The proliferation of internet of things (IoT) connected devices is on a steady rise. Analysts predict that from now through 2020, the number of connected "things" will grow from 13.5 billion units to 38.5 billion units, a growth of over 285 percent.
While many people think of commercial devices — like smart TVs and thermostats — as making up the bulk of IoT devices, IoT devices among the public sector should not be discredited. Overall, the federal government
spent nearly $35 billion on IoT solutions from fiscal year 2011 through fiscal year 2015. The electrical grid, smart cities and police body cameras are just some of the connected industrial and government applications.
But with the growth of IoT devices comes a larger surface from which adversaries can exploit vulnerabilities and launch cyberattacks. IoT connected devices are especially susceptible to network-borne threats. This is all the more paramount for public sector devices, whose breaches could have potential national security implications.
Reports of IoT attacks in the private sector are becoming increasingly common. Most recently, an attacker deployed a massive botnet in a DDoS attack on Dyn, the DNS provider shared by popular websites like Twitter, Reddit and Spotify. What set this attack apart from other DDoS attacks is that the user used a botnet comprised of IoT devices, such as webcams and DVRs, to overwhelm Dyn with more traffic than it could handle.
And a recent
report found that attackers used IoT devices to remotely generate attack traffic by exploiting a 12-year-old vulnerability in OpenSSH, dubbed SSHowDowN Proxy. Attacks originated from devices including video surveillance such as CCTV and DVR devices, satellite antenna equipment and networking devices such as Routers and Hotspots. Once malicious users had access to the web administration console, they have been able to compromise the device's data and in some instances, fully take over the machine.
Steps the public sector can take
Luckily, a major IoT-based attack has not happened in the U.S. public sector — yet. To prevent such an attack from occurring, the government must learn from the IoT vulnerabilities currently plaguing the private sector and go beyond mandates to implement strong IoT cybersecurity hygiene.
Update outdated IT infrastructure: The issue of legacy technology has been a long-standing point of contention, with a GAO report finding that federal agencies are spending a lot of money caring for aging IT systems. Most government systems were designed decades ago without any expectations of connecting to a network or web front-end. As a result, outdated government infrastructure is already challenged with managing IoT connected devices, to say nothing about the cybersecurity considerations of protecting such devices. Modernizing legacy technology is a first step in fully maximizing the benefits of IoT and ensuring that protection is in place from the beginning.
Create a smart workforce: Training employees to have sound cybersecurity practices can have a significant impact on IoT security. This can range from combatting insider threats to making sure that employees know what to do in the event of a cybersecurity breach. And with IoT connected devices, this could also mean placing additional access controls on industrial control systems so that only the right employees have access to the most critical information.
Collaborate with the private sector: Part of the problem when it comes to IoT security is that manufacturers are putting IoT devices into the market that have not been properly vetted for security standards before they are plugged into networks. Many IoT devices are often protected only by their factory-default passwords, an easy thing for hackers to bypass. A recent letter from the co-founder of the Senate Cybersecurity Caucus following the Dyn attack pushed federal agencies to look at possible solutions to combat such threats facing the private sector. This doesn't necessarily mean that the government should step in with new regulations; rather, it's important that the federal government remains aware of IoT vulnerabilities impacting the private sector and is open to engaging with other agencies and organizations if needed.
Develop a cloud strategy: Complex cloud computing architecture is required for IoT deployment at the federal level. A report found that the federal cloud services market is booming thanks to the growth of cloud storage in particular. As more agencies deploy IoT sensors, those sensors will generate large amounts of data that will be stored in the cloud. IoT is especially dependent on cloud storage and back-end development tools under the Infrastructure-as-a-Service (IaaS) model. Whether a public, private, or hybrid cloud, agencies must ensure that their cloud storage and security strategies are in place to both handle and protect the large amounts of data generated by IoT sensors.
Bridge the gap between OT and IT: The way that risk is perceived by workers in Information Technology (IT) versus Operational Technology (OT) varies greatly. According to a report from the Industrial Internet Consortium (IIC), "Resilience in IT is less important than in OT and security is less important in OT than in IT." OT departments must think about security differently, beyond gates and locks, while IT departments must consider more advanced and sophisticated security features, like encryption. For strong IoT cybersecurity, OT and IT security considerations cannot operate in separate silos, but instead must come together for a new, cohesive cybersecurity strategy.
IoT security should be a top priority for the federal government as IoT devices become more sophisticated. The
IIC report found that "a successful [cyber]attack on an industrial internet of things system has the potential to be as serious as the worst industrial accidents," citing Chernobyl or Bhopal.
The federal government is in an ideal position right now to address IoT cybersecurity proactively, from the front end rather than scrambling to tack on security measures after IoT connected devices become even more widespread and nuanced.
Tom Ruff is the vice president of public sector for Akamai Technologies where he helps federal and state government agencies, as well as higher education institutions, accelerate and improve the secured delivery of content and applications over the Internet and in the cloud. Tom has more than 30 years of IT industry experience, having held numerous executive management positions at Fortune 500 companies.