Thanks to the promise of the Internet of Things and the savings, efficiencies and insights connected devices can deliver governments, all eyes are on smart cities as of late. Many view IoT as the culmination of years of investments in high-speed networks, sensors and analytics that will help bring greater understanding, awareness and insight into all manner of behaviors, including buying, driving and eating habits.
Municipalities of all sizes around the world are embracing this digital transformation and have launched smart city initiatives to make service delivery more efficient, improve quality of life, develop new sources of revenue, protect the environment, and respond to a changing threat landscape.
Cities and towns are deploying a wide array of smart technologies, connected devices, in-vehicle solutions, cameras and sensors within their infrastructure and services to offer efficiencies for a variety of government services, including streets and roadways, first responders, power and water systems, garbage collection, snow removal and social services.
But alongside streamlining operations, IoT has maximized the cyberattack surface. Unlike traditional IT devices, such as PCs, IoT devices often do not have anti-malware programs built in. Instead, they often have default passwords, open hardware and software ports, no support for encryption and the inability to update firmware. These vulnerabilities in IoT devices are evidenced in recent attacks, such as how hackers were able to take over various surveillance cameras in Washington D.C., just prior to last year’s presidential inauguration.
While cities have been receiving most of the attention in regard to their efforts to take advantage of the IoT, looking at the state level is equally important. The potential IoT opportunity for states is even larger for states, but government IT leaders should be wary of the increased security risks that going smart brings. So how can states stay safe? Here are three tips for states looking to secure IoT tech:
1. States Should Not Treat IoT Security as an Afterthought
Many states fall victim to chasing technology, often looking to security as an afterthought, which can lead to unforeseen vulnerabilities after states have already made IoT investments. Instead, government leaders and IT teams should treat network security as a foundational consideration from the inception of the planning process.
Moreover, a state’s IT department that hasn’t already prioritized modernizing its infrastructure and evaluating security solutions is even farther behind on IoT than it may realize. Similarly, those IT teams currently undertaking infrastructure and security initiatives should plan with future IoT initiatives in mind; failure to do so could quickly render newly adopted infrastructure and security solutions obsolete.
2. State Security Leaders Should Seek Outside IoT Expertise
Many state organizations prepare to implement IoT on their own, designing their own network architecture to support IoT. In fact, many prefer to manage their own IoT device security and are comfortable building their own in-house IoT solutions. While the initiative and innovation is admirable, it may be helpful to bring in outside IoT expertise to evaluate and mitigate potential risks to operations and, by extension, to internal business clients and customers.
Organizations that implement, house and manage IoT on their own will have their hands full when it comes to securing IoT deployments. If done incorrectly, they risk exposing their core networks to security threats, such as the recent Reaper and Mirai botnet attacks that infected 2 million IoT devices in one month, including internet-connected webcams, security cameras and digital video recorders (DVRs). IT departments are able to deploy anti-malware clients on their computers, but these solutions don’t yet exist for IoT devices.
One way to mitigate the risk associated with an IoT implementation is to use a combination of software-defined networking and software-defined perimeter technologies to reduce the attack surface. These approaches allow IT departments to leverage existing physical networks with overlay private networks that hide IoT devices from the outside world and isolate the devices from other enterprise resources.
3. Separate State Networks to Avoid Intrusion
Another approach that states can use is to create physically separate networks using 4G-LTE dedicated to IoT devices. With this approach, if a hacker is able to compromise the IoT devices, they are unable to conduct a “pivot attack” to other enterprise assets, since the physically separate IoT network is “air-gapped” from their secure enterprise network.
Instead of directing this network through the company’s data center for example, companies can direct the parallel networks to public or private clouds — limiting access to valuable information and reducing bandwidth bottlenecks. If hackers gained access to one of the parallel networks, they could not pivot to another network.
For example, IoT devices associated with a city’s traffic management system (or within public safety) can exist on a different network than the other critical networks in that city. With these separate networks in place, if people hacked the traffic management system, for example, they would be unable to pivot from that network to other critical public systems.
States need to think carefully about which devices they connect to which networks. As we enter the smart state future, driven by holistic connectivity, we need to do so with our eyes open. Securing the smart states requires us to be pragmatic and to ensure we keep certain devices unconnected and others separate from mainstream networks.