In its Audit of the Administration of the Internet of Things, OSA surveyed 84 state agencies it believed were already using IoT devices “for significant purposes” and found large percentages of the 28 respondent agencies harbored reservations about the technology. Nearly three-quarters of the agencies that responded (68 percent) said they believed IoT had enabled them to “manage specific activities more efficiently,” but indicated adoption of the technology had been slow.
Nearly half of the responding agencies, or 43 percent, believed IoT is still in its infancy and “the risk of adopting IoT devices is greater than the benefits,” while 46 percent believed IoT risks “cannot be managed effectively or efficiently by current controls.” The finding on risk versus benefit “seemed like a clear call from those agencies that they needed some guidance and some help,” said OSA’s Director of Communications Michael Wessler.
The audit, which examined the period of July 1, 2016, through March 31, 2017, came out of Auditor Suzanne Bump’s prioritization of government modernization, Wessler said, and revealed “there’s clearly an appetite” for IoT adoption, albeit one that is being somewhat inhibited by the state of existing plans and regulations. “It is slowing adoption,” Wessler said, calling that “a missed opportunity.”
“They’re increasingly in our workplaces, and Auditor Bump wanted to make sure that on the grand scale, that we were examining these devices, providing some guidance for state agencies and kind of stimulating a response from the technology agency and the commonwealth government,” he added.
In a statement, Bump said state government faces a choice as IoT technology takes hold. It can lead by proactively securing devices and developing a comprehensive agency protection approach, or it can react. “As the commonwealth continues to take measures to improve its IT operations and security, the opportunities and threats presented by IoT devices must be a part of that strategy,” the auditor said.
Responding via email, the Executive Office of Technology Services and Security (EOTSS) said these types of moves are now underway.
In its three-part finding, OSA wrote that the state’s Enterprise Information Security Policy “does not offer” guidelines to state agencies on adopting IoT technology; and “lacks controls” to ensure minimum security for IoT, thereby increasing the chance of security vulnerabilities. Among its recommendations, OSA said EOTSS should develop IoT guidelines in its current Enterprise Information Security Policy, and recommended the agency refer to the National Institute of Standards and Technology’s (NIST) interagency report on international IoT cybersecurity standardization status for reference.
In response to this finding, EOTSS pointed out the agency has already created “comprehensive Enterprise IT Policies and Standards” that will be reviewed annually, and that while IoT devices do “represent a new threat vector that requires careful analysis,” many of the needed security controls are “already fundamental to network security.”
In an email to Government Technology, EOTSS pointed out Gov. Charlie Baker elevated the office to a cabinet-level position roughly a year ago; and since then, the agency has made “fundamental and significant security enhancements to the government’s IT infrastructure” including increased visibility into the network and devices touching it; and has “adopted enterprise standards” for how state agencies procure, implement, engage with and support “developing technologies such as IoT devices.”
OSA found the state also lacks a “formally documented information security incident response plan” establishing specific procedures EOTSS would follow, to respond to and resolve any incidents around IT hardware, software and data security and recommended such a plan be developed.
In its response to OSA, EOTSS said it does indeed have a draft Commonwealth Incident Response Plan, which “unifies the disparate incident response plans” and which it expects to publish during the first quarter of fiscal year 2019.
EOTSS told Government Technology that it has undertaken other measures including completing cybersecurity training for more than 20,000 executive branch employees that will become annual; has done seven “friendly hacking” attacks on critical systems to identify and fix vulnerabilities in a continuing process; and has “simplified and strengthened” executive branch IT networks to make them more reliable and introduced security monitoring.
In its last finding, OSA wrote that in a recent project connecting IoT devices to the Massachusetts Access to Government Network (MAGNet), the Division of Capital Asset Management and Maintenance (DCAMM) procured the contract without offering the state CIO a chance to participate. This resulted in “inadequate assurance” that devices were connected properly, and an increased risk of device exposure to cyberattack, according to OSA, which recommended EOTSS implement a policy ensuring state agencies conducting projects related to MAGNet contact the CIO and learn whether the office should be involved in supervising.
DCAMM responded to this OSA finding, indicating it hadn’t involved the CIO because it considered the project an energy group initiative, not IT — but said internal IT staff were consulted early in the procurement. It further indicated EOTSS and DCAMM staff have been in communication “for the past six months” regarding the program in question; and DCAMM will implement recommended practices including developing “clear communication of roles and responsibilities” for updates to enterprise security policies.
Wessler said OSA typically has a “greater than 90 percent” adoption rate of audited agencies following its recommendations. As for the office’s next steps, in about six months OSA will do what it does after every audit. It will send a survey to the audited agencies — in this case, leadership at EOTSS and DCAMM — to inquire about steps they have taken. The communications director said OSA is “heartened” by EOTSS’ responses, which seemed to indicate it thought this was a “helpful tool to guide their efforts in the future.” Wessler said the audit itself could also provide a lesson on IoT planning and oversight to other states.
“This audit obviously specifically looks at the commonwealth. But this technology is everywhere, so I suspect this is an issue that, if other states aren’t currently facing, they will in the very near future,” Wessler said.