Whether at the bottom of your coffeemaker or the inside of a nuclear cooling tower, internet-connected devices are everywhere, including the federal government. And with no end in sight for the Internet of Things, agencies are balancing the range of these devices alongside added risks.
Speaking at a Sept. 20 MeriTalk cybersecurity event in Washington, D.C., Katerina Megas, program manager for the Cybersecurity for Internet of Things at the National Institute of Standards and Technology, said “lines are blurring” when it comes to commercial and industrial, and public and private sector uses.
“I don’t know if we can say any longer, ‘What’s the path forward for the U.S. federal government and IoT?'” Megas said. “I think we need to solve the problem as a nation.”
Megas said NIST is looking at publishing a report that provides an introduction for industry or a federal agency, to topics they might want to consider around the area of IoT.
“When you purchase a device, are you asking whether that device has connectivity, because it has an embedded wireless chip, and the manufacturer may have embedded that chip because it serves their purposes,” Megas said. “You don’t know what you don’t know, that is always the worst; you don’t know to ask the questions. So what we’re trying to do is bring around some awareness to federal agencies to start asking the right questions.”
Chaos and complexity
When it comes to the right questions to ask, Commerce Department acting Chief Information Officer Rod Turk said that doesn’t have to be a complicated task.
He said it’s important for agency CIOs and CISOs to take a step back and look at the Internet of Things from a basic cybersecurity perspective and then assess the varying risk levels.
“Know what’s in your environment,” Turk said. “You may not know all of your IoT, but I’ve got a good hunch that you’ve probably got a sense of where it all is. You know your printers, you know your copiers now have computers in them, and they’re going to be storing information. and they have the ability to take that information and send it out to random places.”
IoT devices follow a process where a sensor collects information, sends it off to an aggregator, who then formats that information and communicates it to the internet or an individual or network.
Ideally in that chain, you know what the sensors are, the location of the aggregator, and have control of the internal communication process between the sensors and aggregator, to manage risk, Turk said.
“You need to spend more time on that high risk stuff. You may have low risks that you’re not worried about, then put the low-rated controls on those and don’t spend as much time,” Turk said. “While there is a lot of chaos, a lot of complexity in IoT, I think a lot of the basic cybersecurity discussions still apply. You’ve still got to know what those IoT devices are if you can, and then apply in that chain of how that data is accessed and moved, try to manage that flow of data within that scenario.”
Turk said IoT needs to be looked at more as a commodity, and from a cybersecurity standpoint is headed toward a risk-based approach.
“Which means you’ve got to look at your total environment, you’ve got to look at what one each of those components within that environment does,” Turk said. “So it’s a risk-based process and it’s an assessment each individual CIO and CISO needs to do in their environment, because each environment is different. NOAA Fisheries is different from NOAA’s weather service is different from the Patent and Trademark Office is different from what NIST does. So that assessment needs to be done at the local level, and I think the CISO of the future is going to be a risk manager.”
Megas agreed that there is no silver bullet to addressing IoT risk. What industry needs to do is provide a framework and allow each organization or agency to assess their own risk.
“There might be areas in health care where you may opt to expose yourself to some risk because you just cannot have a connective pacemaker be less than reliable,” Megas said. “You can’t allow it to skip a beat.”
Michael Valivullah, chief technology officer at USDA’s National Agricultural Statistics Service, said thanks to people’s creativity, IoT devices are sometimes used in ways and in areas different from their original design.
There needs to be a test case or proof of concept, Valivullah said, to see if the device is functioning the way it should be and providing the expected usefulness.
“That could be risk management, that could be putting more controls on it, more compliance on it,” Valivullah said. “I think we need to help industry understand our needs and help them devise those things that we consider important in terms of control and security. Hopefully, it is going to be more give and take of who the designers are, who the manufacturers are, who the producers are, and also the users on the other side. There is going to be some sort of a balance that needs to take place. We don’t want to suffocate innovation and put all these restrictions on it, but at the same time we don’t want to be at a place where it is all wild wild west and a free for all and you lose control of the device.”