TAKE A CLOSER LOOK AT ENCRYPTION
IoT devices tend to have limited processing power because they need to be inexpensive enough to deploy widely. So in addition to being unable to support encryption, many also aren’t manageable by the IT tools that enforce security policies for notebooks, smartphones and tablets.
“This could limit how much visibility you can get
to the device, its operation and the connections
it opens with the network,” says Vinay Anand, vice president of ClearPass Security at Aruba Networks, a Hewlett Packard Enterprise company. “Often times, the only option is to profile and track device behavior to look for deviations
or anomalous behavior, and complement this with inline inspection of all traffic communications to and from the device.”
Another potential challenge is the networks
that carry IoT data. For example, the additional overhead of end-to-end encryption might not seem like much on a per-device basis. But it can quickly add up in terms of bandwidth usage and costs when multiplied across tens or hundreds of thousands of IoT devices.
That concern is among the reasons why agencies need to consider whether all IoT data needs encryption.
“Many factors will need to be considered to answer this question,” says Bill Lemons, director of federal systems engineering at Juniper Networks. “Without additional context, does the data have any particular meaning? Does the data contain proprietary or sensitive information?”
24
is the ability to secure the endpoints, the applications and the data,” says Cisco’s Hall. “Otherwise, IoT won’t live up to its potential.”
Research shows that vulnerabilities abound. That’s partly because the IoT is relatively new, so agencies are still identifying the risks and appropriate responses.
“Many organizations take an approach of securing
the back end of the IoT infrastructure that is running
in the data center, but not the IoT device itself or the application that remotely manages the device,” says
Rob Roy, HPE public sector chief technology officer.
“For example, 80 percent of IoT devices failed to require passwords of sufficient complexity and length, and 70 percent did not encrypt communications to the Internet and local network, according to an HPE ‘Internet of Things Research Study.’ This creates gaps in protection and allows potential attackers to infiltrate and steal the data as it is in motion.”
Encryption might seem like an obvious way to secure IoT data, if only because that approach has proved effective with many non-IoT applications. But the IoT has nuances that can make encryption impractical.
“Encryption will be a challenge for many IoT devices, as they are usually very lightweight in terms of processing power,” says Bill Lemons, director of federal systems engineering at Juniper Networks. “There are emerging lightweight algorithms that can assist with this issue, but not all applications will require the encryption of all data.”
The good news: First, the feds aren’t the only ones grappling with these concerns, so they can leverage lightweight encryption solutions that vendors are developing for the enterprise market. Also, policies for non-IoT data can guide some decisions about what to secure and how to secure it.
“With regards to data at rest, the collected data should be treated in a similar manner to data types not sourced via IoT hardware,” Lemons says. “For instance, biometric information collected may need to be treated similarly
to digital health records of that individual. Each use
case will dictate the appropriate security posture for
its data at rest.”
The Postal Service’s smart cities application highlights another security consideration: Some IoT data will be shared between agencies or outside the federal government.
“When you share data, you want to make sure the other organization treats and preserves
the data according to your same standards,” Piscioneri says. “Finding the right balance between the level of sharing and the level of privacy
is definitely going to be a challenge.”