The security of Internet of Things devices and systems is a concern at both the city and state level. IoT devices are increasingly being used in botnet attacks to take down computer networks. For the Commonwealth of Massachusetts, the threat is real and needs to be addressed.
Last month, Massachusetts State Auditor Suzanne Bump released a report that summarized how the state’s agencies currently use and think about IoT and the risks associated with it. While state agencies are using IoT and see its benefits, a plurality also voiced concerns that IoT risk cannot currently be effectively managed.
The report makes clear that Massachusetts must take steps to bolster its IoT security, including improving information security policies, standards and guidelines. The report also says the state needs to create an information security incident response plan and connect IoT devices to the Commonwealth network with the involvement of the Commonwealth’s CIO or a designee.
“As IoT technology becomes increasingly ubiquitous, state government has a choice: it can lead by proactively securing these devices and developing a comprehensive approach to ensure agencies are effectively protected when leveraging these tools, or it can react to challenges and threats when they are at an agency’s doorstep,” Bump said in a statement. “As the Commonwealth continues to take measures to improve its IT operations and security, the opportunities and threats presented by IoT devices must be a part of that strategy.”
Massachusetts Uses IoT in Smart Buildings, Hospitals and on Highways
To gain a better understanding of the current use of IoT devices by state agencies, the Office of the State Auditor conducted a survey of 84 state agencies, 28 of which responded.
The purpose of the survey, which examined the period of July 1, 2016, through March 31, 2017, was to determine the current and future plans for deploying IoT devices in the state, the types of IoT devices deployed, the ways IoT devices are connected to networks, the ways IoT devices are used, and agencies’ perspectives on the benefits and risks of IoT technology.
Among other use cases, IoT is used in smart building management, in cameras and sensors at highway tolls, via GPS systems on Massachusetts Bay Transportation Authority trains and in patient-monitoring systems in hospitals.
Notably, the report found that while 68 percent of respondents believe that the IoT has enabled their agencies to manage specific activities more efficiently, 43 percent believe that the IoT “is in its infancy and the risk of adopting IoT devices is greater than the benefits.” Further, 46 percent of respondents “believe that IoT risks cannot be managed effectively and efficiently by current controls.”
The finding on risk versus benefit “seemed like a clear call from those agencies that they needed some guidance and some help,” OSA’s Director of Communications Michael Wessler tells Government Technology.
How Massachusetts Can Enhance IoT Cybersecurity
To determine the risks associated with the state’s use of IoT, the state auditor’s office reviewed the applicable network security controls in the Massachusetts Access to Government Network (MAGNet) system that were intended to safeguard against potential security vulnerabilities of IoT devices and related information system resources. The office also examined the problem management and patch management processes for IoT devices and related IT resources.
The office also looked at the procurement and project management methodology for the Commonwealth Building Energy Intelligence Program and determined whether cybersecurity risks were properly mitigated. Additionally, the office reviewed the IoT vendor selection and vendor relationship management processes, as well as the availability of state data upon the termination of a relationship with a vendor.
According to the report, the state’s Enterprise Information Security Policy does not provide guidance to state agencies regarding the IoT. Specifically, “it lacks controls to ensure that a minimum level of security is provided throughout the Commonwealth for the IoT, as well as optional control recommendations based on industry best practices, like those of the National Institute of Standards and Technology.”
Without adequate administration through policies, standards and guidelines around IoT, the state “may be subject to security vulnerabilities that could affect its operations, safety, and privacy,” the report says. The report says the state CIO’s office should “establish detailed policies, procedures, and standards regarding the connection, use, and security of IoT devices.”
The state’s Executive Office of Technology Services and Security is in the process of developing new policies, procedures and standards, but says that many of the security controls required to mitigate and counter IoT-based attacks were already fundamental to the existing network security, access controls, and other well-established security areas.
The report says EOTSS does not have a documented incident response plan, and it needs one, since “such a plan would establish specific procedures EOTSS would follow to respond to and resolve any detected incidents affecting the security of the Commonwealth’s IT hardware, software, and data related to IoT devices.”
Without an incident response plan, the state “has inadequate assurance that it can effectively respond to and minimize the risk of cyberattacks when they happen.”
The report also found that the state’s Division of Capital Asset Management and Maintenance procured the contract for a project that involved connecting IoT devices to the MAGNet without involving the state CIO’s office. Since the CIO’s office was not given the opportunity to participate in the project, “there is inadequate assurance that the connected devices were properly connected, and there is an increased network security risk that IoT devices will be exposed to cyberattacks,” the report says.
EOTSS should implement a policy to ensure that all state agencies considering undertaking any projects related to MAGNet contact the state CIO’s office and learn whether it should be involved in supervising the projects, the report advises.