It is called the Internet of Things (IoT) - plural - for a reason. IoT encompasses everything from traditional IT devices like laptops and phones to next-generation technologies like virtual assistants (Alexa, Google Home) to previously unconnected technologies like TVs to everyday utilities like HVAC systems and even refrigerators. With this wide range of things, agencies are finding it difficult to catalog every IoT device, making the creation of policies and processes even more challenging.
Shadow IoT--connected devices that aren't managed or monitored by an organization's IT resources--is a real concern for IT teams. In one study, 90% of organizations found IoT devices they were not aware of using their network. These devices can include fitness trackers, digital assistants, and smart televisions. Once these devices are identified, huge security challenges still remain as many of them were not designed with security in mind. There is also such a wide range of devices and manufacturers that policies cannot be applied consistently across all of the different products and systems.
Even known IoT devices can provide security challenges and concerns. Historically, systems running building automation - lights, elevators, sprinkler systems, HVAC - were separate from the IT systems. Today, these Industrial Internet of Things (IIoT) regularly connect to external networks and introduce risk back into the agency networks. As a workaround, a survey of IoT leaders found that 45% of respondents said they were deploying IoT devices on a dedicated network. Continue reading
The Internet of Things (IoT) is made up of webcams, sensors, thermostats, microphones, speakers, cars, and even stuffed animals. All of these connected devices can help individuals and organizations stay connected across geographic distances, keeping tabs on and managing assets from miles away. The data they collect can be combined with other data sets to create actionable advice for better management and service.
This holds incredible promise for local governments and federal agencies charged with maintaining safe operating fleets and facilities. There's also the application for improving the routing of field technicians as well as traffic flow in general. But, as every superhero knows, with great power comes great responsibility.
As with any technology, IoT standards need to be developed for effective and safe use as well as to enable interoperability. NIST has been working on defining standards and recently released Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, but no federal agency is currently claiming jurisdiction over IoT policy and rule-making. In this vacuum, the legislative branch is getting involved. This past November, the House passed the SMART IoT Act that tasks the Department of Commerce with studying the current U.S. IoT industry. A Senate bill was introduced to manage what types of IoT devices the government can purchase, ensuring that all IoT tech in government is patchable and has changeable passwords. Finally, states are even weighing in on the proper use of IoT in government. California passed the first IoT cybersecurity law, making device manufacturers ensure their devices have "reasonable" security features. Continue reading