Audit of the Administration of the Internet of Things
September 5, 2018 · Administration of the Internet of Things · Read the full official report on mass.gov ↗
source
“The Commonwealth needs to take additional measures to ensure the effective and efficient adoption of Internet of Things technology.”
Read the plain-English breakdown
This is a 2018 State Auditor performance audit about how Massachusetts agencies were using and managing Internet-connected devices during the audit period.
“This report details the audit objectives, scope, methodology, findings, and recommendations for the audit period, July 1, 2016 through March 31, 2017.”
Auditors wanted to see whether the state technology office was properly supporting agencies that were starting to use Internet of Things devices.
“We assessed the services that the Executive Office of Technology Services and Security (EOTSS) provided to agencies that were adopting the IoT.”
Connected devices can help government work better, but each one can also create a new opening for cyberattacks if it is not managed well.
“Every device that is connected to an organization’s network increases the opportunities for it to be attacked by a hacker.”
For residents, this technology can affect everyday services like train arrival information, energy use in public buildings, air-quality monitoring, benefits access, and tolling.
“The MBTA uses global positioning system devices on trains to provide their locations and estimate their times of arrival at stations, which improves communication with riders.”
The audit’s bottom line was that Massachusetts had made some progress, but still needed better IT security policies, an incident response plan, and stronger review of projects that connect devices to the state network.
“Although the Commonwealth has taken, and continues to take, measures to improve its information technology (IT) operations and security, we identified areas where IT administration could be improved to ensure the effective and efficient adoption of Internet of Things (IoT) technology.”
The auditor recommended that EOTSS create IoT security guidance, finish a formal incident response plan, and require agencies to check with the state chief information officer for projects involving the state network.
“EOTSS should develop a documented information security incident response plan.”
The stakes are practical: without clear response plans and controls, the state may be less prepared to limit damage from cyberattacks involving connected devices.
“Without an incident response plan, the Commonwealth has inadequate assurance that it can effectively respond to and minimize the risk of cyberattacks when they happen.”
Internet of Things means ordinary equipment, sensors, phones, meters, vehicles, or other devices that connect over a network and send or receive data without a person manually moving that data each time.
“The Internet of Things (IoT) is the interconnection of devices via the Internet to allow the devices to collect and receive data over a network without requiring human-to-human or human-to-computer interaction.”
What the Auditor checked
- Did not comply Is there adequate administration of IoT use at various state agencies?
What the Auditor found
Why it matters: The Commonwealth could face security vulnerabilities affecting operations, safety, and privacy.
Standard: Section 4 of Executive Order 504 and NISTIR 8200 guidance on IoT cybersecurity standards. ( Section 4 of Executive Order 504; NISTIR 8200—Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT) )
1 recommendation
- EOTSS should develop guidelines specifically for the IoT in its current EISP and incorporate them into its security policy.
Agency response & Auditor reply
Agency: "EOTSS recognizes the growing impact of IoT and anticipates the need for additional guidelines."
Auditor: "However, given the unique nature of connecting IoT devices to the Commonwealth’s network, the continued expansion of the use of IoT devices by state agencies, and the potential threats involved with the management of these devices, OSA believes that the Commonwealth’s EISP should provide specific guidance to state agencies regarding the IoT."
Why it matters: The Commonwealth lacked adequate assurance that it could effectively respond to and minimize cyberattack risk.
Standard: NIST Incident Response Plan best practices. ( NIST Incident Response Plan )
1 recommendation
- EOTSS should develop a documented information security incident response plan.
Agency response & Auditor reply
Agency: "The Commonwealth Incident Response Plan, which unifies the disparate incident response plans developed under E.O. 504, has been in draft form since February and builds on the policies and procedures described above."
Auditor: "However, in its response, EOTSS acknowledges that the Commonwealth Incident Response Plan has been in draft form since February."
Why it matters: There was inadequate assurance that devices were properly connected and increased risk of cyberattacks.
Standard: Section 11(a) of Executive Order 549. ( Section 11(a) of Executive Order 549 )
1 recommendation
- EOTSS should implement a policy to ensure that all state agencies considering undertaking any projects related to MAGNet contact the CCIO and learn whether the CCIO should be involved in supervising the projects.
Agency response & Auditor reply
Agency: "DCAMM acknowledges that the CCIO was not directly involved in the procurement for the Commonwealth Building Energy [Intelligence] (CBEI) program."
Auditor: "Based on its response, DCAMM is taking measures to address our concerns regarding working with EOTSS on its CBEI Program."