The Internet of Things raises just as many challenges as it does opportunities — giving agencies both a wealth of real-time data and a broader surface area for cyberattacks.
At the State Department, Landon Van Dyke, a senior adviser on energy, environment and sustainability and the agency’s head of analytics, sees IoT devices as an opportunity to give U.S. embassies in 190 countries a snapshot of their air quality — just one of several data points IoT devices can provide to better secure diplomatic facilities.
Van Dyke, the State Department’s former chief sustainability officer, said the agency also has partnerships with governments to help them set up their own network of IoT sensors for generators, building management systems and more.
“It’s been quite a fun journey for us, to not only use the technology and try to secure it for our own use, but also to be able to share it around the world as part of our diplomatic mission,” Van Dyke said Sept. 5 at World Wide Technology’s Industry Day in Washington.
Karen Evans, the Energy Department’s assistant secretary for the Office of Cybersecurity, Energy Security and Emergency Response (CESER), said IoT devices may provide private-sector energy companies with valuable data in near-real-time, but those same sensors and smart meters can become a vulnerability for the country’s national infrastructure without the right safeguards.
“It’s cool that we’re going to have solar panels, it’s cool that we’re going to have wind turbines, it’s cool that I have a Nest system in my house, it’s really cool that I can control the temperature from my phone, [but] all of those devices end up connecting eventually to the grid … each one of those devices end up becoming a new attack vector into the grid,” Evans said.
The Energy Department serves as a major partner in the Department of Homeland Security’s National Risk Management Center, which serves as a threat information-sharing hub for government and industry.
In many cases, Evans said, executives in the electric, oil and natural gas industries function as the eyes and ears of the government when it comes to better understanding the cyber threats from IoT devices.
“They understand exactly what the landscape is. They understand exactly how these devices are being used, and they know how they’re being held accountable,” she said.
The government, meanwhile, has taken the long-term view, rolling out supply chain security initiatives to ensure that IoT-connected devices have sufficient cybersecurity standards — something that the average consumer, or even agency procurement officers, might not factor into their purchase.
“I don’t think the average consumer says, ‘Wow, these [solar] panels are manufactured in the United States, so they’re more secure. These panels are now manufactured over in another country, and they are less secure.’ They look at who’s giving me free shipping, and who has the cheapest price,” Evans said.
The State Department depends on a secure supply chain for its solar panels, Van Dyke said, considering that 35 embassies rely on solar energy as part of an overall resilience strategy.
“There’s a little bit of backfill for a lot of people that sit there and go, ‘We do have all these vulnerabilities or potential vulnerabilities, how do we mitigate it?’ It goes back to the architecture and figuring out how we can do that, but then looking at the supply chain, and figuring out where do we find our suppliers,” he said.
State’s resilience strategy also includes using sensors for bigger-picture projects, such as measuring and tracking seismic and floodplain data to ensure embassies remain safe from natural disasters.
“When we build an embassy, hopefully, it’ll be around for 50-to-100 years,” Van Dyke said, adding that the agency has also leveraged satellite and geospatial information to gain insights on the integrity and longevity of buildings.
The opportunities and threats of IoT devices are also evident in State’s use of sensors for its global fleet of more than 14,000 vehicles. Those sensors can give management data and better intelligence on safe driving practices as well as wear-and-tear on the vehicles, but the agency also needs to ensure that data doesn’t fall into the wrong hands.
“When you buy a new car these days … that information gets uploaded to the dealer. Now for the U.S. embassy, we probably don’t want that information just uploaded to a local dealer,” Van Dyke said.