The National Institute of Standards and Technology wants to make sure agencies understand the added challenges of cybersecurity for internet of things. That’s why it’s producing a new guidance document on the subject. The draft opened for public comments on Sept. 24, and will remain open until Oct. 24.
“The real unique thing about IoT is that it’s not just sensing data, of course,” James St. Pierre, deputy director of the IT Laboratory at NIST, said at FCW’s Sept. 27 Accelerate Gov event. “It can also actuate. It can have changes in the kinetic and physical world. That brings a whole new risk profile with it.”
He said that the new document is also the first in a series that will begin to consider cybersecurity and privacy together. He said it will also consider IoT-specific guidance, like the use of Manufacturer’s User Descriptions, or MUDs.
MUDs tell an IoT device who or what it can connect and share information with. That’s important, because IoT devices have already been subverted to support botnet attacks, like the Mirai attacks of 2016. St. Pierre said most people probably didn’t realize, but their IoT devices, such as DVRs, were contributing resources to those attacks even while they continued to function normally. But with a MUD, that wouldn’t be possible.
He said agencies’ use of IoT is becoming more prevalent, particularly in the areas of standards and measurements, and that’s changing business models.
“I think IoT is a little more understandable than some other technologies,” St. Pierre said. “With any new technology there’s some interest in ‘we’ve got to start using it. My boss wants me to start using that.’ With IoT, my sense is that people are using it fairly well, to improve efficiency, effectiveness, maintenance, the smart building applications.”
That’s the way the State Department has been using it, said Landon Van Dyke, the department’s senior adviser for Energy, Environment and Sustainability. The State Department started getting into IoT after the Energy Act of 2005, which required all federal buildings to incorporate smart meters by 2012.
“In the process of doing that, we recognized there’s money to be saved here by looking at the granular data,” Van Dyke said at the FCW event. “And so we started piloting that overseas. At a certain point we realized we wanted to take all that information and infrastructure and take it off of our business network and create our own network so that there’s less exposure and less cyber risk.”
Now the department uses various kinds of IoT sensors at their embassies overseas. They track air and water quality and usage. They track energy and fuel consumption, as well as the location of vehicles and the types of terrain they traverse. At this point, he said the department receives 15,000 data points every fifteen minutes from their IoT networks.
The efforts and data also support diplomacy missions, not just resource and business management, he said.
“You have to understand, in places like Africa, American embassies have water treatment plants on site. So when we take the water in, we do clean it, and it does go back, usually cleaner than when we see it,” Van Dyke said. “Making that type of information publicly available is powerful in a sense of, if you’re part of that community, you look and go ‘wow, the Americans are doing that.’ and you look around the rest of the neighborhood and you go ‘why isn’t that company doing that? Why aren’t they doing that? What are they putting into our water?’ So we’re looking at this as an opportunity to engage the earth science field but also just the community at large on what’s happening in their community, and using data to do that.”
He said the State Department has two postures for IoT: on compound and off compound. Devices that are off compound are obviously less secure, so the agency takes a closer look at what it’s deploying in those circumstances. That is especially true, Van Dyke said, now that it’s getting harder to procure items that are not WiFi or Bluetooth capable.
St. Pierre said this is when it becomes important to establish a baseline for security on your IoT devices. Some devices can be protected, but others are “dumber,” with fewer resources and less computing ability. These devices may need to be behind a firewall.
Van Dyke said the State Department has experimented with that somewhat in the past. As they were testing devices to hook up to their networks, they routed some of them through the firewall just to see what the devices were doing.
“Some of them call home to countries where you don’t want them to be calling home,” he said.
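The two ideas above, a MUD that lists who a device may talk to and a firewall that reveals a device calling home somewhere unexpected, fit together in one small evaluator. This is an added illustration, not code from NIST, the State Department or the MUD specification; the manifest is a constructed, deliberately simplified MUD-style allow list (real MUD files, defined in RFC 8520, use YANG-modeled ACLs), and the DVR, hostnames, addresses and flows are all invented sample data.

```python
import json
import ipaddress

# Constructed, simplified MUD-style manifest for a hypothetical DVR.
# Real MUD files (RFC 8520) are YANG-modeled JSON ACLs; this is an illustration only.
DVR_MUD = json.loads("""
{
  "mud-url": "https://example.invalid/dvr/mud.json",
  "from-device-policy": [
    {"name": "to-vendor-update", "dst-dnsname": "update.example.invalid", "dst-port": 443, "protocol": "tcp"},
    {"name": "to-ntp",           "dst-dnsname": "time.example.invalid",   "dst-port": 123, "protocol": "udp"},
    {"name": "to-local-nvr",     "dst-cidr": "10.20.0.0/16",               "dst-port": 554, "protocol": "tcp"}
  ]
}
""")

def flow_allowed(mud, flow, resolved):
    """Return the name of the manifest rule permitting an outbound flow, or None.
    `resolved` maps hostnames in the manifest to the addresses they resolved to
    at enforcement time: the enforcer, not the device, does the lookup."""
    dst = ipaddress.ip_address(flow["dst"])
    for rule in mud["from-device-policy"]:
        if rule["protocol"] != flow["proto"] or rule["dst-port"] != flow["dport"]:
            continue
        if "dst-cidr" in rule and dst in ipaddress.ip_network(rule["dst-cidr"]):
            return rule["name"]
        if "dst-dnsname" in rule and flow["dst"] in resolved.get(rule["dst-dnsname"], ()):
            return rule["name"]
    return None

def audit_flows(mud, flows, resolved):
    """Split observed flows into those the manifest permits and those it does not.
    Unpermitted flows are what a MUD-aware firewall would drop, and what a defender
    sees when a device starts calling home somewhere the manufacturer never listed."""
    allowed, denied = [], []
    for f in flows:
        rule = flow_allowed(mud, f, resolved)
        (allowed if rule else denied).append({**f, "rule": rule})
    return allowed, denied

# Constructed sample of outbound flows observed from the DVR behind the firewall.
RESOLVED = {"update.example.invalid": {"203.0.113.10"}, "time.example.invalid": {"203.0.113.20"}}
FLOWS = [
    {"dst": "203.0.113.10",  "dport": 443, "proto": "tcp"},  # vendor update server
    {"dst": "10.20.5.7",     "dport": 554, "proto": "tcp"},  # local NVR on the compound network
    {"dst": "198.51.100.77", "dport": 23,  "proto": "tcp"},  # telnet to a host the manifest never named
    {"dst": "198.51.100.9",  "dport": 443, "proto": "tcp"},  # HTTPS, but not to a listed host
]

if __name__ == "__main__":
    for f in audit_flows(DVR_MUD, FLOWS, RESOLVED)[1]:
        print("DENY", f)
```

The denied list is the signal St. Pierre and Van Dyke describe: a device that works normally but reaches out to destinations its manufacturer never declared.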
St. Pierre said this may lead NIST to begin establishing different classes of IoT items, to give agencies who adopt them a better idea of what kinds of security measures need to be taken. He said this new guidance takes a first swipe at what those classes and baselines might look like.