The internet of things (IoT) has ushered in a new and complex world of cybersecurity threats, placing federal agencies at risk. Nearly nine out of 10 agencies consider the security of IoT devices “essential” for executing their missions, according to research from the Government Business Council (GBC). Connectivity, cost-efficiency and productivity advantages make the IoT indispensable. Yet, in the same study, 58 percent describe themselves as – at best – only “somewhat” confident in their ability to protect these devices, if not “not very” or “not at all” confident.
What’s more, the IoT’s presence within government networks will continue to grow, as 40 percent of agencies view IoT expansion as a priority, with 17 percent saying this is a “high” or “critical” priority, according to GBC’s report. But, at the same time, agencies indicate that they struggle to secure IoT due to a lack of funding (as cited by 39 percent of survey respondents), slow procurement processes (39 percent) and unavailable technical expertise (30 percent).
These numbers are eye-catching and a symptom of a broader, strategic challenge: The government is attempting to counter a new and unfamiliar risk – hackers seeking to exploit multiplying, non-traditional IoT devices – with what amount to “competing” security versus compliance instincts, sometimes at each other’s expense.
When it comes to securing federal networks, the perceived effectiveness of IT leaders is based primarily on how compliant they appear in periodic audits, some of which happen only annually. Successful completion of current compliance reviews and approvals does not adequately prepare a federal organization to defend itself from today’s cyber adversaries. Traditional compliance efforts such as the CIO Cybersecurity Scorecard are fairly limited in responding to current threats. These benchmarks reflect thinking from well before the IoT’s rise, when the bar for information assurance was much lower. Any compliance effort focused primarily on known Microsoft Windows-based endpoints has very limited effectiveness today, if the goal is to address the most foundational cyber hygiene challenges.
Attackers recognize this. They realize that a compliance-driven methodology doesn’t effectively address IoT exposures and attack vectors. In U.S. government settings, agencies’ stakes in cyber security should motivate a shift to playbooks that place a premium on complete and continuous visibility and control of all IP-based endpoints – that is, preventative measures and protection – instead of being focused primarily on “once in a while” audit scores that do not even account for many existing IoT assets – or worse, audits that fail to take IoT risks into consideration at all.
The good news is that voices within government are already driving change. At AFCEA’s Energy and Earth Sciences IT symposium in July, Robert Powell, senior advisor for cybersecurity in NASA’s office of the chief information officer, noted, agencies “can get so overly focused on compliance and trying to get a good grade or a good score, or be green or what have you, when really what we need to be focused on is risk. If you forget that basic principle of ‘How do I manage risk, why do we even have a risk process in place?’ If we’re going through compliance exercises at the expense of not focusing on risk, then that’s a broken model.”
So how can agencies fix or rebalance ‘broken’ risk models? First, government leaders must overcome uncertainty about what’s “out there” on their networks by gathering hard data and insight. Assumptions cloud risk perceptions, and agencies do not have time for guesswork: they need to establish complete visibility of what is on their networks and what software is running on those devices. Drawing on best practices and standards from the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the SANS Institute, experts have constantly preached the mantra, “You cannot protect what you cannot see.” Until you continuously shine a light to identify all IoT assets touching your network, you cannot prevent today’s – or tomorrow’s – IoT fabric from introducing unchecked risk. It is also important to consider the kind of “light” you are shining, because most traditional network scanning solutions are unable to recognize newly connected, non-traditional IoT devices, which run non-standard operating systems that prevent the installation of third-party security software. To gain complete visibility across the enterprise, it is therefore paramount that the solutions leveraged do not require their software to be installed on the IoT asset.
Once you’ve acquired total visibility, you classify what you’re seeing. You determine what each device is – from “smart” thermostats and HVAC gear to security cameras or facility systems – and what it is supposed to do. With this vantage point, you develop baselines of routine, acceptable activity to better recognize unusual and possibly threatening patterns.
Finally, you implement a network admission-based, dynamic network segmentation architecture. To illustrate how, let’s use a common IoT example of a mission-critical, discrete connected device: a heart monitor in a hospital. This equipment might run on a version of Microsoft Windows – much like an agency’s fleets of laptops. However, heart monitors carry significantly different warranty considerations, and their operating system is embedded and more complicated to patch for known vulnerabilities. Therefore, strict enforcement of designated network segments assures the organization that these heart monitors remain in their own “lane”, preventing needless disruption or breach exposure. This way organizations can keep security issues affecting heart monitors, security cameras, HVAC systems or similar devices from affecting other assets – and vice versa.
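The three steps just described (agentless discovery, classification against a behavioural baseline, and segmentation by device class) carried through on constructed data, as an added example that is not code from the article or from ForeScout; the hostnames, ports, segment names and baseline policy are all assumptions.

```python
from collections import namedtuple
Device = namedtuple("Device", "ip hostname ports")
# Step 1: constructed inventory, as an agentless discovery tool might report it
# (hostname and open ports only; nothing is installed on the endpoint).
INVENTORY = [
    Device("10.10.0.11", "icu-monitor-3", (2575,)),        # HL7 MLLP listener
    Device("10.20.0.5", "lobby-cam-1", (80, 554)),         # RTSP camera
    Device("10.30.0.9", "bldg2-ahu", (47808,)),            # BACnet/IP controller
    Device("10.40.0.77", "lt-analyst", (135, 445, 3389)),  # Windows laptop
    Device("10.50.0.2", "hl7-gateway", (2575, 443)),       # clinical server
    Device("10.60.0.3", "", (23,)),                        # telnet only, unclassified
]
# Step 2: classify from what can be seen without an agent (hostname + open ports).
def classify(dev):
    name = dev.hostname.lower()
    if "monitor" in name and 2575 in dev.ports:
        return "heart_monitor"
    if "gateway" in name and 2575 in dev.ports:
        return "clinical_server"
    if 554 in dev.ports:
        return "camera"
    if 47808 in dev.ports:
        return "hvac"
    if 3389 in dev.ports or 445 in dev.ports:
        return "workstation"
    return "unknown"

# Step 3: every class gets its own lane; unknowns are quarantined until classified.
SEGMENT = {"heart_monitor": "VLAN-MED", "clinical_server": "VLAN-MED-SRV",
           "camera": "VLAN-CAM", "hvac": "VLAN-OT", "workstation": "VLAN-USER",
           "unknown": "VLAN-QUARANTINE"}
# Constructed baseline: which classes each class may initiate traffic to.
BASELINE = {"heart_monitor": {"clinical_server"}, "clinical_server": {"heart_monitor"},
            "workstation": {"clinical_server", "camera"}, "camera": set(),
            "hvac": set(), "unknown": set()}

def admit(inventory):
    """Admission decision for every discovered IP: {ip: (device_class, segment)}."""
    return {d.ip: (classify(d), SEGMENT[classify(d)]) for d in inventory}

def violations(inventory, flows):
    """Flows (src_ip, dst_ip) whose source class has no baseline path to the destination."""
    table = admit(inventory)
    lookup = lambda ip: table.get(ip, ("unknown", None))[0]
    return [(s, d, lookup(s), lookup(d)) for s, d in flows
            if lookup(d) not in BASELINE[lookup(s)]]

# Constructed flow records: monitor to its gateway (fine), monitor to a laptop, unknown to monitor.
FLOWS = [("10.10.0.11", "10.50.0.2"), ("10.10.0.11", "10.40.0.77"), ("10.60.0.3", "10.10.0.11")]
```

Running `violations(INVENTORY, FLOWS)` flags the monitor-to-laptop and unknown-to-monitor flows, which is exactly the cross-lane traffic the segmentation described above is meant to stop.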
Our community is discovering new IoT innovations, use cases and risks every day. While we are still in the early stages of the IoT transformation, there is a finite window to act and prevent competing directives or outdated cyber playbooks from consuming excess time and security resources. As the rise of the IoT changes our notions of what a network is, it is natural to rethink what this means for accounting for every device and managing the associated risk. By “seeing” all there is to see and then classifying and segmenting the IT assets, organizations gain a greater state of awareness about what is happening, why it’s happening, and how to automate the mitigation of what shouldn’t be happening. Then the IoT doesn’t look so mysterious – or scary – anymore.
Niels Jensen is senior vice president for U.S. Public Sector at ForeScout Technologies.