Securing a Tide of the Internet of Things
IoT has the potential to offer state and local municipalities real and tangible benefits for their citizens. The IoT is already powering smart city efforts throughout the country, through things like smart grids, automatic flood detection, and more. The city of Chicago alone has an initiative called the “Array of Things”—a massive open data effort reliant on sensors to turn Chicago into “the most data-driven government in the world,” according to former Mayor Rahm Emanuel.
Millions of small devices use agency networks to communicate and share information. We’ve moved beyond the quaint “bring your own device” trend into a world where government workers are using an endless sea of technologies, from smartwatches to smart speakers, all of which are difficult to track and secure.
Containment Is Key
Any approach to dealing with the IoT must first start with recognizing it can’t be “managed” traditionally. There are now 7 billion IoT devices in circulation according to research from IoT Analytics. Those devices come in different forms and run on various (mostly proprietary) operating systems.
NIST recently published NISTIR 8228, which provides guidelines on how best to manage cybersecurity and privacy risks related to the IoT. The publication advocates focusing on protecting device security, data security, and individuals’ privacy without objecting to the use of IoT devices in public agencies. The same principles and challenges clearly apply to the state and local government sector.
Visibility Is Critical
Many IT managers simply do not have visibility into all—or even probably most—of the IoT devices used daily on their networks. As such, IoT can be a particularly insidious form of shadow IT that can significantly broaden an agency’s attack surface.
IT professionals need to gain a precise understanding of device behavior to ensure connected devices aren’t acting in a suspicious or potentially malicious manner. For example, is the connected printer doing what it’s supposed to be doing? Or is it exhibiting signs of being an information-sharing node?
Action Is Necessary
Once a device is flagged, IT administrators will want to automatically kill any applications running on the device. Securing the IoT is about application awareness more than anything else. Administrators must gain a solid understanding of how apps are transmitting information to better protect their networks and data.
State and local IT professionals should consider developing whitelists for the devices allowed on their networks. Then, assert further control by tracking and blocking rogue devices. Allowed devices should be consistently patched and updated to help ensure they’re better protected.
Secure—Not Stem—the Tide
For most agencies, it’s too late to turn back—and really, do we want to? As much of a challenge the IoT poses, use of connected devices propagates greater efficiency and employee satisfaction. Perhaps the best state and local IT professionals can do is to secure the tide—rather than stem it—by expanding their perspectives and processes when it comes to fortifying IoT devices.
Find the full article on American City and County.