AASHTO Journal - Senate Hearing Examines Cybersecurity Risks of IoT Devices

The Subcommittee on Security within the Senate Committee on Commerce, Science, and Transportation held a hearing on April 30 to examine the security threats and challenges posed by the Internet of Things or IoT, plus ways to encourage the inclusion of more cybersecurity by design into connected devices and the networks that support them.

Sen. Dan Sullivan, R-Alaska, chairman of the security subcommittee, added that IoT cybersecurity is growing issue as development of a 5G high-speed wireless network continues.

Matthew Eggers, vice president of cybersecurity policy at the U.S. Chamber of Commerce, noted in his written testimony that IoT objects “are potentially vulnerable targets for hackers” and as the number of IoT devices grows, “so will the potential risk of successful intrusions and increases in costs” from hacking incidents.

“A top Chamber priority will be for industry to achieve consensus on the technical criteria that support the IoT cyber baseline, including for consumer and industrial devices,” he said. “The Chamber wants to get strong devices into the networks of businesses and the hands of consumers. Among other things, strong IoT will yield positive externalities.”

That perspective echoed comments made by Vice President Mike Pence in a speech last year, who explained that such “externalities” include stemming attacks on U.S. transportation infrastructure.

“A single Russian malware attack last year cost a major American shipping company roughly $400 million,” he said in his 2018 speech.

As a result, Pence noted that the formation of new cyber-focused government agencies – such as the Cybersecurity and Infrastructure Security Agency and National Risk Management Center, both housed within the Department of Homeland Security – along with more collaboration with private sector groups will be needed, especially as the costs of cyberattacks continues to grow.

“In 2016, it is estimated cyberattacks cost our economy as much as $109 billion,” he said last year. “The truth is cybersecurity is unlike any challenge we’ve ever faced. Technologies are shifting by the minute, from the Internet of Things to 5G to artificial intelligence to quantum computing, and each advance is accompanied not only by new opportunities, but new challenges. And just as the threats are evolving, our defenses, too, must evolve. It is a work that’s never done. It is a process that is continuous. And so must our collaboration be.”

Charles Romine, director of the information technology laboratory within the National Institute of Standards and Technology, expanded on those points while illustrating the benefits of greater IoT connectivity during the April 30 hearing.

“IoT devices are an outcome of combining the worlds of information technology and operational technology. With the inexpensive rise of WiFi and other connective technology chip sets and wireless technologies, we can connect almost anything to the internet and harness computing power far beyond our traditional personal computer and laptop environments,” he said in his written testimony.

“Every sector has its own types of IoT devices, such as specialized hospital equipment in the healthcare sector and smart road technologies in the transportation sector,” Romine noted. “IoT also adds the ability to analyze data about the physical world and use the results to better inform decision-making, alter the physical environment, and anticipate future events. While the full scope of IoT is not precisely defined, it is clearly vast.”

Yet securing IoT devices is a major challenge, he explained, as manufactures tend to focus on “functionality, compatibility requirements, customer convenience, and time-to-market” rather than security.

“Many IoT devices interact with the physical world in ways conventional IT devices usually do not. For example, IoT devices with actuators have the ability to make changes to physical systems and thus affect the physical world,” Romine said. “And many organizations are not necessarily aware that they are using a large number of IoT devices. So it is important that organizations understand their use of IoT because many IoT devices affect cybersecurity and privacy risks differently than conventional IT devices do.”