A Government Accountability Office (GAO) report says some federal agencies do not use Internet of Things (IoT) technology due to cybersecurity challenges and other concerns.
IoT generally refers to devices, from sensors in vehicles to building thermostats, that collect information, communicate it to a network, and may complete a task based on that information. Although IoT technologies may present an opportunity for the federal government to operate more efficiently and effectively, federal agencies may also face challenges in acquiring and using IoT.
Many federal agencies (56 of 90) responding to GAO’s survey reported using Internet of Things (IoT) technologies. Most often, agencies reported using IoT to: control or monitor equipment or systems (42 of 56); control access to devices or facilities (39 of 56); or track physical assets (28 of 56) such as fleet vehicles or agency property. Agencies also reported using IoT devices to perform tasks such as monitoring water quality, watching the nation’s borders, and controlling ships in waterway locks.
GAO found that IoT use by federal agencies may increase in the future, as many agencies reported planning to begin or expand the use of IoT. However, 13 agencies not using IoT technologies reported they did not plan to use the technologies for a range of reasons.
Agencies most frequently reported cybersecurity issues (43 of 74) and interoperability (30 of 74) as the most significant challenges to adopting IoT technologies. In one case, officials from the Transportation Security Administration (TSA) told GAO that the agency could not ensure the security and privacy of passenger information and subsequently took its network-connected security equipment offline until it developed a solution. Specifically, TSA cancelled plans to connect its airport security equipment as a result of new requirements put in place following a breach of federal employee information maintained by the Office of Personnel Management (OPM). In 2010, TSA began to connect its airport security equipment to its broader network of traveler data. The goal was to allow analysis of traveler data and sensor data from the security systems. According to officials, TSA stepped back from this program and removed all equipment from the network following OPM’s breach because the security equipment and systems TSA was using could not meet the new cybersecurity requirements put in place in response to the breach.
In addition, when developing an IoT lab, NASA identified a series of challenges to IoT and reported that cybersecurity was the most significant of these challenges. In the IoT lab environment, NASA monitored IoT device activity to understand how, when, and with whom the devices and components were communicating and sharing data. According to NASA officials, they analyzed 50 devices and allowed NASA staff to bring in IoT devices, register the devices, and run a report to evaluate how the devices operated and communicated and the amount of bandwidth used. NASA determined, in part, that most IoT devices could not be trusted on NASA networks and that cybersecurity was the biggest concern.
While agencies identified cybersecurity as a challenge, two of GAO’s case study agencies reported that they are taking steps to address this challenge. These agencies indicated they were either operating or testing IoT technologies on segregated networks to mitigate the cybersecurity challenges. According to Environmental Protection Agency (EPA) officials, they capture data in a cloud environment, external to EPA’s network, before introducing the data to the EPA network. Also, as part of its IoT lab, NASA’s Johnson Space Center created a separate network to handle the testing of IoT devices. NASA took this step to secure its network and allow testing of these devices in a way that does not compromise the network.
In terms of the benefits of using IoT technologies, surveyed agencies most frequently reported increasing data collection (45 of 74) and increasing operational efficiency (43 of 74). For example, the EPA uses sensors to transmit data, eliminating the need for employees to visit sites to collect data, and the Saint Lawrence Seaway Development Corporation reported that IoT technologies helped improve transit times through its locks.
Most agency officials responding to GAO’s survey (54 of 72), as well as officials interviewed as part of the case studies, reported using information technology (IT) policies developed by their agency, rather than internal IoT-specific policies, to manage IoT technologies. Some agencies reported their IT policies were sufficient for the current challenges and risks associated with adopting IoT technologies, including cybersecurity. Officials from the Office of Management and Budget stated they do not typically make policies for specific IT components but, if needed, would work with the National Institute of Standards and Technology (NIST) and others to develop such policies.
In 2018, NIST published an interagency report that addressed cybersecurity standards for IoT technologies. The purpose of the report was to facilitate communication and understanding among federal agencies about IoT cybersecurity challenges and solutions. In 2019, NIST issued a report that provided guidance to help agencies understand and manage specific cybersecurity and privacy risks associated with IoT devices throughout the devices’ lifecycles.
The Department of Homeland Security (DHS) has also issued two reports providing guidance on security for IoT. The first, issued in 2016, developed strategic principles for securing IoT technologies, including suggested practices to secure network-connected devices. These principles were designed to be used throughout the IoT supply chain, by IoT device developers, manufacturers, and consumers (including the federal government). Some of the practices DHS identified that incorporate these principles include, among other things, developing devices that do not come with standard or easy-to-crack passwords, coordinating software updates among IoT vendors, and authenticating all devices connected to the network. The second report, issued in 2020, provided guidance for security issues agencies should consider when acquiring IoT technologies. The guidance recommended improvements to the effectiveness of supply-chain, vendor, and technology evaluations prior to the purchase of IoT devices and services.
It is clear from GAO’s report that there are diverse views on whether there is a need for government-wide policies and guidance specific to IoT. Some agency officials believe existing IT policies and guidance are adequate for managing and acquiring IoT technologies and addressing the current challenges and associated risks, including cybersecurity, whereas others remain cautious about taking up the technology.