Internet of Things Security is a Marathon Not a Sprint, says DHS Cyber Expert


Adversaries that continuously improve their attacks push agencies to proactively defend.

As government works to securely connect legacy IT and physical infrastructure to the internet of things, one federal cybersecurity expert thinks long-term strategy should outweigh quick-fix solutions.

“The real challenge is not where you start from—the question is do you have an organizational and technical culture of continuous improvement,” said Scott Tousley, deputy director of the cybersecurity division in the Homeland Security Department’s science and technology office.

When securing their infrastructure, too many organizations “have a culture of ‘get it installed and I’m done,’” he added. “No—you get it installed, then you’re only starting.”

Online bad actors constantly update their attack strategies, making it critical for agencies to be just as persistent in bolstering their cyber defenses. Tousley advised federal cyber specialists to start small and constantly build on existing solutions while learning from previous mistakes, calling this approach “the secret sauce” to keeping systems secure.

Tousley joined cyber experts from government and industry on a panel hosted Tuesday by AFCEA. The group highlighted a number of cybersecurity threats agencies face as they rely more heavily on the internet of things and explored ways the government could mitigate those risks.

As more building controls, appliances and cars join the internet of things, people are starting to wake up to some of the negative side effects of connected tech.

Hackers famously made off with personal data on millions of Target customers by exploiting a loophole in one of the company’s HVAC providers in 2014, co-opted thousands of IoT devices in the 2016 Mirai botnet that briefly shut down Netflix and the New York Times, and most recently stole data on a casino’s high-rollers by hacking into a fish tank.

“Any IP address is a vulnerability,” said Robert Hembrook, director of the cybersecurity division at the National Oceanic and Atmospheric Administration. “There’s a lot of information that’s flowing around. If you don’t secure that and the bad guys get ahold of it, they could get into your logistics and supply, and your mission.”

With 80 percent of cyber experts predicting a “catastrophic” data breach in the coming years, Hembrook stressed the need for government to change its strategy from locking down endpoints to a more holistic network security approach.

Other panelists placed the onus on a tech industry that releases low-quality devices into the marketplace. Still, they admitted companies have more to gain from pumping out products quickly than rigorously testing their cybersecurity, and some panelists proposed passing legislation to create baseline security standards.

In the meantime, agencies should know IoT devices are relatively easy to exploit and build their infrastructure accordingly, said Ernie Hampson, chief scientist at Jacobs National Security Solutions, who works frequently with federal agencies. He strongly encouraged segmenting networks so IoT devices have no connection whatsoever to systems containing sensitive information.

“We can’t treat these devices as trusted,” he said.