The Urgent Case for IoT Security Training for Civilian Agencies

Nick Michaelides is the vice president of U.S. Federal for Cisco, and Gary Hall is the federal strategy leader at Cisco.

It’s no secret that the rise of the internet of things has complicated cybersecurity. The exponential increase in the number of connected devices over the last five years has led to a corresponding rise in the number of potential network vulnerabilities. Gartner estimates that 8.4 billion connected devices are in use this year, and that number will grow to 20.8 billion by 2020. Knowing the number of IoT devices is only going to grow, a bipartisan team of U.S. senators is introducing a bill called the Internet of Things Cybersecurity Improvement Act that will set better standards for IoT gadget security in government.

In the meantime, given this proliferation and the diversity of devices now connecting to government networks, agencies must change their approach to managing IoT security. For longevity and success, agencies must remove silos and ensure everyone in the ecosystem is both empowered by and accountable for network security. To do this, agencies should deploy a comprehensive IoT security solution capable of delivering comprehensive visibility, simplified processes, scalability and integration of IT and operational technology (OT) processes.

The Human Element of IoT Security

A key part of the success of a comprehensive IoT security solution is employee training. Automated security software is only part of the answer because first: relying solely on technology to protect against cyber threats could foster a false sense of security, and second: no security solution is complete without the human training to back it up.

The overwhelming majority of cyberattacks—IoT-enabled or not—stem from user error, such as failing to patch known vulnerabilities in legacy systems or violations of standard procedures. Because of this, agencies must provide comprehensive and periodic employee training that covers:

• How baseline security looks. Only when personnel understand what “normal” looks like can they then recognize anomalies that could indicate an IoT attack, and then test for false positives.
• Increased situational awareness that accelerates incident response. This requires training in how to properly identify people and devices, how to collect and interpret data from telemetry and logs, and how to use data from video surveillance.
• The basics of user security, including password variance, dual-factor authentication and proper file storage.

The key here is the training: The IoT-enabled attacks of the future will come in forms we have never seen before, attacks that leverage devices in new configurations. The strongest defense against new types of intrusions and threats will include a well-trained workforce that understands and follows basic security protocols, as well as highly trained security personnel that know how to identify, interpret and respond to anomalies in security analytics.

IoT Security Success for Civilian Agencies

Within government, civilian agencies can look at the U.S. military’s effective approach to cybersecurity for lessons that remain applicable for IoT security. The military’s first step? It established a unified architecture. In 2009, the Secretary of Defense created U.S. Cyber Command, consolidating more than 15,000 IT systems into a single unified architecture. That single architecture and unified command structure offered unparalleled visibility into its combined network, vastly increasing the ability for the Defense Department to detect anomalies, determine if they pose a threat, and respond appropriately.

However, the military also recognized the need to incorporate the human element of network security into its preparations in addition to technology upgrades. This cyber culture emphasized six core principles:  

• Integrity. Troops who make mistakes are encouraged to report them to superiors immediately, without fear of repercussion.
• Depth of knowledge. Troops are highly trained in their technology, enabling them to quickly recognize and remediate anomalies—no matter their rank.
• Procedural compliance. Procedures are taught and compliance is tested repeatedly through periodic inspections, tests and emergency simulations.
• Forceful back-up. In the Navy, even highly experienced sailors work in pairs. Civilian agencies could follow suit by encouraging those who see potential network anomalies to discuss it with a fellow worker immediately.
• Questioning attitude. Curiosity is fundamental to early detection of anomalies. A culture of curiosity goes a long way to minimizing damage.
• Formality in communication. Formality in communication, whether written or spoken, not only reduces the chance of being misunderstood but also establishes an appropriate and serious tone when discussing potential breaches.

Civilian agencies would do well to consider adopting similar values for their own frameworks for IoT-specific security.

The critical human element of cybersecurity depends on clear procedures, agencywide buy-in, and clear adherence to standard protocol. These changes should be happening now as IoT technology adoption will only increase in the coming years, as well the security complexity this changing landscape brings. To safeguard critical government data and preserve continuity of function, agencies must develop and deploy IoT-specific security solutions, protocols—and most especially—training.