IoT Devices Put Federal Agencies a Risk, Securing Endpoints is Important

Endpoint security continues to be top of mind for organizations as employees continue to work from home and as government agencies adopt Internet of Things (IoT) technologies. For IoT technologies – from a connected refrigerator in an employee’s home, to a security camera scanning the perimeter of an agency facility, to a connected vehicle – endpoint security is vital. To explore this topic and learn how the government can better secure endpoints with IoT devices in mind, we spoke to Joe Hamblin, DoD Chief Technology Officer, Verizon.

Hamblin shared that many federal agencies have begun implementing Continuous Diagnostics and Mitigation (CDM) with a focus on endpoint security, but they need to go beyond compliance to connect or mirror CDM. Hamblin explained that IoT devices aren’t covered in these processes and leave a gaping vulnerability. “What needs to happen on the government side are rules and regulations on how to connect to IoT devices,” he shared. “Because IoT devices were not built with security in mind, any of them can become part of the attack surface if it is not properly secured,” he added.

The IoT problem for government is two-fold, Hamblin explained. “There are new IoT devices coming to market and being adopted all the time and, yet, there are no industry baseline security requirements for such devices.” The challenge with consumer-grade IoT devices is that they need to be easy to install for consumers. For example, video monitoring devices, smart thermostats, 3D printers, smart refrigerators could all make their way into an agency network – either from within the office or via a remote work connection. But because they’re familiar devices, there’s not much consideration given to their broader capabilities, or security credentials.

Hamblin suggests that certification is the best way to mitigate the most common security issues for IoT devices. “Just like all home electrical devices have UL certification for the safety of homeowners, a similar cyber security certification should be in place for IoT devices,” he added. “This will require the manufacturer of the device to ensure the security of IoT devices as opposed to putting the burden on the end user because most people don’t have the specialized skills that are needed.”

Another area of concern is that, because many of these IoT devices connect to a cloud-based system, it’s typical that the data can be accessed over the Internet. “Oftentimes there are issues with how robust authentication measures are,” shared Hamblin. “A simple username and password is no longer sufficient. While some manufacturers of IoT devices are moving to Two-Factor Authentication (2FA) most are not, and users often avoid enabling 2FA because it adds complexity to using the device. As long as users don’t understand the risks, they’re creating a virtual playground for hackers to gain access and control of devices.”

To remedy this, government agencies need to focus on cloud systems with network and mission control. “When a device enters the network there needs to be an interrogation to find out what it is and how it got there,” shared Hamblin. “As a security engineer, you want to know all the devices on your networks. Devices need to be meeting your rules or be sent to your quarantine networks.”

Although implementing a new security protocol may take time, Hamblin says agencies can still be proactive while they ramp up. “Agencies need to make sure they purchase the right devices that support secure connections – this means looking for devices with extra security measures and thinking about all the ways a bad actor can get in. HVAC systems, camera systems, and, yes, the printer are just some of the connected attack vectors agencies must manage today so you want to make sure you have a secure connection that is certificate based,” he explained.

“As IoT evolves, threat capabilities will evolve too. How can governments make sure these devices are sharing data without opening up threat vectors?” he concluded.

Find out here.