Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Administration of the Internet of Things

September 5, 2018 · Administration of the Internet of Things · Read the full official report on mass.gov ↗

Published September 5, 2018 Audit covers July 1, 2016 – March 31, 2017 Under Suzanne M. Bump · 2011–2023

In plain English
Massachusetts was using connected devices in government, but the audit found the state needed stronger rules, planning, and oversight to manage them safely.
source
“The Commonwealth needs to take additional measures to ensure the effective and efficient adoption of Internet of Things technology.”
Read the plain-English breakdown
What is this?

This is a 2018 State Auditor performance audit about how Massachusetts agencies were using and managing Internet-connected devices during the audit period.

“This report details the audit objectives, scope, methodology, findings, and recommendations for the audit period, July 1, 2016 through March 31, 2017.”
Why was it audited?

Auditors wanted to see whether the state technology office was properly supporting agencies that were starting to use Internet of Things devices.

“We assessed the services that the Executive Office of Technology Services and Security (EOTSS) provided to agencies that were adopting the IoT.”
Why it matters

Connected devices can help government work better, but each one can also create a new opening for cyberattacks if it is not managed well.

“Every device that is connected to an organization’s network increases the opportunities for it to be attacked by a hacker.”
What's in it for me?

For residents, this technology can affect everyday services like train arrival information, energy use in public buildings, air-quality monitoring, benefits access, and tolling.

“The MBTA uses global positioning system devices on trains to provide their locations and estimate their times of arrival at stations, which improves communication with riders.”
The bottom line

The audit’s bottom line was that Massachusetts had made some progress, but still needed better IT security policies, an incident response plan, and stronger review of projects that connect devices to the state network.

“Although the Commonwealth has taken, and continues to take, measures to improve its information technology (IT) operations and security, we identified areas where IT administration could be improved to ensure the effective and efficient adoption of Internet of Things (IoT) technology.”
What happens next

The auditor recommended that EOTSS create IoT security guidance, finish a formal incident response plan, and require agencies to check with the state chief information officer for projects involving the state network.

“EOTSS should develop a documented information security incident response plan.”
Why it's significant

The stakes are practical: without clear response plans and controls, the state may be less prepared to limit damage from cyberattacks involving connected devices.

“Without an incident response plan, the Commonwealth has inadequate assurance that it can effectively respond to and minimize the risk of cyberattacks when they happen.”
Jargon, unpacked

Internet of Things means ordinary equipment, sensors, phones, meters, vehicles, or other devices that connect over a network and send or receive data without a person manually moving that data each time.

“The Internet of Things (IoT) is the interconnection of devices via the Internet to allow the devices to collect and receive data over a network without requiring human-to-human or human-to-computer interaction.”

What the Auditor checked

What the Auditor found

The Enterprise Information Security Policy lacked guidance for agencies adopting Internet of Things technology.
cybersecurityinternal controls

Why it matters: The Commonwealth could face security vulnerabilities affecting operations, safety, and privacy.

Standard: Section 4 of Executive Order 504 and NISTIR 8200 guidance on IoT cybersecurity standards. ( Section 4 of Executive Order 504; NISTIR 8200—Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT) )

1 recommendation
  • EOTSS should develop guidelines specifically for the IoT in its current EISP and incorporate them into its security policy.
Agency response & Auditor reply
Agency: "EOTSS recognizes the growing impact of IoT and anticipates the need for additional guidelines."
Auditor: "However, given the unique nature of connecting IoT devices to the Commonwealth’s network, the continued expansion of the use of IoT devices by state agencies, and the potential threats involved with the management of these devices, OSA believes that the Commonwealth’s EISP should provide specific guidance to state agencies regarding the IoT."
The Commonwealth did not have a formally documented information security incident response plan.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: The Commonwealth lacked adequate assurance that it could effectively respond to and minimize cyberattack risk.

Standard: NIST Incident Response Plan best practices. ( NIST Incident Response Plan )

1 recommendation
  • EOTSS should develop a documented information security incident response plan.
Agency response & Auditor reply
Agency: "The Commonwealth Incident Response Plan, which unifies the disparate incident response plans developed under E.O. 504, has been in draft form since February and builds on the policies and procedures described above."
Auditor: "However, in its response, EOTSS acknowledges that the Commonwealth Incident Response Plan has been in draft form since February."
DCAMM connected Internet of Things devices to MAGNet without involving the Commonwealth’s chief information officer.
cybersecurityprocurement/contractsinternal controls

Why it matters: There was inadequate assurance that devices were properly connected and increased risk of cyberattacks.

Standard: Section 11(a) of Executive Order 549. ( Section 11(a) of Executive Order 549 )

1 recommendation
  • EOTSS should implement a policy to ensure that all state agencies considering undertaking any projects related to MAGNet contact the CCIO and learn whether the CCIO should be involved in supervising the projects.
Agency response & Auditor reply
Agency: "DCAMM acknowledges that the CCIO was not directly involved in the procurement for the Commonwealth Building Energy [Intelligence] (CBEI) program."
Auditor: "Based on its response, DCAMM is taking measures to address our concerns regarding working with EOTSS on its CBEI Program."