If it's connected, it's vulnerable: Know the risks.

Government agencies should anticipate the security implications of the Internet of Things and identify how to leverage this revolution for the benefit of all.

The Internet and the global network of computers and connected devices we have come to rely on is undergoing a revolution. With small, connected sensors measuring roadways, car seats, satellites, animals, household appliances and even pacemakers, massive data sets are available to manufacturers and consumers alike. As the commercial sector and consumers are learning what this revolution means for them, government agencies should anticipate the security concerns of this rapidly changing information ecosystem and identify how to leverage this revolution for the benefit of all.

Because of the seamless manner in which the Internet of Things (IoT) is assimilating into public spaces and critical infrastructures, it is imperative for the public sector to strategically engage with connected devices and data. Federal, state and local governments are positioned to gain new insights into public services, improving their  ability to respond to change and ensure continuity of operations in a crisis. Planning now will determine both the benefits and the risks this system brings because when everything is connected, everything is vulnerable.

Government CIOs and organizations should understand three primary focus areas to successfully establish an enterprise strategy for securing public sector engagement in the IoT:

Know the data. With the large amount of data generated by the IoT from numerous sources, a key question will be the continuing reliability of the data. The answer can actually be found within existing government strategies that provide information assurance and interoperability of For Official Use Only (FOUO) and classified systems. The largest and most secure information sharing environments are currently those found within .gov and .mil, and they offer a way forward for the public sectors’ engagement with IoT.

Data can be encrypted with simple tools like Secure/Multipurpose Internet Mail Extensions (S/MIME) or more complex systems like Information Rights Management solutions. Data separation and risk containment can be provided through virtual machine technology, database containers and cross-domain solutions brought over from the military domain.

Additionally, systems must be hardened, not just patched; unnecessary services and applications must be removed, and remaining software configured appropriately. So many systems built for the IoT either on the device side or on the cloud side are based on multipurpose operating systems and are left with many features running that unnecessarily expose risk. And, most critically, the use of the data should be monitored with a privileged user monitoring and insider threat tools.

Know the device. Keith Alexander, the National Security Agency’s former director, once said, “The cyber domain is a dynamic domain that changes every time you power on a device.”

With each new device that enters this changing domain, new vulnerabilities and threats are introduced. An adversary will have not only this new target with its vulnerabilities to exploit, but he will also have a new path from which to attack the other entities on the network. A good security organization must do research on new devices to understand not just how to use a device, but also what is embedded in the device, what data is generated and transmitted, where the device’s data is transmitted and what connections will it accept from other devices – among a host of other concerns.

Most important, federal organizations must know and prepare for the advantages an adversary may gain from access to the sensors and data generated by a connected device, as well as by the other personal devices users are bringing into the building.

Know the insider. The IoT is based on the collection of data that is often personal and sensitive, particularly in the aggregate. This data is valuable not only to society but to our potential adversaries. Protecting sensitive data from external threats has been the focus of cybersecurity investments since the first computers were used. But that’s only half the story. It is critical for agencies to have insider-focused security and continuous monitoring that can detect anomalies and inappropriate privileged user activity so they can determine when information has been accessed inappropriately. These strategies must include behavioral analytics, not just simple rules and policies. While direct external cyber threats remain, episodes such as the Target, Wikileaks and the Snowden breaches have shown that the most significant risk of damage to customer trust and to our missions is posed by internal system access.

The IoT has the potential to help us to create and process more data than ever before on everything from the food we grow, to our use of power and water, to how we drive on the highway. These new insights can be powerful enablers in the hand of government, but only if we plan for it. Making sure this system of systems is secure will help us ensure the IoT delivers its promise of human advancement.

NEXT STORY: NIST's future without the NSA

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.