During a panel at the Internet of Things Global Summit on Thursday, Federal and private sector leaders described how Internet of Things (IoT) devices present opportunities for the Federal government, but also create a need for regulation.
“We have to be aware of the threats and vulnerabilities, but we also have to recognize that IoT brings with it a fantastic opportunity, not just for industry but for government,” said Robert Metzger, head of the Washington D.C. office of the law firm Rogers Joseph O’Donnell. “There’s almost no part of government at any level where one could not postulate an attractive use case where government would benefit from IoT technology.”
Colleen Ekas, assistant vice president for IoT product management and channel enablement at AT&T, described how her company worked to incorporate IoT into government offerings like FirstNet and solutions for the U.S. Postal Service. “Governmentizing is a word I made up…and to us means enabling products by hardening, securing, and enabling them for the Federal, state, and local levels of government,” she said. “We think about it in terms of contracting. We think about it in terms of product requirements and security,” she added.
In the ever-present area of IoT security, Katerina Megas, program manager for the Cybersecurity for IoT program at the National Institute of Standards and Technology (NIST), described how the agency invites private sector partners into the National Cybersecurity Center of Excellence (NCCoE) to help create implementation guides for cybersecurity challenges. She cited a completed project that created a reference architecture for wireless infusion pumps, and a current project looking at the Manufacturer’s Usage Description to prevent routers from communicating with unauthorized devices.
She also encouraged the audience to offer comment on NIST’s new IoT cybersecurity guidance, noting that she had embarked on a listening tour to gather feedback. “Going forward, we’re going to start developing and talking about a baseline for IoT and what could a baseline for IoT devices around security and privacy look like,” said Megas.
Megas also shared the principles around IoT cybersecurity that have emerged from her time as program manager: the need for a risk-based approach, an outcome-based approach over descriptive standards, a defense-in-depth strategy over a device-targeted strategy, and embracing stakeholder engagement.
“It’s going to be a multi-pronged effort,” said Megas.