In September, the National Institute of Standards and Technology issued a draft special publication focused on securing the internet of things (IoT).
In the draft, NIST writes that many organizations are not necessarily aware of the large number of IoT devices they are already using, or of how IoT devices may affect cybersecurity and privacy risks differently than conventional information technology devices.
In 2013, the number of devices connected to the Internet globally was estimated to be over 9 billion.
According to the McKinsey Global Institute, an estimated 25-to-50 billion devices will be connected to the Internet by 2025.
Just by those numbers alone, the potential risks are huge and only going to increase.
So as agencies modernize their networks and applications, move to the cloud and depend more and more on these connected devices, there are several factors they need to consider.
How can agencies balance the benefits of connected devices with the concerns about security and privacy?
And then there are the interoperability and standards issues that come with the further implementation of IoT devices.
Ellen Sundra, the vice president of Americas systems engineering for ForeScout Technologies, said, like most cybersecurity decisions, agencies need to balance risk and reward when it comes to IoT devices.
“There is so much value that comes from IoT,” Sundra said on the Innovation in Government show. “But there are some frivolous IoT devices as well. Do I need my dishwasher and my refrigerator connected to the network? What we need to do is identify these devices and identify risk versus reward. Are these devices that are providing enough value that we want to have a potential new risk on our network and how do we protect these devices?”
Part of the challenge is IoT device makers make it easy to connect these devices to the network, which adds another layer of complexity to the discussion.
Sundra said this is why the government’s move to hardware and software asset management, through initiatives such as the continuous diagnostics and mitigation (CDM) program, is so important.
“Certainly we want to modernize our networks. We need to get these older devices off that are no longer supported. They no longer have patches available and introduce vulnerabilities to our network. It also means an influx of IoT devices and new sensors,” she said. “We have to remember these new devices are still operating systems. They are still using embedded Windows. So we need to monitor them. We need to make sure we are patching them, they meet our compliance levels and continuously monitor them.”
Sundra said the first question agencies need to answer is what is connected to their networks today, in order to establish a baseline. She said that under best practices from NIST and the SANS Institute’s 20 critical security controls, the first control is hardware asset management, which also happens to be the area where agencies struggle the most.
“Where the organizations struggle is there are no policies around that. If you find an Xbox, what do you do? Do you take it off the network? That is where a lot of our customers stumble is that first step of saying, ‘Oh my gosh, I just found out all of these devices on my network, what do I do next?’” she said. “Another issue we run into is a lot of our customers rely on time-based scans. They do a scan whether it’s once a week or once a day, there always will be devices that are coming on and off our network. So if we are doing that hardware asset management, we can’t rely on scans to tell us what’s connecting to our network at all times. Solutions need to be real time. Then, the other part of that is the reliance on agents. We still have so many technologies that are out there that rely on a piece of software to be installed on the end point to be able to see when it connects to the network. The problem is all of these IoT devices can’t run agents.”
And Sundra said agencies can’t rely on the devices themselves to check back in, because they are not a reliable source of information. She said agencies should consider using a third-party tool that is agnostic and can easily integrate with the network to give that visibility and help with the broader modernization effort.
Sundra said initiatives such as the Homeland Security Department’s CDM program and the Defense Department’s comply-to-connect effort are starting to make it easier for agencies to overcome the hardware and software asset management challenges.
She said the three basic tenets of comply-to-connect are:
100 percent visibility and continuous monitoring of the posture of the endpoints.
Devices must meet the organization’s security standards and configurations before they are allowed on the network.
Aggressively automate segmentation, so that once a device comes on the network it belongs to a particular segment and is not a risk to the rest of the network if there is a problem or an attack.
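The three tenets above, together with Sundra’s earlier point that time-based scans miss devices that connect and disconnect between scans, can be shown in a small policy engine. The following is an added example written for this page; it is not code from the article, NIST, the Marine Corps pilot or ForeScout. The device records, event timestamps, segment names and the lists of approved device kinds and unsupported operating systems are all constructed for the demonstration.

```python
# Added example (not from the article or any vendor): a toy comply-to-connect
# policy engine. Tenet 1 is the event-driven Inventory, tenet 2 is
# posture_check(), tenet 3 is assign_segment(). periodic_scan_view() shows
# what a once-per-interval scan would have seen instead.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Device:
    mac: str
    kind: str      # "workstation", "camera", "sensor", "console", ...
    os: str
    patched: bool


# Segment names and policy tables are assumptions for this example.
CORP, IOT, QUARANTINE, BLOCKED = "corp", "iot", "quarantine", "blocked"
APPROVED_KINDS = {"workstation", "camera", "sensor"}
UNSUPPORTED_OS = {"Windows XP Embedded", "Windows 7"}


def posture_check(dev: Device) -> List[str]:
    """Tenet 2: every reason the device fails the organisation's standard."""
    failures: List[str] = []
    if dev.kind not in APPROVED_KINDS:
        failures.append("unapproved_device")
    if dev.os in UNSUPPORTED_OS:
        failures.append("unsupported_os")
    if not dev.patched:
        failures.append("unpatched")
    return failures


def assign_segment(dev: Device, failures: List[str]) -> str:
    """Tenet 3: map the posture result to a network segment."""
    if "unapproved_device" in failures:
        return BLOCKED          # e.g. the Xbox someone plugged in
    if failures:
        return QUARANTINE       # remediate, then re-evaluate
    return CORP if dev.kind == "workstation" else IOT


class Inventory:
    """Tenet 1: a record of what is on the network right now, updated per event
    rather than per scan, and independent of any agent on the device."""

    def __init__(self) -> None:
        self.online: Dict[str, Tuple[Device, str, List[str]]] = {}
        self.ever_seen: Set[str] = set()

    def handle(self, event: str, dev: Device) -> str:
        if event == "connect":
            failures = posture_check(dev)
            segment = assign_segment(dev, failures)
            self.online[dev.mac] = (dev, segment, failures)
            self.ever_seen.add(dev.mac)
            return segment
        if event == "disconnect":
            self.online.pop(dev.mac, None)
            return "offline"
        raise ValueError(f"unknown event {event!r}")

    def segments(self) -> Dict[str, str]:
        return {mac: seg for mac, (_, seg, _) in self.online.items()}


Event = Tuple[str, int, Device]   # (event type, time in seconds, device)


def periodic_scan_view(events: List[Event], interval: int, until: int) -> Set[str]:
    """MACs a scan run at t = 0, interval, 2*interval, ... <= until would see."""
    online: Set[str] = set()
    seen: Set[str] = set()
    next_scan = 0
    for kind, t, dev in sorted(events, key=lambda e: e[1]):
        while next_scan < t:            # run every scan due before this event
            seen |= online
            next_scan += interval
        online.add(dev.mac) if kind == "connect" else online.discard(dev.mac)
    while next_scan <= until:           # scans after the last event
        seen |= online
        next_scan += interval
    return seen


def missed_by_periodic_scan(events: List[Event], interval: int, until: int) -> Set[str]:
    """Devices the real-time inventory saw but no periodic scan ever did."""
    inv = Inventory()
    for kind, _, dev in sorted(events, key=lambda e: e[1]):
        inv.handle(kind, dev)
    return inv.ever_seen - periodic_scan_view(events, interval, until)


# Constructed sample devices and connection events (not real data).
WS1 = Device("aa:bb:cc:00:00:01", "workstation", "Windows 10", True)
CAM1 = Device("aa:bb:cc:00:00:02", "camera", "Embedded Linux", True)
XBOX1 = Device("aa:bb:cc:00:00:03", "console", "Xbox OS", True)
CTRL1 = Device("aa:bb:cc:00:00:04", "sensor", "Windows XP Embedded", False)
EVENTS: List[Event] = [
    ("connect", 5, WS1),
    ("connect", 10, CAM1),
    ("connect", 20, XBOX1),
    ("disconnect", 30, XBOX1),     # gone again before the 60-second scan
    ("connect", 70, CTRL1),
]


def run_demo() -> Dict[str, object]:
    inv = Inventory()
    decisions = [(dev.mac, inv.handle(kind, dev)) for kind, _, dev in EVENTS]
    return {"decisions": decisions, "segments": inv.segments(),
            "missed_by_scans": missed_by_periodic_scan(EVENTS, 60, 120)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

With a 60-second scan interval the console that connected at 20 seconds and left at 30 is never observed by a scan, while the event-driven inventory records it and blocks it; the unpatched sensor on an unsupported embedded OS lands in quarantine rather than alongside the workstations. In a real deployment the events would come from switch, DHCP or NAC telemetry rather than a hand-built list.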
“The Marine Corps was one of the first ones to do a real pilot on comply-to-connect and it was really eye opening,” she said. “The number of IoT and operational technology (OT) devices that we found were astonishing. We found things like at the gate there were sensors, the street lights, different lights in the buildings. They were the first ones to have that eye opening perspective on the devices on their network.”
The Marine Corps built in automation by integrating tools that could detect if a device wasn’t compliant and then make it compliant.
Sundra said agencies need to keep in mind that while the technology is important, it’s one key ingredient in the recipe that also includes people and processes.
About ForeScout Technologies:
ForeScout Technologies is transforming security through visibility, providing Global 2000 enterprises and government agencies with agentless visibility and control of traditional and IoT devices the instant they connect to the network. Our technology continuously assesses, remediates and monitors devices and works with disparate security tools to help accelerate incident response, break down silos, automate workflows and optimize existing investments. As of June 30, 2017 more than 2,500 customers in over 70 countries improve their network security and compliance posture with ForeScout solutions. See devices. Control them. Orchestrate system-wide threat response. Learn how at www.forescout.com.