IoT risk often ‘cannot be managed’ in Massachusetts state government, auditor finds

A paucity of controls and standards for the emerging technology has placed many agencies in an uncomfortable position, according to a new report.
[Image: Massachusetts state house (Getty Images)]

A Massachusetts state auditor’s report released this week is the latest validation for concerns voiced by technology officials about the security risks posed by a new class of connected devices, sometimes called the Internet of Things.

The report, released by the Office of State Auditor Suzanne M. Bump on Wednesday, examined the state agencies where IoT projects are in use. Drawing on survey responses from 28 of 84 state agencies, it found that while the technology is viewed as beneficial, its security has often become unmanageable.

Forty-six percent of responding agencies said they believe IoT risks “cannot be managed effectively and efficiently by current controls.”

The risks presented by insecure IoT devices include the recruitment of those devices into botnets and the introduction of exploitable weaknesses into the networks they connect to.

“As IoT technology becomes increasingly ubiquitous, state government has a choice: it can lead by proactively securing these devices and developing a comprehensive approach to ensure agencies are effectively protected when leveraging these tools, or it can react to challenges and threats when they are at an agency’s doorstep,” Bump said in a press statement.

Additionally, auditors found that the state’s security policy offers no guidelines to state agencies on IoT adoption, and that the state has no formally documented information security incident response plan.

Further, one IoT project that connected to the Massachusetts Access to Government Network system, or MAGNet, was found to have been developed without involving the state’s chief information officer, a position currently held by Dennis McDermitt.

The auditor’s office recommended that the state’s Executive Office of Technology Services and Security, or EOTSS, remediate these three issues by developing an information security incident response plan, creating security guidelines for IoT adoption that follow standards set by the federal National Institute of Standards and Technology (NIST), and implementing a policy requiring all state agencies to involve the state CIO when developing projects that connect to MAGNet.

In its response included in the report, EOTSS indicated that the state’s technology office is now in the process of conforming to the auditor’s recommendations. The audit covered the period from July 1, 2016, to March 31, 2017.