More Needs to be Done to Address IoT Security Vulnerabilities, GAO Says

Presented by FedTech

The Internet of Things presents great opportunities for the private sector and federal agencies, but a lack of consensus on security protocols invites threats.

The Internet of Things can deliver tremendous benefits to companies and agencies, but not enough is being done to confront the security vulnerabilities IoT devices present to federal and private networks, according to a Government Accountability Office report.

The GAO report, issued in May, is a technology assessment. While it does not contain specific recommendations for agencies, it confirms that there are gaps in how IoT security is being addressed and that there are no clear security standards. There is also no one specific agency in charge of IoT security.

Gartner forecasts that 8.4 billion connected things will be in use worldwide in 2017, up 31 percent from 2016, and that the figure will reach 20.4 billion by 2020. The GAO notes that IoT devices “are increasingly being used to communicate and process quantities and types of information that have never been captured before and respond automatically to improve industrial processes, public services, and the well-being of individual consumers.”

However, the report also says, “The IoT brings the risks inherent in potentially unsecured information technology systems into homes, factories, and communities. IoT devices, networks, or the cloud servers where they store data can be compromised in a cyberattack.”

IoT Security Challenges Abound

Increased adoption of IoT devices has increased information security challenges, the report says. Further, the lack of attention in designing IoT devices to be secure, and the predominant use of cloud computing to provide connectivity to connected devices, means there are “unique information security challenges that may limit broader adoption of the IoT,” the report says.

As IoT devices become more ubiquitous, a variety of security threats will multiply, the report says. “Unauthorized individuals and organizations may gain access to these devices and use them for potentially malicious purposes, including fraud or sabotage,” GAO notes. “As cyber threats grow increasingly sophisticated, the need to manage and bolster the cybersecurity of IoT products and services is also magnified.”

Malicious actors make use of numerous techniques or attacks against IoT devices in their attempts to compromise information or adversely affect devices, software, networks, an organization’s operations, an industry, or the internet itself, the report notes. These include distributed denial-of-service attacks, malware, passive wiretapping and using zero-day exploits (security vulnerabilities previously unknown to the general public).

“While there are many industry-specific standards and best practices that address information security, standards and best practices specific to IoT technologies are still in development or not widely adopted,” the report notes.

For example, last year the National Institute of Standards and Technology (NIST) issued “extensive information security guidance to federal agencies, including a catalog of security and privacy controls to be used to protect information and systems.”

Further, the Institute of Electrical and Electronics Engineers (IEEE) has developed information security standards that address specific areas such as encryption, storage and hard-copy devices.

NIST’s recommendations revolve around the need to make IoT devices more secure before they are built and to keep them equally safe after they’re deployed. GAO says experts it spoke with echoed that recommendation.

“NIST recommends that organizations take steps to ensure that the security controls implemented on their systems are up to date,” GAO says. “This includes identifying and correcting information security flaws and installing software patches and other security updates in a timely manner, among other things. However, many IoT devices are designed without a software upgrade capability or with a cumbersome upgrade process, potentially leaving them vulnerable as cyber-attacks evolve.”

Cloud platforms enable IoT connectivity but also invite security challenges, GAO says. For example, agencies and companies depend on cloud providers to carry out key security functions, such as continuous monitoring and incident response. The cloud may also increase the risk that data is accessed by an excessive number of personnel for unauthorized purposes. And the complexity of cloud environments poses increased risks of its own.

“A cloud computing environment often includes many components, such as applications, virtual machines, data storage, and supporting middleware, all of which may be provided by different vendors,” the report says. “Security in a cloud computing environment depends on secure interactions among each of these components.”

The Federal Role in IoT Security

The report notes that there is no single federal agency “that has overall regulatory responsibility for the IoT.”

Different agencies oversee or regulate aspects of the IoT, such as certain devices or management of certain kinds of data. “However, some issues, such as privacy and security, are crosscutting, and sector-specific oversight efforts in these areas could overlap,” the report says.

Agencies may also compete with each other for regulatory authority over IoT devices in cases where a device spans sectors and falls into many agencies’ jurisdiction.

For example, the Federal Trade Commission (FTC) investigates false or misleading claims about IoT apps’ safety or performance, and the Justice Department addresses the law enforcement aspects, including cyberattacks, unlawful exfiltration of data from devices and/or networks, and the investigation and prosecution of other computer and intellectual property crimes.

Congress and agencies are still debating which agency should regulate IoT devices or data, the report notes.

GAO provided a draft of the report to 10 federal agencies, and while they did not provide written feedback, they did offer technical comments that were incorporated into the report. Agencies included the departments of Energy, Justice and Transportation, NIST and the National Telecommunications and Information Administration within the Commerce Department, the Department of Health and Human Services, the Department of Homeland Security, the Federal Communications Commission, the FTC, the National Science Foundation, and the Office of Science and Technology Policy.

To conduct the assessment, GAO reviewed key reports and scientific literature; convened two expert meetings with the assistance of the National Academies; and interviewed officials from the FCC and FTC to obtain their views on specific implications of the IoT.

This content is made possible by FedTech. The editorial staff of Nextgov was not involved in its preparation.