Navigating the Crossroads: The Intersection of IoT and Infrastructure in a Security-First World

IoT and Its Impact on Infrastructure and Governance

The Internet of Things (IoT) revolutionizes how governments, organizations, and citizens interact with the physical world. This wave of interconnected devices promises a transformative shift in infrastructure and governmental operations. However, as the reach of IoT grows, the implications — especially those related to security — become even more profound.

The fever for IoT adoption across local, state and federal governments signifies a vibrant marketplace. Governments globally are showing increased interest in IoT technologies to enhance efficiency, uplift security measures and enrich citizen services. In this arena, compliance isn't merely an administrative obligation. Vendors who resonate with federal security standards laid out by the National Institute of Standards and Technology (NIST) gain a competitive edge. 

The increasing affinity towards IoT within government projects is very tangible. The IoT footprint is vast, whether that’s transportation systems equipped with real-time monitoring or healthcare tech leveraging IoT for remote patient supervision. The evolution of urban settings into smart cities, ensuring enhanced life quality, further underscores this trend. Vendors who stay alert to governmental needs and foster strategic alliances can seize serious opportunities here.

As the IoT horizon expands, security remains the focus. Vendors who can couple advanced security solutions with a grasp of governmental requisites for IoT find themselves in an excellent position for FY24.

Transformative Potential Vs. Security Risks

The realm of IoT, while promising, is full of security concerns. The 2021 incident at Oldsmar, Florida, serves as a bold reminder — malefactors aimed to manipulate the town's water supply by escalating the lye levels. Though averted, it underscores the catastrophic possibilities when IoT in critical infrastructure remains unprotected. Echoing these concerns, the U.S. Government Accounting Office (GAO) has continually spotlighted vulnerabilities within the nation's cybersecurity architecture. Despite consistent recommendations, a considerable implementation gap still needs to be addressed.

Initiatives like the Internet of Things Cybersecurity Improvement Act of 2020 underscore the commitment to bridge this gap. Mandating alignment with NIST's rigorous standards, the act encompasses diverse security realms, ensuring a fortified approach against potential breaches.

IoT's Expanding Terrain and the Cybersecurity Implications

The IoT wave mirrors the early days of the internet. While it provides unparalleled operational advantages, from cost-effectiveness to enhanced citizen services, it introduces many complexities — notably cybersecurity.

The GAO has consistently pointed out these shortcomings in the cybersecurity posture of government entities responsible for protecting critical U.S. infrastructure. The report underlines the slow pace of adopting the GAO's recommendations for protecting critical infrastructure. Roughly 50 out of 90 recommendations made in GAO's public reports since 2010 have yet to be implemented, leaving federal agencies potentially exposed to cybersecurity threats.

Against such security challenges, government institutions have started taking steps to secure IoT devices. All government departments are now operating under the mandate that any procurement or use of an IoT device must comply with standards developed by NIST under the IoT Cybersecurity Improvement Act of 2020. The IoT Act standards address key areas such as secure device identity, firmware updates, configuration management, physical and logical access controls, data protection and privacy and event logging.

IoT devices often favor usability over security, leading to devices being vulnerable to breaches. This vulnerability escalates as the number of interconnected devices mushrooms. A single compromised device can potentially jeopardize an entire network. Additionally, the diverse array of devices from varied manufacturers, each with unique software configurations, further complicates the creation of a standardized security protocol.

Balancing IoT Advancements with Infrastructure Security

As IoT devices and systems become more integrated into critical infrastructures like energy, health services, homeland security and transportation, securing these devices has become a national security challenge. This is especially true for departments like Energy and Health and Human Services, which have numerous connected devices within their ecosystems. Federal agencies can only fully protect critical infrastructure against potential threats when the GAO's recommendations are fully implemented.

One of these critical recommendations, explicitly aimed at IoT systems, involves establishing metrics to measure the effectiveness of efforts to enhance cybersecurity within a given sector's IoT environment. By tracking and measuring the impact of cybersecurity initiatives, agencies can better identify weaknesses and areas for improvement, thereby enhancing their overall cybersecurity posture.

The Office of Management and Budget (OMB) was tasked with creating a standardized process for federal agencies to waive the prohibition on procuring non-compliant IoT devices if specific criteria are met. This move is designed to balance the urgency of infrastructure needs with the absolute necessity of cybersecurity, all within a standardized framework across federal agencies. These waivers cover instances of national security concerns, cases in which the non-compliant device is procured for research purposes, and cases in which the device is secured through classified operations. By adhering to these IT requirements, government agencies can ensure that IoT devices used within critical infrastructure are checked and secure, protecting these systems from cyber threats and enhancing national security.

The OMB has not established this process quickly enough, leading to inconsistent agency actions and potential vulnerabilities. In its report, the GAO called for the OMB to expedite establishing this standardized process. Once this process is in place, it should facilitate a more secure and robust IoT infrastructure across all federal agencies. As the adoption of IoT continues to grow, it's important to balance potential benefits with the need to secure critical infrastructure. This requires a comprehensive approach that includes adherence to IT requirements, implementation of recommended security measures and ongoing efforts to improve and update security protocols in line with evolving threats.

Addressing the IoT Security Challenge

Handling these challenges demands a holistic approach. Embedding security within the design ethos of IoT devices is imperative. This involves finding alternatives to hardcoded credentials, ensuring consistent software updates and enabling users to personalize security settings.

Fostering a standardized security protocol that covers the entire IoT ecosystem makes a fortified defense against cyber threats more feasible. Collaborative public-private partnerships, complemented by adherence to stringent IT standards, can facilitate the secure integration of IoT within our national infrastructure.

Collaboration between public and private entities is also crucial. Public-private sharing continues to be an ongoing challenge due to the varying levels of detail in threat information. This must be addressed to break down silos and share actionable intelligence to help both sides respond effectively to emerging threats and digest varying levels of end-user and geospatial data. 

Private Sector's Role in Fortifying IoT

The private sector stands as a cornerstone of IoT's security narrative. Recognizing the significance of secure IoT devices for national infrastructure, agencies are also making considerable investments. Vendors, particularly those dealing with developing and manufacturing IoT devices, currently play an indispensable role in ensuring compliance with requisite standards. Regular vulnerability assessments, penetration tests and an emphasis on secure software development life cycle practices provide a resilient defense against potential cyber threats.

  • Compliance as a Competitive Advantage: Vendors can distinguish themselves in a crowded market by aligning products and services with governmental security standards such as those set by NIST. Governmental bodies prioritize security and compliance, and vendors that can demonstrate this commitment are well-positioned for success.
  • Participation in Government Initiatives: The ongoing governmental investment in infrastructure and security represents a lucrative market for IoT vendors. Projects spanning sectors such as transportation, healthcare, defense and urban planning are actively incorporating IoT technologies. Vendors and solution providers with expertise in these areas should actively monitor governmental RFPs and tenders, and consider partnering with other industry players to bid on large-scale projects.
  • Security Solutions as a Unique Selling Proposition: The industry can carve a niche in this growing market by offering state-of-the-art security features and demonstrating a robust understanding of governmental security concerns.
  • Educational Outreach and Collaboration: The industry should also consider engaging with government agencies through workshops, webinars and collaborations to identify needs, highlight solutions and build lasting partnerships. Open lines of communication can facilitate customized solutions that meet the unique requirements of governmental bodies.

Towards a Secure IoT Future

Federal agencies must embrace and diligently implement security guidelines from established authorities. Moreover, fostering open communication channels and actionable intelligence exchange can effectively combat security threats and break down silos.

With a unified, security-centric approach, stakeholders can ensure that the advantages of IoT can be harnessed without compromising critical infrastructure. The goal transcends adoption — it's all about providing a safe, secure and resilient digital ecosystem.

Federal agencies must adopt and thoroughly execute security recommendations from authorities like the GAO and industry subject matter experts in R&D. There is also a standardized process for handling non-compliant IoT devices and facilitating the exchange of actionable intelligence to address security threats efficiently.

By working collaboratively with federal entities and putting security at the forefront of everything, IT vendors can help ensure that the benefits of IoT can be enjoyed — without putting critical infrastructure at risk. The aim is not just to open the door to the benefits of IoT but to make sure it's a door that keeps unwanted visitors out.


About the Author:
Dawit Blackwell is a senior analyst of the TD SYNNEX Public Sector Market Insights team covering Federal Civilian agencies.