Watchdog: Pentagon needs stronger guidance for IoT device security

A report from the Government Accountability Office has found that the Defense Department’s policies on Internet of Things devices aren’t sufficient enough to guard against potential security risks.

The July 27 report analyzed the agency’s guidance on IoT devices regarding cybersecurity, information security and physical security concerns, finding that they either didn’t address the devices — which include items like digital wearables and smart televisions — or failed to attribute security procedures for industrial control systems.

“According to the Director of National Intelligence, IoT devices are designed and fielded with minimal security requirements and testing, and an ever-increasing complexity of networks could lead to widespread vulnerabilities in civilian infrastructures and U.S. government systems,” the report says.

GAO officials found that while the agency has begun looking at the security risks posed by IoT devices, no one office oversees security policy for them. Rather, the policy is split between numerous offices, including the DOD chief information officer; the Office of the Assistant Secretary of Defense for Energy, Installations and Environment; the Office of the Under Secretary of Defense for Intelligence; the Defense Information Systems Agency and others.

The agency went as far as to identify a series of risk points in which an IoT device could be compromised — from malware installation during a device’s construction to lack of software patches that make it vulnerable to attack — and has developed mission assurance assessments to outline vulnerabilities from the devices.

While the DOD has policies for the IoT devices, those policies still have gaps where it concerns the potential of a compromised IoT device, such as a smart TV, the GAO noted.

“DoD officials told us that existing DoD policies and guidance do not clearly address security risks relating to smart televisions, and particularly smart televisions in unsecure areas,” the report says. “Officials from military services and other DoD components described smart televisions as a risk to operations security due, in part, to the ability of commercial providers to access the devices remotely—potentially eavesdropping on conversations or sending recordings of these conversations to third parties.”

Officials also acknowledged that the policies don’t address the sharing of data through apps added to DOD mobile devices, potentially allowing developers or hackers to capture data through unauthorized third-party apps.

The report also notes that the DOD’s core cybersecurity policies do not focus specifically on IoT devices, though the agency’s CIO does have policy recommendations centered on IoT security that could inform broader cybersecurity best practices.

The GAO did outline ongoing DOD efforts to address IoT security, including conducting an inventory of its industrial control systems, research and testing of device security by the Defense Advanced Research Projects Agency, and the formation of an IoT forum to examine the potential security risks of the devices.

The report offered three recommendations, including that:

• DOD begin conducting operation security surveys to identify potential risks from devices;
• Review cybersecurity policies and guidance for gaps concerning IoT devices; and
• Identify where additional guidance may be needed relating to IoT devices.

DOD officials concurred with the recommendations and said it was in the process of or had already begun applying them.