As more objects in the world are embedded with electronics that make them “smarter,” the Internet of Things grows. With that growth in connectivity comes more potential security threats. And this weakly-regulated, non-standardized segment of the technology market is creating new challenges for IT security professionals.
Point of sale systems, heating and air conditioning systems, alarm systems and traffic control systems are among the new members of the Internet of Things that government must consider. What were once strictly thought of as industrial control systems are now creeping into the domain of IT as those devices gain Wi-Fi or Bluetooth connectivity.
And increasingly, these devices are a chink in any given organization’s armor, said Jerry Irvine, CIO of Prescient Solutions, a Chicago-based IT outsourcer, adding that these devices are everywhere now, and one of the solutions to the security problem is to develop strong standards for them.
When Wi-Fi was first introduced, minimal standards existed, but out of the technology’s popularity was born a need for stronger security standards and oversight. First there was WEP encryption, which was eventually found to be easily hackable. WPA was then instituted, followed by WPA2, which is used today, and will eventually be replaced with something more complex.
“The same thing needs to happen [for the Internet of Things],” Irvine said. “There needs to be intelligent organizations that define how these things are going to be communicated to. If at all possible, there needs to be an ability of creating separate protocols to manage these solutions that are not routable across the Internet.”
By sectioning off Internet of Things devices into their own protocols, Irvine suggested, hacker inroads to the private data housed on an organization’s network can be minimized. Just allowing those devices free reign connectivity as if they were any regular computer creates too many security holes, he said, and the problem stems from the fact that these devices are entrenched in a history of old embedded systems -- systems that were developed for enterprise or government before today’s Wi-Fi, increased connectivity, and modern protocols.
Like this story? If so, subscribe to Government Technology's daily newsletter
Creating institutional solutions involving protocols and governance is important, Irvine said, because even if there are good security practices available, most users won’t use them, a fact demonstrated by the large number of people in any given organization who don’t encrypt the data on their mobile devices or even bother to set a password.
In a commercial or government office, the number of threats is growing. Wireless printers can be impregnated with viruses or used as a proxy device, he said, noting that printers are just the start as industrial control systems creep into the IT world.
The answer for IT organizations is that nothing can be protected 100 percent, Irvine said, which is why security needs to happen in layers. Firewalls, anti-virus, creating network segments for non-smart devices, proactive policies, reactive policies, and education all need to happen together to minimize risk. “If you do the right things, if you configure it in a best-practice method, you’re going to limit more than what you’re going to allow in,” he said.
Jonathan Trull, Chief Information Security Officer for the Colorado Governor’s Office of Information Technology, said he’s noticed a strong shift toward not just increased mobile devices, but toward the Internet of Things as well -- and the state's big strategy is to make security as visible and easy for the user as possible while still protecting the data, he said.
“Separate networks for people who want to access things with their BYOD mobile devices -- we try to segment them from our trusted systems. We put in technical controls around what data can leave,” he said, adding that strong policies and training are also important.
Dealing with the Internet of Things is not an active problem the state has, Trull said, but it’s definitely a growing concern. “I think we’re just at the very tip of having to deal with that,” he added. “For the next five years, it’s going to become a much greater concern.”
Staying on top of the growing number of devices connected to networks over the coming years will be a matter of monitoring the security world and seeing what kinds of devices hackers out there are targeting, he says, but the IT security mindset must also be adjusted.
“I think part of it is going to be redefining what we consider to be a computer system,” he said. “Our security program has been built around the traditional idea a computer system is your desktop, it’s your Web application, but if you have an HVAC system that cools the state capitol and it’s controlled remotely by a telecommunication, I don’t know that we’ve always thought of that as an IT system and brought that into our governance model.”
But that day could come soon, he said, and they’re going to keep watching for it.