For decades, federal managers have been hard at work building secure internal networks, adding security information and event management (SIEM) and vulnerability management systems, and installing new firewalls and intrusion prevention systems. Now those IT managers are faced with a new world, one filled with consumer-class devices that also need protection.
They’re faced with videoconferencing room systems and add-ons, cloud-managed switches and access points, security cameras, environmental sensors and controls, not to mention internet-connected soft drink dispensers, wall clocks and smart speakers.
Internet of Things products are in high demand from end users and agencies, but the standard toolbox IT managers have been using isn’t well adapted to them. Meanwhile, the IoT Cybersecurity Improvement Act of 2020 puts pressure on federal IT managers and supporting agencies — including the National Institute of Standards and Technology, the Office of Management and Budget and the Department of Homeland Security — to improve IoT cybersecurity. How can IT managers satisfy this demand without compromising network security?
There’s no shortage of frameworks and abstract advice. Directly applicable to federal IT managers, NIST has published several internal/interagency reports (NISTIR 8228, 8259, 8259A and 8259B) as well as special publications on IoT security requirements (SP 800-213 and 800-213A).
Focusing on Fundamentals Can Improve Your Security
While many federal IoT standards are aimed at device manufacturers and vendors, IT managers need to focus on three major tasks: protecting the device, protecting the data and protecting users’ privacy.
Depending on the agency, each of these responsibilities may be handled by different groups.
For example, device security will usually fall to network and security operations teams, while protecting user privacy and personally identifiable information may fall to legal, human resources and IT architecture groups.
Managing the security risks associated with these three tasks is straightforward, with two action items: First, know your device. Second, manage security gaps.
An excellent starting point is section 3.1 of NIST SP 800-213, titled “IoT Device Cybersecurity Guidance for the Federal Government: Establishing Requirements.”
It has about two dozen questions to determine why each IoT device is being added, what agency data will be collected and shared, and how the device fits within the agency’s technology environment.
Understanding What to Isolate Will Prevent Headaches Later
When it comes to protecting IoT from cyberattacks, IT managers can focus on the most critical question: “What are the physical, logical access, network and other requirements of the IoT device?”
IoT devices have many different access requirement models. Some are cloud-managed; others are handled internally. Some send data out; others require inbound connectivity. Some IoT devices interconnect on the local network; others bounce through a cloud-based service. Many have out-of-date or ambiguous documentation.
Fortunately for IT managers, there’s a simple strategy, no matter how this question is answered: extreme network isolation using VLANs and next-generation firewalls. Each type of IoT device should be isolated in its own firewalled network segment.
In fact, IoT devices should be given even more restrictive access controls than end users. While federal IT managers generally allow users unrestricted access to the internet with an “allow all” or “allow most” outbound security policy, both inbound and outbound traffic for IoT devices should be completely blocked by default.
Once a device is installed, add the minimum set of tightly defined rules to allow traffic required for device operation. After installation, security and network operations teams need to continue to monitor firewall logs to watch for unexpected outbound traffic, which would indicate that the firewall or the device has been misconfigured.
Outbound and inbound traffic should also be monitored to ensure that the access control policy implemented is tightly defined and that there are no unused ports, protocols, addresses or access control rules.
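The two checks described above, a default-deny segment with a minimal allow-list, reviewed for flows that no rule covers and for rules that are never used, can be scripted against firewall logs. The following is an added example, not code from the original article or from any firewall vendor; the camera VLAN, rule names, log format and addresses are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AllowRule:
    """One tightly scoped outbound allow for an IoT segment (constructed)."""
    name: str
    src_net: str   # the IoT VLAN the rule applies to
    dst_net: str   # the only destination the device may reach
    proto: str
    dport: int

    def matches(self, src, dst, proto, dport):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst_net)
                and proto == self.proto and dport == self.dport)


# Hypothetical camera VLAN; destinations use documentation (TEST-NET) ranges.
CAMERA_RULES = [
    AllowRule("cam-cloud-mgmt", "10.50.1.0/24", "203.0.113.0/24", "tcp", 443),
    AllowRule("cam-ntp", "10.50.1.0/24", "192.0.2.123/32", "udp", 123),
    AllowRule("cam-legacy-ftp", "10.50.1.0/24", "192.0.2.200/32", "tcp", 21),
]

# Constructed key=value log lines, as a firewall might emit for the segment.
SAMPLE_LOG = [
    "action=allow src=10.50.1.21 dst=203.0.113.10 proto=tcp dport=443",
    "action=allow src=10.50.1.21 dst=192.0.2.123 proto=udp dport=123",
    "action=allow src=10.50.1.22 dst=198.51.100.7 proto=tcp dport=443",
    "action=deny src=10.50.1.23 dst=203.0.113.10 proto=tcp dport=22",
]


def audit(rules, lines):
    """Return (unexpected outbound flows, names of allow rules never hit).

    A flow no rule covers is unexpected: logged as allow, the firewall policy
    is wider than intended; logged as deny, the device is attempting traffic
    outside its profile. Rules never hit are candidates for removal.
    """
    hit, unexpected = set(), []
    for line in lines:
        f = dict(kv.split("=", 1) for kv in line.split())
        flow = (f["src"], f["dst"], f["proto"], int(f["dport"]))
        rule = next((r for r in rules if r.matches(*flow)), None)
        if rule is None:
            unexpected.append((f["action"],) + flow)
        else:
            hit.add(rule.name)
    return unexpected, [r.name for r in rules if r.name not in hit]
```

On the constructed log, the allowed flow to 198.51.100.7 shows the firewall policy is broader than the intended rule set, the denied SSH attempt shows a device behaving outside its profile, and the FTP rule is never used and should be removed.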
Start with Standard Tools, Then Work Your Way Up
While some departments or subagencies may hope for a hands-off approach by IT teams, proper security management requires IoT devices to be treated like anything else connected to the network.
This means that IT teams must put into place asset management, vulnerability management, access control management and incident detection capabilities for IoT, just as they do for other devices. Similarly, agency data must be protected, both for personal privacy and for agency security.
Many types of IoT devices will present challenges in this area. For example, some IoT devices may not send logs to a central SIEM, if they generate visible logs at all.
These limitations mean that federal IT teams may be required to set up alternative systems for asset and vulnerability management and incident detection, or they need to ensure that the risk in going without these systems is fully accepted by agency leadership.
The consumerization of IT has created an incredible world of IoT devices, delivering amazing capabilities with very low capital costs.
Integrating IoT into agency networks and managing the risk it presents requires caution and an adherence to accepted basic principles of security management.