"Our world is more connected than ever." This phrase can be interpreted in many ways, one being the growth of Internet of Things (IoT) devices. Traditional materials and devices, including bridges, streetlights, water processing machines, home refrigerators, and even our doorbells, are now connected to the internet and to users who need to track how they are functioning. However, this cyber connection also means that these devices are open for others to access and use in ways we never envisioned.
Cybersecurity practices must now extend to non-cyber products to ensure that operational technology does not compromise information technology or the networks that connect them. In fact, 1.5 billion attacks were launched against IoT devices in a single year.
Efforts to secure IoT devices must happen across all levels of users, from the federal government through state and local agencies to even citizen consumers.
Federal Agencies Struggle with IoT Security
A recent report from the Office of Management and Budget (OMB) found that federal agencies are not meeting mandates for having IoT security policies in place. The 2020 Internet of Things Cybersecurity Improvement Act aimed to apply the National Institute of Standards and Technology IoT cybersecurity guidelines to all IoT purchases in the federal government.
In researching compliance with this legislation, OMB found that "relatively few formal agency policies address the selection of cybersecurity requirements specifically for IoT devices." As a result of these findings, OMB directed agencies to provide an inventory of their IoT assets (specifically those with programmable controllers, sensors, integrated circuits, and other components that allow for data collection and transmission) to raise awareness of the scope of IoT use and the risks that they introduce.
Infrastructure Security Starts at the State and Local level
State and local agencies oversee much of the nation's critical infrastructure. Additionally, regulation for privately held infrastructure frequently rests at the state level. And of course, the impact of infrastructure being breached or damaged has the most direct impact on local communities. Unfortunately, state and local governments are typically greatly constrained in their ability to meet the complex security needs of IoT because they lack the budget and technical resources.
The federal government is stepping in to support the growth of cybersecurity skills for state and local agencies. The Cybersecurity and Infrastructure Security Agency (CISA) is conducting tabletop exercises that allow state and local teams to role-play simulated cybersecurity scenarios in preparation for real threats. Additionally, the 2022 Cyber Incident Reporting for Critical Infrastructure Act aims to improve information sharing around cyber threats as well as prevention tactics.
Consumers Take an Active Role in IoT Security
If the government is having trouble meeting standards, imagine the risks potentially being introduced by casual consumer use of IoT. In an effort to help people protect themselves and the wider networks to which they connect, the Federal Communications Commission (FCC) has created a voluntary cybersecurity labeling program for IoT devices. Similar to the Energy Star logo, this label will identify products that meet baseline cyber standards as defined by the National Institute of Standards and Technology. With this labeling, consumers will be able to make informed choices regarding the security level of the increasingly complex devices they are purchasing and using daily.
For more on how government is securing IoT, check out these resources.
- IoT Expo North America (June 5-6, 2024; Santa Clara, CA) - Delve into the latest IoT advancements in areas such as IoT, Smart Cities & Transport to Data, Analytics, and IoT Security. Explore how IoT, Smart Infrastructures, and Connectivity are having an impact on a range of industries, including manufacturing, transport, supply chain, government, legal and finance sectors, energy, retail, healthcare, and more.
- Protecting Critical Infrastructure Requires Robust Partnerships (June 6, 2024; webcast) - Many agencies are not aware that cyber-attacks can be launched against operations technology (OT), such as monitors and sensors, and used as entry points for attacking IT systems. The Cybersecurity and Infrastructure Security Agency Joint Cyber Defense Collaborative is acting to engage partners in improving the nation's cybersecurity posture, including strengthening the safety of OT systems.
- 2024 Cyber Summit (June 6, 2024; Arlington, VA) - In an era defined by the digital revolution, the impact of cyber is pervasive across the federal government, and its reach is continually expanding. This event features esteemed cyber experts, government leaders, and industry visionaries speaking on the dynamic and ever-evolving role of cyber in the public sector.
- A Zero Trust Approach to Securing Your IoT Devices (white paper) - Digital transformation is happening all around us, especially in the government space, in our cities and towns, at our state levels, and even at the federal level. Now, everything is so much more interconnected. With this transformation, it is important to consider how you are protecting your environment end-to-end.
- Why the United States and EU Should Seize the Moment to Cooperate on Cybersecurity Labeling for IoT Devices (white paper) - The United States and EU should align their respective approaches to cybersecurity labeling for IoT products--the U.S. Cyber Trust Mark and the EU's Cyber Resilience Act (CRA)--via technical standards and potentially a mutual recognition agreement (MRA). An aligned EU-U.S. approach would allow firms to only test once in order to comply with both systems. Cooperation on IoT cybersecurity labeling would avoid creating yet another regulatory point of conflict in the transatlantic trade and technology relationship.
- Three Key Technology Advancements Enabling Law Enforcement Modernization (white paper) - Much like every other aspect of our lives, law enforcement is now a digitally driven activity. Every crime has digital evidence, whether it's a suspect's cell phone, a witness's cell phone video, camera footage from a doorbell, a fitness tracker, or data from any number of IoT devices and sensors. This wealth of digital data is both an asset and a challenge for law enforcement.
To explore more details on the growing use of IoT, explore additional resources on GovEvents and GovWhitePapers.