According to the original National Strategy for Homeland Security the definition of Homeland Security is:
Homeland security is a concerted national effort to prevent terrorist attacks within the United States, reduce America’s vulnerability to terrorism, and minimize the damage and recover from attacks that do occur.
While Homeland Security initiatives run the gamut from bioterrorism to national infrastructure, it’s clear that cybersecurity is playing a bigger role in attack as well as in defense and remediation. On July 31, 2018, Secretary of Homeland Security Kirstjen Nielsen announced the creation of a center aimed at protecting financial institutions, utilities and other critical infrastructure against cyberattacks. IoT technologies are a large part of this growing threat.
The Prevalence of IoT
One of the biggest risks with IoT is its ubiquitous nature. This sort of technology has permeated our personal lives with devices like wearable fitness tools, smart televisions, voice-activated assistants, web cameras and more. These contrivances aren’t limited to home use. How many businesses and government agencies have these sorts of devices in place? In these large organizations, do purchasing processes account for procurement of IoT devices? What’s the likelihood that a new LCD TV for a conference room was not vetted or configured with Wi-Fi disabled? What about Bluetooth-enabled wireless keyboards and mice? In larger buildings, your property management company may be using controllers to administer and run various systems such as door access, HVAC and lighting – all of which utilize IoT technology.
Sensor Capability versus Footprint Plus Payload
Many of these devices can innocuously collect data through sensors 24x7 or at predetermined times. In some instances, the IoT device can be programmed to turn on just long enough to collect and transmit data and then shut off, minimizing the window in which the device can be detected. The nature of the data collected depends on the sensor capability and/or where the IoT device is placed. If an IoT device is transmitting data via Bluetooth to other devices, security controls may not detect non-IP activity. Even if you have a newer wireless sensor that detects Wi-Fi, Bluetooth, and cellular RF, how many organizations are collecting this sort of data and actually looking at it?
As to the question about placement, IoT is a great example of how cyber and physical security concerns are two sides of the same coin. The physical aspect of IoT risk is directly correlated with where the device is placed. An unknown web camera pointed towards a row of trees may be innocuous, but an unauthorized web camera pointed toward an ingress point of a military facility is an entirely different matter. Conversely, an IoT device that is capable of sniffing Bluetooth traffic may have a very limited range to operate in. So, setting up a Bluetooth-enabled IoT device in a parking lot may have less ability to collect sensitive data versus one placed in the office of the CEO, capturing the keystrokes from her wireless keyboard.
Capacity to Monitor IoT
In the above example, we talk about how IoT devices can collect and transmit data through non-IP networks. This, coupled with the permeating nature of IoT devices, makes it a daunting challenge to stay abreast of the risk they bring. Even if you have the security controls in place to collect data about them, it is an entirely different matter to make sense of the data you are collecting. If it’s a sanctioned device, has firmware been upgraded? Is there a known vulnerability associated with it? How are you managing physical and digital access to the IoT device?
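One way to act on the questions above (is the device sanctioned, is its firmware current, was it heard only briefly or only over Bluetooth) is a small triage pass over wireless sensor output. This is an added example, not part of the original article; the observation records, inventory format, device IDs and the 120-second burst threshold are constructed assumptions.

```python
from collections import defaultdict

NON_IP_RADIOS = {"bluetooth"}  # traffic that IP-only security controls never see

# Constructed sensor output: (epoch_seconds, radio, device_id)
OBSERVATIONS = [
    (1000, "wifi", "02:00:00:00:00:01"),       # conference-room TV
    (4600, "wifi", "02:00:00:00:00:01"),
    (1200, "wifi", "02:00:00:00:00:02"),       # HVAC controller
    (8400, "wifi", "02:00:00:00:00:02"),
    (5000, "bluetooth", "02:00:00:00:00:03"),  # unknown, heard for 40 s
    (5040, "bluetooth", "02:00:00:00:00:03"),
    (1500, "wifi", "02:00:00:00:00:04"),       # unknown, on air all day
    (9000, "wifi", "02:00:00:00:00:04"),
]

# Hypothetical sanctioned inventory: device_id -> (installed fw, latest fw)
INVENTORY = {
    "02:00:00:00:00:01": ("2.1.0", "2.3.0"),
    "02:00:00:00:00:02": ("1.4.2", "1.4.2"),
}

def version(text):
    """Turn '2.1.0' into (2, 1, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def triage(observations, inventory, burst_seconds=120):
    """Return {device_id: [flags]} for every device that needs a look."""
    seen = defaultdict(list)
    for ts, radio, dev in observations:
        seen[dev].append((ts, radio))
    findings = {}
    for dev, obs in seen.items():
        times = [ts for ts, _ in obs]
        radios = {radio for _, radio in obs}
        flags = []
        if dev in inventory:
            installed, latest = inventory[dev]
            if version(installed) < version(latest):
                flags.append("firmware-behind")
        else:
            flags.append("unsanctioned")
            # Woke up, transmitted, went quiet: easy to miss in a spot check.
            if max(times) - min(times) <= burst_seconds:
                flags.append("burst-only")
            if radios <= NON_IP_RADIOS:
                flags.append("non-ip-only")
        if flags:
            findings[dev] = flags
    return findings
```
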
Let’s take the US electric grid. According to the Office of Electricity, the U.S. electric grid has “more than 9,200 electric generating units having more than 1 million megawatts of generating capacity connected to more than 600,000 miles of transmission lines.” Statista.com estimates there are over 3,300 electric utilities operating in the United States; it isn’t a stretch to assume each of these utilities has at least a few IoT devices deployed knowingly or unwittingly at each location. Between the lack of centralized management and the sheer footprint of these utilities, one can see the challenge in monitoring IoT.
It Works Both Ways
Up to this point, we have focused on the risk IoT technology poses to Homeland Security initiatives. What about the potential benefit of leveraging IoT solutions to enhance our national security posture? Government agencies use IoT to help secure their respective enterprises. For example, fire departments are using drones to gain information about building fires, which gives them better intel and reduces risk to firefighters.
IoT is here to stay – the question is whether it will be a net gain or a net loss in the effort to secure our nation.