GAO report identifies US DoD IoT security gaps
“Unconventional threats” is the area Joseph Kirschbaum focuses on in his role at the U.S. Government Accountability Office (GAO), the independent congressional watchdog. His group analyzes policy and spending in areas like nuclear forces, combatting weapons of mass destruction, defense intelligence, homeland security, and – the Internet of Things.
“It cuts across everything,” the director of Defense Capabilities and Management for the GAO, who has been with the organization for more than two decades, said of IoT.
Not a day goes by without news of an emerging IoT-related threat — the most recent news detailing vulnerabilities in more than 100,000 internet-connected security cameras that leave them open to attack. Research continues to demonstrate the lack of security in IoT device design and the risks of opening operational technology up to connections it was never designed for. And today, a bill introduced in the Senate called for stricter security measures on devices purchased by federal agencies.
And a new report issued by the GAO assessing IoT device security policies and guidance at the U.S. Department of Defense (DoD) puts that risk squarely into perspective — even the DoD has gaps in securing IoT devices, according to the report. The GAO found that existing security policies and guidance do not address all security risks related to connected devices.
“Updates to DoD policies and guidance would likely enhance the safeguarding and securing of DoD information from IoT devices,” the report states.
The 46-page report details threats to the DoD presented by increasing connectivity, threats that many outside the public sector can relate to: an organization that has been using automated sensors and controls for more than a century, and has been connecting them to computers for decades, is now “in the midst of enormous technological change.”
It also offers a glimpse into some DoD policies and guidance for IoT devices, including wearable devices, portable electronic devices, smartphones and infrastructure devices. For instance, for securing “infrastructure devices” (like smart electric meters) within industrial control systems, the DoD recommends that design at the device level includes the avoidance of wireless communications to the greatest extent possible; implementation of authentication between devices, if possible; and the avoidance of mobile code — that is, code that is downloaded and executed without explicit user action.
In addition to policies and guidance, the DoD has made other progress in addressing IoT security challenges, including identifying a number of IoT security risks and notional threat scenarios, examining security risks by conducting assessments on critical infrastructure, and establishing ongoing efforts like research programs to mitigate security risks.
Gaps, however, remain, according to the GAO report. Policies and guidance do not clearly address smart televisions or applications downloaded on DoD-issued devices. DoD policies and guidance on operations security, information security and physical security do not address IoT devices. And while it has developed guidance and detailed procedures for defending industrial control systems from cyberattacks, the DoD doesn’t have a policy directing the implementation of these procedures.
The authors laid out risks inherent in everything from the manufacture of the devices themselves to the operations security risks presented by geo-location capabilities. The report described a potential scenario in which connected devices provide gateways to sabotage a mission by shutting down communications from command-and-control computers. In that case, hackers could gain access through smart electric meters to shut down cooling systems, forcing the computers to be shut down before they overheat.
At the same time, bringing together the various stakeholders responsible for IoT security is challenging. Responsibility for securing IoT devices doesn’t sit with one entity or person; instead it spans various DoD organizations, from the CIO to the Undersecretary of Defense for Intelligence to the Principal Cyber Advisor to the Secretary of Defense, and more.
“One of the first questions we tend to ask is, Who’s in charge and who should be?” Kirschbaum said. “I’m not sure it’s appropriate to have one person in charge,” he said, pointing to the many realms IoT crosses and the importance of looking at security through those different departmental lenses.
The GAO recommended that the DoD conduct operations security surveys that could address IoT security risks, or address operations security risks posed by IoT devices through other DoD risk assessments. It also recommended that the DoD review and assess its security policies and guidance affecting IoT devices and identify areas, if any, where new DoD policies may be needed or where guidance should be updated.
For its part, the DoD concurred with the recommendations and indicated that it will begin, or already has begun, work to that end.