O'Keefe: Federal experts agree IoT demands simple, baked-in security
By Tom O’Keefe
As the federal government begins to incorporate mobile devices and the Internet of Things (IoT), security must be “baked in,” not “sprinkled on” as an afterthought, if those devices are to withstand attack.
That’s the verdict from experts in government and the contractor community, who recently met for a panel discussion on “Uniting Cybersecurity, Mobility and the Internet of Things” at immixGroup’s annual government summit on federal budgeting.
The risk of cyber attack through IoT-enabled devices made headlines late last year when a high-profile internet-monitoring and traffic-routing company was hit by a distributed denial of service (DDoS) attack. A relatively simple piece of malware called Mirai infected consumer DVRs and used them to flood the company with millions of bogus information requests. The company’s servers were overwhelmed, temporarily knocking out some of the nation’s most visited websites.
Old security precautions don’t fit IoT
Among federal agencies, current security requirements don’t necessarily fit in the new IoT environment. According to Jose Padin, sales engineering director, Federal Civilian & SI for Citrix, the fed’s approach to security “doesn't always translate into consumer-based electronics.”
The answer is for government organizations to develop or purchase new mobile and IoT solutions with security built in, said Michael Theis of the CERT Insider Threat Center at the Software Engineering Institute. “I don't think anyone's really widely codified how you go about making sure that things are secure from the beginning,” said Theis.
Padin noted that the hardware, firmware and software for IoT-enabled products are “the wild west.” He said government must add security controls to the procurement processes for these devices. He also acknowledged that industry must invest in applying these requirements to all devices, rather than creating separate government versions.
Bad actors, Padin said, “realize that the weakest link is the consumer.” By building security provisions into products from the start, consumers will no longer be a vulnerability when they buy IoT-enabled appliances.
At a more technical level, the challenge for government is to have the appropriate identity management requirements for mobility and IoT, according to Donna Dodson, director of the IT laboratory and chief cybersecurity advisor for NIST. A personal identity verification card, for example, “works nicely in a laptop or desktop but in a mobile device, not so much.”
“The end users really matter here,” Dodson said. “We need to give them answers that are easy for them to do the right thing, hard to do the wrong thing and easy to back up if the wrong thing is done.” It’s important to think about identity management in the IoT space, she added.
In many cases that may start “at the silicon level,” said Ashish Parikh, vice president of software and solutions at Arrow’s systems integration business. Silicon vendors are becoming concerned with identity and maintaining a “chain of custody to the device, to the network, to the solution,” to ensure appropriate access.
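The “chain of custody” Parikh describes, from silicon to network to solution, is easiest to see in a small challenge-response model. The following is an added example, not code from the panel, from Arrow, or from any silicon vendor: a per-device key provisioned at manufacture (standing in for a key held in a secure element) signs a verifier-issued nonce together with a hash of the running firmware, and the network-side verifier accepts only registered devices, approved firmware and fresh nonces. The class names, the HMAC-based scheme, and the in-memory registry are all assumptions made for illustration; a real deployment would use asymmetric device certificates and a hardware-backed key store.

```python
"""Toy model of a hardware-anchored device identity chain (added example).

Assumptions: each device was provisioned with a secret key at manufacture
(simulating a key fused into silicon), and the verifier holds a registry of
device ids, their keys and the firmware hash approved for each device.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Device:
    device_id: str
    secret_key: bytes   # in practice lives in a secure element, never leaves the chip
    firmware: bytes     # the image the device is actually running (constructed sample)

    def firmware_hash(self) -> str:
        return hashlib.sha256(self.firmware).hexdigest()

    def answer_challenge(self, nonce: bytes) -> dict:
        """Bind identity, the verifier's nonce and the firmware measurement together."""
        fw = self.firmware_hash()
        msg = self.device_id.encode() + nonce + fw.encode()
        tag = hmac.new(self.secret_key, msg, hashlib.sha256).hexdigest()
        return {"device_id": self.device_id, "nonce": nonce,
                "firmware_hash": fw, "tag": tag}


@dataclass
class Verifier:
    registry: dict                      # device_id -> (secret_key, approved_firmware_hash)
    pending: set = field(default_factory=set)   # nonces issued but not yet redeemed

    def issue_challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.pending.add(nonce)
        return nonce

    def verify(self, resp: dict) -> tuple:
        """Return (accepted, reason); every rejection names the failed link."""
        entry = self.registry.get(resp["device_id"])
        if entry is None:
            return False, "unknown device"
        key, approved_fw = entry
        if resp["nonce"] not in self.pending:
            return False, "stale or replayed nonce"
        msg = resp["device_id"].encode() + resp["nonce"] + resp["firmware_hash"].encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, resp["tag"]):
            return False, "bad device signature"
        if resp["firmware_hash"] != approved_fw:
            return False, "unapproved firmware"
        self.pending.discard(resp["nonce"])      # a nonce is good for exactly one answer
        return True, "ok"


def demo() -> dict:
    """Run the chain through the cases a verifier must distinguish (constructed data)."""
    good_fw = b"sensor-firmware-v1"
    key_a = b"per-device-key-A"
    registry = {"sensor-A": (key_a, hashlib.sha256(good_fw).hexdigest())}
    verifier = Verifier(registry)
    results = {}

    # 1. Registered device, approved firmware, fresh nonce: accepted.
    genuine = Device("sensor-A", key_a, good_fw)
    resp = genuine.answer_challenge(verifier.issue_challenge())
    results["genuine"] = verifier.verify(resp)

    # 2. Same response presented again: the nonce was consumed.
    results["replay"] = verifier.verify(resp)

    # 3. Registered device whose firmware was altered: measurement mismatch.
    altered = Device("sensor-A", key_a, b"sensor-firmware-v1-modified")
    results["altered_firmware"] = verifier.verify(
        altered.answer_challenge(verifier.issue_challenge()))

    # 4. Something claiming sensor-A's identity without its silicon-held key.
    impostor = Device("sensor-A", b"guessed-key", good_fw)
    results["wrong_key"] = verifier.verify(
        impostor.answer_challenge(verifier.issue_challenge()))

    # 5. A device that was never enrolled at all.
    unknown = Device("sensor-Z", b"some-key", good_fw)
    results["unknown"] = verifier.verify(
        unknown.answer_challenge(verifier.issue_challenge()))
    return results


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:18s} accepted={ok!s:5s} reason={why}")
```

The point of the model is that each rejection corresponds to a broken link in the chain: an unenrolled identity, a key the silicon never held, a firmware image nobody approved, or a response that is not fresh. Running it shows that only the first case is accepted.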
The cloud’s role in IoT development
When it comes to application development incorporating mobility and IoT, panelists concurred that the cloud offers a way to shorten the process with minimal added risk to security. Government versions of the cloud are usually more secure than enterprise offerings, which lets people focus on solving their problem rather than on building out infrastructure, said Parikh.
“When we talk about IoT and you say, ‘Yes, I'm going to build it from the sensor all the way up to the cloud and I’m going to have all that in my agency,’ good luck. We'll see you in a couple of decades and you'll be left behind,” Parikh noted.
Padin agreed that the cloud offers a more practical environment for the coming wave of IoT applications. IoT sensors, Padin said, generate “tons of data,” and it isn’t “realistic” to house that data in an on-premises system.
What’s more, the data generated by IoT devices ties back to mobility, Padin said. “We have this great pool of data, what do we do with it? People want access to it in real-time, but how?” Mobility can deliver active alerting to the mobile device so that action can be taken on data in real time. “All of this is interconnected,” he said. “It’s a system that needs to be thought about completely.”
Despite concerns about security, panelists agreed that there is huge upside potential to IoT for government applications.
“These are really quite exciting times,” said Dodson. “The changes we will see in this nation in the next 10 years will really dwarf what we saw with the IT revolution.”
BIO: Tom O’Keefe is a consultant with immixGroup, an Arrow company that helps technology companies do business with the government. Tom focuses on IT trends in civilian agencies, as well as the Internet of Things and mobility. He can be reached at [email protected], or connect with him on LinkedIn at www.linkedin.com/in/tmokeefe.