Securing the Internet of Things tide
The long-promised Internet of Things (IoT) storm has arrived in force, bringing with it a combination of good and bad news for state and local government agencies.
First, the good: the IoT has the potential to offer state and local municipalities real and tangible benefits for their citizens. The IoT is already powering smart city efforts throughout the country, through things like smart grids, automatic flood detection, and more. The city of Chicago alone has an initiative called the “Array of Things”—a massive open data effort that relies on sensors to turn Chicago into “the most data-driven government in the world,” according to former Mayor Rahm Emanuel. These big picture, large-scale innovations offer the promise of a safer and more efficient way of life for citizens.
But state and local IT teams are faced with an IoT flood of their own. This tsunami has taken the form of millions of small devices that are using agency networks to communicate and share information. We’ve moved beyond the quaint “bring your own device” trend into a world where government workers are using an endless sea of technologies, from smartwatches to smart speakers, all of which are difficult to track and secure.
Let’s explore some strategies that state and local government IT professionals can employ to batten down the network hatches and weather this storm.
Containment is key
Any approach to dealing with the IoT must first start with the recognition that it is not something that can be “managed” traditionally. There are now 7 billion IoT devices in circulation according to research from IoT Analytics. Those devices come in different forms and run on various (mostly proprietary) operating systems. To adopt a sports phrase, you can’t stop them, you can only hope to contain them.
In a sense, that’s what the National Institute of Standards and Technology (NIST) is advocating for the federal government. NIST recently published NISTIR 8228, which provides guidelines on how best to manage cybersecurity and privacy risks related to the IoT. The publication advocates focusing on protecting device security, data security, and individuals’ privacy without objecting to the use of IoT devices in public agencies. It accepts them as fact and encourages organizations to better understand their use of IoT and how it impacts security.
While the publication is geared toward federal agencies, the same principles and challenges that NISTIR 8228 addresses clearly apply to the state and local government sector. IT professionals at these levels need to secure their devices and data while protecting their workers’ rights to privacy. That’s hard to do when faced with thousands of non-secure access points.
Visibility is critical
Of course, you can’t secure what you can’t see. Many IT managers simply do not have visibility into all—or even probably most—of the IoT devices that are being used daily on their networks. They may not know that there’s a problem, or where the problem is coming from, until it’s too late. As such, IoT can be a particularly insidious form of shadow IT that can significantly broaden an agency’s attack surface without IT managers even realizing that it’s happening.
Taking stock of every device that is in use is essential, but even that in and of itself isn’t necessarily enough. IT professionals should be able to gain a precise understanding of device behavior to ensure that connected devices are not acting in a suspicious or potentially malicious manner. For example, is that connected printer doing what it’s supposed to be doing? Or is it exhibiting signs of being an information-sharing node? If it’s the latter, it’s time to take action.
Action is necessary
Once a device is flagged, IT administrators will want to automatically kill any applications running on the device. Securing the IoT is about application awareness more than anything else. Administrators must gain a solid understanding of how apps are transmitting information in order to better protect their networks and data.
Creating protocols around unsanctioned devices is also a good idea. State and local IT professionals should consider developing whitelists for devices that are allowed on their networks. Then, assert further control by tracking and blocking rogue devices. Those devices that are allowed should be consistently patched and updated to help ensure that they are better protected.
Secure—not stem—the tide
There are some agencies out there that have adopted strict “no consumer devices” policies, but those are few and far between. For most, the IoT horse left the barn years ago when employees began using their personal smartphones for work.
Now, it’s too late to turn back—and really, do we want to? As much of a challenge the IoT poses, use of connected devices propagates greater efficiency and employee satisfaction. Perhaps the best state and local IT professionals can do is to secure the tide—rather than stem it—by expanding their perspectives and processes when it comes to fortifying IoT devices.
Mav Turner is group vice president of products at SolarWinds.