Cyber experts: Network segmentation could help reduce risk posed by IoT devices

Public and private sector security observers want to see states carefully consider how connected devices could make their networks more vulnerable.

A panel of cybersecurity experts discusses challenges posed by the IoT at the National Association of State Technology Directors’ annual conference Wednesday (StateScoop).

Network segmentation is a prime security strategy for state agencies to consider as they start to manage devices connected to the Internet of Things, according to a panel of cybersecurity experts.

At the National Association of State Technology Directors’ annual conference Wednesday, public and private security leaders stressed the danger inherent in linking IoT devices to state networks, when many of those devices still aren’t designed with security as a prime concern.

“Systems talking to parts of the network they shouldn’t is probably the area of highest risk right now,” said Steven Hurst, director of security services and compliance for AT&T. “But ironically, it’s also one of the easiest ones to solve.”

Indeed, Renault Ross, chief cybersecurity business strategist for Symantec, suggested that he’s seen some companies and agencies he works with start to find ways to confront that problem. As IT leaders look to add connected tech to heating and cooling systems in buildings, for example, Ross has noticed some creative solutions to the security conundrum.

“I’ve seen some people putting their HVAC on a separate network so that the business network isn’t threatened,” Ross said.

Timothy Brown, executive director for security with Dell Software, agrees that it’s likely a question of “microsegmentation” and the creation of “managed gateways” to control how IoT devices work with the rest of the network.

“It’s more about the collection of data at the gateway,” Brown said. “If the temperature hasn’t changed, why does a smart thermostat need to send it elsewhere? You can set it to report back every hour if you need it. Those types of things exist today.”

[Read more: More IoT devices mean states must get smarter about management — panel]

Jim Edman — deputy commissioner for South Dakota’s Bureau of Information and Telecommunications — also noted that despite some “great advancements” in connecting medical devices to each other, he lamented that “there’s no security” dimension to many of them. Accordingly, Brown said states must think about how they link up those devices to government networks.

“Most MRIs run on Windows 95,” Brown said. “We know how trustworthy that it is.”

Because of this sort of need, Tim Kelleher, vice president of IT security services for CenturyLink, doesn’t think it will be long before the industry catches up to the demand.

“It’s about dynamic segmentation, and the industry will start to develop this sort of technology,” Kelleher said. “We’ll start to invent, like we always do, as the needs become evident.”

Hurst believes that one of the biggest problems the private sector will also have to confront is how to develop ways to let governments automatically patch the thousands (or even millions) of sensors they have out in the field, rather than constantly replacing them.

“The tools are available today, but that’s going to be an adjustment to trust the patcher, trust the system to automatically patch,” Hurst said.

Contact the reporter at alex.koma@statescoop.com, and follow him on Twitter @AlexKomaSNG.