Breaking Down Silos and Combatting the IoT Threat

orafik over 5 years ago 3 minute read time

By Omar Rafik, SolarWinds Senior Manager, Federal Sales Engineering

Here’s an interesting article on the internet of things (IoT) and security threats. We’ve all been expecting IoT devices to be problematic and it’s good to see recognition that better controls are needed for the federal government.

The Department of Defense is hearing the IoT alarm bells.

Did you hear about the heat maps used by GPS-enabled fitness tracking applications, which the U.S. Department of Defense (DOD) warned showed the location of military bases, or the infamous Mirai Botnet attack of 2016? The former led to the banning of personal devices from classified areas in the Pentagon, as well as a ban on all devices that use geolocating services for deployed personnel. While the latter may not have specifically targeted government networks, it still served as an effective wakeup call that connected devices have the potential to create a large-scale security crisis.

Indeed, the federal government is evidently starting to hear the alarm bells, considering the creation of the IoT Cybersecurity Act of 2017. The act emphasizes the need for better controls over the procurement of connected devices and assurances that those devices are vulnerability free and easily patchable.

Physical and cultural silos

Technical, physical, and departmental silos could undermine the government’s IoT security efforts. The DOD is comprised of about 15,000 networks, many of which operate independently of each other. According to respondents cited in SolarWinds’ 2018 IT Trends Report, federal agencies are susceptible to inadequate organizational strategies and lack of appropriate training on new technologies.

Breaking the silos

Bringing technology, people, and policy together to protect against potential IoT threats is a tricky business, particularly given the complexity of DOD networks. But it is not impossible, as long as defense agencies adhere to a few key points.

Focus on the people

First, it is imperative that federal defense agencies prioritize the development of human-driven security policies.

Malicious and careless insiders are real threats to government networks—perhaps just as much, if not more so, than external bad actors. Policies regarding which devices are allowed on the network—and who is allowed to use them—should be established and clearly articulated to every employee.

Agencies must also try to ensure everyone understands how those devices can and cannot be used, and continually emphasize those policies. Implementing a form of user device tracking—mapping devices on the network directly back to their users and potentially detecting dangerous activity—can assist in this effort.

Gain a complete view of the entire network

DOD agencies should provide their IT teams with tools that allow them to gain a complete, holistic view of their entire networks. They must institute security and information event management to automatically track network and device logins across these networks and set up alerts for unauthorized devices.

Get everyone involved

It is incumbent upon everyone to be vigilant and involved in all aspects of security, and someone has to set this policy. That could be the chief information security officer or an authorizing official within the agency. People will still have their own unique roles and responsibilities, but just like travelers in the airport, all agency employees need to understand the threats and be on the lookout. If they see something, they need to say something.

Finally, remember that networks are evolutionary, not revolutionary. User education, from top management on down, must be as continuous and evolving as the actions taken by adversaries. People need to be regularly updated and taught about new policies, procedures, tools, and the steps they can take to be on the lookout for potential threats.

As the fitness tracking apps issue and the Mirai Botnet incident have shown, connected devices and applications have the potential to do some serious damage. While government legislation like the IoT Cybersecurity Act is a good and useful step forward, it’s ultimately up to agency information technology professionals to be the last line of defense against IoT security risks. The actions outlined here can help strengthen that line of defense and effectively protect DOD networks against external and internal threats.

Find the full article on SIGNAL.

The SolarWinds trademarks, service marks, and logos are the exclusive property of SolarWinds Worldwide, LLC or its affiliates. All other trademarks are the property of their respective owners.

Top Comments

rschroeder over 5 years ago +1

These are all great observations and ideas. I don't have much pity for those who procrastinate their implementation of better solutions, better team work, and better silo demolition. One small phrase…

fmasotti over 4 years ago

thanks for the article
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
david.botfield over 5 years ago

Thanks for the article.
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
ecklerwr1 over 5 years ago

Part of the problem is there will just be too many of these things... better have an SLX license o.O!
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
tinmann0715 over 5 years ago

As typical with IOT, prudence and pragmatism to security is negated by OTS. Often times no thought is given to the security implications of connecting one's toaster to wifi… until it is hacked and set to never turn thus catching fire. There are a thousand personal IOT horror stories out there.
IOT security is driven by its need to catch up with the new technology. Too often security is behind.
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
bobmarley over 5 years ago

Thanks for the write up.
In healthcare some IOT things you don't immediately think of such as don't play pokemon in a patient care area.... because if a patient ends up in a picture...then your violating a bunch of rules.
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel