The U.S. federal government is proving increasingly vulnerable to cyberattacks, and seemingly every week we learn of more stolen federal employee identities, Russian digital election meddling and Pentagon hacks.
These attacks can cripple the U.S. government if systems remain insecure, according to the “2017 Internet Security Threat Report.” With lawmakers desperate to secure government systems, the new “Internet of Things (IoT) Cybersecurity Improvement Act” legislation will require connected devices purchased by government agencies to be patchable, and would ban devices that are shipped with hard-coded passwords.
Could there be other solutions to this problem that have been overlooked?
Since IoT requires connectivity, it is this area of the solution stack that presents the most vulnerabilities. Connectivity comes in two basic flavors: wired and wireless. Wired is most common on the factory floor, often using proprietary industrial protocols, such as Profinet and Modbus. These systems were never really designed to be exposed to the internet, yet they are the very systems for which Industry 4.0 promises huge advancements in productivity, with predictive maintenance being one of the most popular discussion points today.
Due to the volume of devices to be connected in coming years, wireless IoT connectivity will be the most advantageous, and it is where cybersecurity experts are most concerned.
With the industry promoting a raft of different IoT connectivity options, some are appropriate for federal government applications, whereas others are not.
For example, in a recent article, the Business of Federal Technology introduced the IoT Cybersecurity Improvement Act, which will require vendors of internet-connected devices purchased by the federal government to ensure that their devices are patchable, rely on industry standard protocols, do not use hard-coded passwords and do not contain any known security vulnerabilities.
For devices to be patchable, a robust two-way communication link between a device and an IoT platform is required. Some wireless connectivity options aren’t developed for two-way communication, and certainly not for updating firmware.
LTE (Cat-M1 and NB-IoT) and LoRa are the frontrunners in the emerging wireless connectivity area, the key word being “emerging.” Networks are being deployed, devices are on their way and bandwidth will be plentiful, however:
- The average price for a connected device subscription will be around $2.00
- New LTE/LPWAN hardware will be expensive in early years
If the federal government requires a few hundred million (or more) connected things, the bill is going to be high, the rollout slow and the security no better than most of today’s wireless connectivity options. The new cybersecurity bill points out that the Office of Management and Budget will develop alternative network-level security requirements for devices with limited data processing and software functionality. Considering this point, no real benefit will be derived from adopting emerging tech. If anything, it will slow things down as developing alternative network-level security requirements on new technologies — which aren’t yet ubiquitous — will take time.
One practical alternative is to use existing, ubiquitous, secure wireless protocols such as MQTT-SN over USSD. The USSD messaging protocol, baked into GSM networks, requires no TCP/IP. If you remove the internet from IoT, the paradigm shifts completely: you guarantee the quality of service between device and IoT platform, creating a very secure and reliable bidirectional communication protocol that is available not only across the U.S., but the world — today!
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.