If it's connected, it's vulnerable: Know the risks.
The Internet and the global network of computers and connected devices we have come to rely on is undergoing a revolution. With small, connected sensors measuring roadways, car seats, satellites, animals, household appliances and even pacemakers, massive data sets are available to manufacturers and consumers alike. As the commercial sector and consumers are learning what this revolution means for them, government agencies should anticipate the security concerns of this rapidly changing information ecosystem and identify how to leverage this revolution for the benefit of all.
Because of the seamless manner in which the Internet of Things (IoT) is assimilating into public spaces and critical infrastructures, it is imperative for the public sector to strategically engage with connected devices and data. Federal, state and local governments are positioned to gain new insights into public services, improving their ability to respond to change and ensure continuity of operations in a crisis. Planning now will determine both the benefits and the risks this system brings because when everything is connected, everything is vulnerable.
Government CIOs and organizations should understand three primary focus areas to successfully establish an enterprise strategy for securing public sector engagement in the IoT:
Know the data. With the large amount of data generated by the IoT from numerous sources, a key question will be the continuing reliability of the data. The answer can actually be found within existing government strategies that provide information assurance and interoperability of For Official Use Only (FOUO) and classified systems. The largest and most secure information sharing environments are currently those found within .gov and .mil, and they offer a way forward for the public sectors’ engagement with IoT.
Data can be encrypted with simple tools like Secure/Multipurpose Internet Mail Extensions (S/MIME) or more complex systems like Information Rights Management solutions. Data separation and risk containment can be provided through virtual machine technology, database containers and cross-domain solutions brought over from the military domain.
Additionally, systems must be hardened, not just patched; unnecessary services and applications must be removed, and remaining software configured appropriately. So many systems built for the IoT either on the device side or on the cloud side are based on multipurpose operating systems and are left with many features running that unnecessarily expose risk. And, most critically, the use of the data should be monitored with a privileged user monitoring and insider threat tools.
Know the device. Keith Alexander, the National Security Agency’s former director, once said, “The cyber domain is a dynamic domain that changes every time you power on a device.”
With each new device that enters this changing domain, new vulnerabilities and threats are introduced. An adversary will have not only this new target with its vulnerabilities to exploit, but he will also have a new path from which to attack the other entities on the network. A good security organization must do research on new devices to understand not just how to use a device, but also what is embedded in the device, what data is generated and transmitted, where the device’s data is transmitted and what connections will it accept from other devices – among a host of other concerns.
Most important, federal organizations must know and prepare for the advantages an adversary may gain from access to the sensors and data generated by a connected device, as well as by the other personal devices users are bringing into the building.
Know the insider. The IoT is based on the collection of data that is often personal and sensitive, particularly in the aggregate. This data is valuable not only to society but to our potential adversaries. Protecting sensitive data from external threats has been the focus of cybersecurity investments since the first computers were used. But that’s only half the story. It is critical for agencies to have insider-focused security and continuous monitoring that can detect anomalies and inappropriate privileged user activity so they can determine when information has been accessed inappropriately. These strategies must include behavioral analytics, not just simple rules and policies. While direct external cyber threats remain, episodes such as the Target, Wikileaks and the Snowden breaches have shown that the most significant risk of damage to customer trust and to our missions is posed by internal system access.
The IoT has the potential to help us to create and process more data than ever before on everything from the food we grow, to our use of power and water, to how we drive on the highway. These new insights can be powerful enablers in the hand of government, but only if we plan for it. Making sure this system of systems is secure will help us ensure the IoT delivers its promise of human advancement.
Michael Daly is CTO, Raytheon Cyber.