One of the common jokes about the Internet of Things (IoT) is how your refrigerator might one day hack your house and run off with the contents of your bank account. While the scenario may seem absurd, it might also not be too far from the truth. As more and more devices connect to the Internet, innocuous endpoints – like refrigerators, washing machines, and televisions, are likely to be the gateways to valuable data opening the way for cyber attacks that we’ve only just begun to imagine.
Before you classify this as a consumer issue and feel a wave of relief that you don’t need to confront this issue in your work in IT for a federal agency, don’t exhale just yet. Even though government agencies aren’t going to have to deal directly with a rogue washing machine, there are plenty of other endpoints that are vulnerable – from the power grid to other machines in the field such as WiFi at remote bases for deployed troops – to attack. Or, consider what an unauthorized device, something as seemingly innocuous as an Internet-enabled watch, brought into a secure facility could ensue. With two critical changes happening at once – agencies facing both more data to sanitize and more devices to secure – the possibility of an unparalleled cyber attack- one that would make the OPM hack seem routine- is much more likely.
Given that most government agencies are struggling with their cyber security defenses already and that most have not yet put an IoT strategy in place, if agency IT leaders don’t start to incorporate IoT into cyber security plans and cyber security into IoT planning, then we could be in for a devastating attack on critical infrastructure or vital data repositories. In order to successfully implement this synchronous planning and awareness building, government IT leaders need to be prepared to become change agents. That is a leader who is ready to disrupt the way things have always been done to fulfill agency mission and get critical modernization tasks accomplished. The first disruptive action that should be recommended is to up-end the on-boarding process for new technology. The explicit authorization model that agencies use will likely be insufficient in the age of IoT; it consumes too much time, too much manpower, and these are two commodities that no government agency has enough of to begin with.
But how do you do this?
The answer appears to be counterintuitive. Rather than adding restrictions to devices that can access the network, the network needs to be opened up, but with better support systems in place. The key is to support a self-service model with continual, real-time monitoring – continuous insight – so that deviations from norms and protocols can be detected immediately and shut down immediately, so that risk can be minimized and attacks can be quashed.
Interested in learning more tips and best practices for Cyber Security? You can find them here…