Thanks to the promise of the Internet of Things (IoT) and the savings, efficiencies and insights connected devices can deliver to governments, all eyes have been on smart cities of late. Many view IoT as the culmination of years of investments in high-speed networks, sensors and analytics that will help bring greater understanding, awareness and insight into all manner of behaviours, including buying, driving and eating habits.
Municipalities of all sizes around the world are embracing this digital transformation and have launched smart city initiatives to make service delivery more efficient, improve quality of life, develop new sources of revenue, protect the environment, and respond to a changing threat landscape.
Cities and towns are deploying a wide array of smart technologies, connected devices, in-vehicle solutions, cameras and sensors within their infrastructure and services to offer efficiencies for a variety of government services, including streets and roadways, first responders, power and water systems, garbage collection, snow removal and social services.
But alongside streamlining operations, IoT has maximized the cyberattack surface. Unlike traditional IT devices, such as PCs, IoT devices often do not have anti-malware programs built in. Instead, they often have default passwords, open hardware and software ports, no support for encryption and no ability to update firmware. These vulnerabilities in IoT devices are evidenced in recent incidents, such as the case of a Toronto-area dental office whose security camera was being live-streamed on the internet.
While cities have been receiving most of the attention for their efforts to take advantage of the IoT, looking at the provincial level is equally important. The potential IoT opportunity is even larger for provinces than for cities, but government IT leaders should be wary of the increased security risks that going smart brings. So how can provinces stay safe? Here are three tips for provinces looking to secure IoT tech:
- Provinces Should Not Treat IoT Security as an Afterthought
It is easy to fall victim to chasing technology and treating security as an afterthought, which can lead to unforeseen vulnerabilities after provinces have already made IoT investments. Instead, government leaders and IT teams should treat network security as a foundational consideration from the inception of the planning process.
Moreover, a provincial IT department that hasn’t already prioritized modernizing its infrastructure and evaluating security solutions is even further behind on IoT than it may realize. Similarly, those IT teams currently undertaking infrastructure and security initiatives should plan with future IoT initiatives in mind; failure to do so could quickly render newly adopted infrastructure and security solutions obsolete.
- Provincial Security Leaders Should Seek Outside IoT Expertise
Many organizations prepare to implement IoT on their own, designing their own network architecture to support IoT. In fact, many prefer to manage their own IoT device security and are comfortable building their own in-house IoT solutions. While the initiative and innovation are admirable, it may be helpful to bring in outside IoT expertise to evaluate and mitigate potential risks to operations and, by extension, to internal business clients and customers.
Organizations that implement, house and manage IoT on their own will have their hands full when it comes to securing IoT deployments. If done incorrectly, they risk exposing their core networks to security threats, such as the recent Reaper and Mirai botnet attacks that infected 2 million IoT devices in one month, including internet-connected webcams, security cameras and digital video recorders (DVRs). IT departments are able to deploy anti-malware clients on their computers, but these solutions don’t yet exist for IoT devices.
One way to mitigate the risk associated with an IoT implementation is to use a combination of software-defined networking and software-defined perimeter technologies to reduce the attack surface. These approaches allow IT departments to leverage existing physical networks with overlay private networks that hide IoT devices from the outside world and isolate the devices from other enterprise resources.
- Separate Provincial Networks to Avoid Intrusion
Another approach that provinces can use is to create physically separate networks using 4G-LTE dedicated to IoT devices. With this approach, if a hacker is able to compromise the IoT devices, they are unable to conduct a “pivot attack” to other enterprise assets, since the physically separate IoT network is “air-gapped” from their secure enterprise network.
Instead of directing this network through the company’s data centre, for example, companies can direct the parallel networks to public or private clouds, limiting access to valuable information and reducing bandwidth bottlenecks. If hackers gained access to one of the parallel networks, they could not pivot to another network.
For example, IoT devices associated with a city’s traffic management system (or within public safety) can exist on a different network than the other critical networks in that city. With these separate networks in place, if people hacked the traffic management system, for example, they would be unable to pivot from that network to other critical public systems.
Provinces need to think carefully about which devices they connect to which networks. As we enter the smart province future, driven by holistic connectivity, we need to do so with our eyes open. Securing smart provinces requires us to be pragmatic and to ensure we keep certain devices unconnected and others separate from mainstream networks.