With so many high-profile hacks this year, it's easy to want to throw up your hands and say, "Is there nothing that can be trusted?!" Interestingly, that lament is what is driving the latest approach to cybersecurity -- zero trust. Zero trust is what it sounds like, a security approach centered on the belief that organizations should not automatically trust anything accessing their systems either inside or outside their perimeters. Instead, all people and devices must be verified before access is granted. To the untrained eye, this seems untenable. How, in this day and age, when we depend on digital information and connection to do most anything, can we use a process where we have to constantly verify identity and access permissions? Luckily, the practice of zero trust is more sophisticated than its premise.
The use of Internet of Things (IoT) to manage infrastructure and services is not a new concept, but response to the new normal of pandemic life, natural disasters, and the implementation of 5G networks all could accelerate the implementation of IoT solutions.
Stay-at-home orders, social distancing measures, and backlogged inspection schedules all combine to make a great case for implementing sensors and other IoT devices as part of infrastructure management. With technology providing data on the status of equipment, facilities, and general infrastructure like roads and bridges, the need to deploy inspectors to the field can be minimized. In the short term, this reduces potential points of exposure for inspectors and field staff. Longer term, it adds a new "colleague" to field management teams. IoT can handle routine, low risk monitoring, freeing up humans to focus on more complex or higher priority tasks and activities.
This spring, the concept of supply chains became a household discussion as families searched high and low for household staples like toilet paper, flour, and hand soap. However, supply chain for government is more complex than the supply and demand driven model for consumer goods. Government supply chains involve monitoring for security and foreign involvement. This means knowing where all parts of a solution were manufactured, programmed, and assembled.
Gregory C. Wilshusen, director of information security issues at the U.S. Government Accountability Office, noted that "supply chains can be long, complex, and globally distributed and can consist of multiple outsourcing tiers. As a result, agencies may have little visibility into, understanding of, or control over how the technology that they acquire is developed, integrated, and deployed."
This lack of visibility is due in part to incomplete vendor reporting. Not only do vendors have to manage all the pieces of their solution, but they themselves may be managed by multiple organizations in an agency. Reporting happens through numerous tools and is siloed, making it difficult to get a full picture of the chain that led to the delivery of a solution to a government agency.
From military missions to public safety applications to infrastructure inspections, drones have many applications across government. While the technology is ready for all of these applications (and more), there are complex regulatory and legal issues that are holding up their widespread use. These issues include airspace regulations (for the safety of manned and unmanned flights), privacy concerns (related to on-board cameras), and cybersecurity concerns.
While these issues are being discussed in the courts and across regulatory bodies, state and federal level agencies are taking steps to integrate drone usage into their processes. For federal agencies, drones are available on the GSA Schedule. State and local organizations are piloting a drone-as-a-service model that allows groups to use drones for specific-use cases without having to invest in the purchase and maintenance of the hardware.
There are a number of upcoming events that address both the technology and the policies that impact current and future drone usage. Continue reading →
It is called the Internet of Things (IoT) - plural - for a reason. IoT encompasses everything from traditional IT devices like laptops and phones to next-generation technologies like virtual assistants (Alexa, Google Home) to previously unconnected technologies like TVs to everyday utilities like HVAC systems and even refrigerators. With this wide range of things, agencies are finding it difficult to catalog every IoT device, making the creation of policies and processes even more challenging.
Shadow IoT--connected devices that aren't managed or monitored by an organization's IT resources--is a real concern for IT teams. In one study, 90% of organizations found IoT devices they were not aware of using their network. These devices can include fitness trackers, digital assistants, and smart televisions. Once these devices are identified, huge security challenges still remain as many of them were not designed with security in mind. There is also such a wide range of devices and manufacturers that policies cannot be applied consistently across all of the different products and systems.
Even known IoT devices can provide security challenges and concerns. Historically, systems running building automation - lights, elevators, sprinkler systems, HVAC - were separate from the IT systems. Today, these Industrial Internet of Things (IIoT) regularly connect to external networks and introduce risk back into the agency networks. As a workaround, a survey of IoT leaders found that 45% of respondents said they were deploying IoT devices on a dedicated network. Continue reading →