In 2015, the U.S. government increased its spending on the Internet of Things (IoT) by 20 percent—nearly $9 billion—according to a report released last year. It’s a great step forward as the federal space increasingly looks to IoT to increase productivity, provide real-time solutions and predict and preempt potential problems.
Unfortunately, as with so many great things, this growth comes with a coterie of risk. Increased use of IoT devices also means huge amounts of new federal data traversing the Internet within easy reach of cyber criminals. Meanwhile, as more and more federal assets become embedded with sensors, would-be adversaries have a number of new avenues for accessing and breaching federal infrastructure.
Federal agencies do have some IoT security policies in place, however. For example, the National Institute of Standards and Technology (NIST) recently chose the compact SHA-3 as the new algorithm for smart devices, i.e. IoT. But, while such steps help provide better IoT security, there is still much more we can do.
Here are three ways federal agencies can combat the risks of IoT:
One: Protect the device from the rest of the world
By 2020, it’s estimated that 50 billion IoT devices will be active, each with different roles and responsibilities, but all with the same core problem: They’re easily compromised.
Recently we’ve seen instances of thousands of IoT devices compromised and used for DDoS attacks against businesses and individuals. Preventing such attacks from succeeding requires stronger security practices.
Stronger authentication is a great place to start. In the current Internet age, passwords still reign supreme, but how does this work in a world of devices without screens or keyboards?
In short: It doesn’t. However, there are ways to strengthen authentication, and federal agencies should explore them. One option is using next-gen wearables to authenticate users wishing to access IoT data. A wearable ‘knows’ who you are by collecting personal data, and is difficult to fake. A step further would be biometric authentication or using security tokens.
Critical to ensuring that federal decision makers are ready for and understand the risks of IoT is education.
Information at a federal level can be sensitive and highly attractive to adversaries or competitors. With the influx of IoT devices, federal IT decision makers must understand that more information will be online than ever before.
Implementing IoT requires a risk analysis process. They need to decide what data they can share via IoT, thus balancing business goals with cybersecurity. Simultaneously, they must also ensure that IoT devices adhere to privacy regulations. With millions of data points, there has to be a strategy for understanding and managing how that data is used, stored and then deleted.
Traditional networking is built upon standards such as TCP/IP, thus allowing networks from different organizations to connect and communicate. In contrast, IoT spans a huge spectrum with fewer standards or guidelines. This makes IoT difficult to defend and difficult to integrate with existing federal technologies.
Currently, manufacturers decide how to set up and secure devices. This leads to varying levels of security and interoperability. Federal agencies need to work with the IoT industry to develop a more open ecosystem, complete with industry standards.
IoT provides a number of potential benefits for the federal space, but risks remain. There’s a long road ahead, but with stronger authentication methods, education and industry collaboration, the federal government could thrive in the IoT revolution.
Chris Crider is a senior technical consultant at Force 3.