What can you learn about IoT from the federal government?

The U.S. government has been an enthusiastic adopter of the internet of things over the last four years, with almost half of federal agencies already implementing some type of IoT product to help with their core mission, according to the U.S. General Accountability Office. However, concerns around privacy and security have stymied certain projects, even resulting in the Department of Homeland Security stepping back from connecting security equipment in airports.

The GAO surveyed 115 federal agencies (only 90 of them answered) and found that 56 of them were using IoT technologies in their operations. Most are using IoT for some type of equipment monitoring or asset tracking. Fifteen of the agencies are using IoT for surveillance, including the DHS. And the survey found that 21 of the 34 agencies that were not using IoT today plan to use it in the next five years, most likely for tracking physical assets or to control and monitor equipment.

The study showcases work by the Environmental Protection Agency (EPA) and the National Oceanic and Atmospheric Agency, both of which are using sensors to collect data in places that have heretofore been inaccessible or simply cost-prohibitive. It also highlighted work on license plate scanning technology and cameras being used at the border to speed up crossings.

But even as more agencies say they will adopt IoT technology, the issues faced by the feds are similar to those faced by corporate clients. The largest concern is security. For example, both NASA and the EPA said they are so concerned about security they segment their IoT devices onto a separate network.

The agencies are right to worry about security. Most respondents (75%) use their existing IT policies when buying IoT technology as opposed to those developed specifically for the IoT. This can backfire, because traditional IT security policies don’t always address all the elements of an IoT deployment, which can involve data going to and from devices and the cloud, as well as cloud security, physical security, and wireless network security. In some cases, agencies said their IoT devices had physical security such as hard-coded passwords, which means they shouldn’t deploy them on a secure network.

In other cases, security isn’t a concern, but privacy is. The Transportation Security Administration (TSA) halted its efforts to connect security equipment at the nation’s airports after a data breach at the Office of Personnel Management (OPM) caused the U.S. government to implement new policies around cybersecurity. In 2010, the TSA began to connect its airport security equipment to its network of traveler data. The agency wanted to analyze traveler and sensor data from the security systems, but after the OPM breach, stopped the program because the security equipment and systems the TSA was using could not meet the new cybersecurity requirements put in place in response to it.

In 2017, the TSA began the project again, this time with new equipment that met nine cybersecurity requirements before it could be connected to the TSA network. However, those nine requirements are not universal. Government agencies sometimes follow a directive from the Office of Management and Budget; other times, they develop their own policies. Some agencies appear to want an IoT directive from the National Institute of Standards and Technology (NIST) (here is a start) while others are happy to review and update their own policies.

It’s possible that the federal government will legislate some formal IoT procurement policies in the near term.  An IoT cybersecurity bill passed the House this week and now awaits a hearing in the Senate. The bill would require NIST to set a standard for devices that attach to federal IT networks, and would require the Department of Homeland Security to collect and manage vulnerability disclosures. One way or another, since most agencies buy their IoT technologies as opposed to building their own, any new NIST standards and their adoption by agencies would influence IoT security in the commercial markets as well.