Securing the Internet of Things (IoT) at the U.S. Department of Veterans Affairs

Dominic Cussatt, Acting Deputy CIO / Chief Information Security Officer (CISO)

February 22, 2017

Working Draft, Pre-Decisional, Deliberative Document – Internal VA Use Only


Devices You Use Everyday Are Part of the IoT

“Cars, kitchen appliances, and even heart monitors can all be connected through the IoT. And as the Internet of Things grows in the next few years, more devices will join that list.” ~ businessinsider.com

• Medical Devices
• Computers
• Cell Phones
• Speakers
• HVAC
• Thermostat
• Cars
• Microwaves

“The problem is that the current Internet addressing system, IPv4, only has room for about 4 billion addresses -- not nearly enough for the world's people, let alone the devices that are online today and those that will be in the future: computers, phones, TVs, watches, fridges, cars, and so on. More than 4 billion devices already share addresses. As IPv4 runs out of free addresses, everyone will need to share.” – Vint Cerf, Chief Internet Evangelist at Google

The Growth of Connected Devices in Our Society and How They Impact Our Day to Day Lives

Connected devices provide our society with beneficial opportunities for efficient and continuous communication among people, networks, and services. However, reliance on this connected environment can have undesirable outcomes.


You go to a fast food drive thru and their system is down – so now you are not just hungry, but also annoyed.


You are trying to determine which prayer service to attend and the place of worship’s schedule display is down – so now your personal spiritual practices are impacted.


You are managing an airport’s baggage claim and the directory screen goes down – now your customers are angry and don’t know where to get their luggage.


The environment at VA is different, as one may imagine, but the impact on user experience and the Veteran is similar...


...and could even impact healthcare...

Unpatched Software

Unsupported Software

Poor Configuration Management

Networked Devices Not Properly Secured

Access Privileges not Properly Managed

Etc...

Cybersecurity Threats are a Moving Target

The adversary can change their tactics much quicker than cyber defenses can be updated and re-deployed. This requires organizations to become more proactive than reactive about securing the end points.

Evolving cyber threats require new approaches to protect organizations

Threats evolving in volume, sophistication, and impact

And all the while, Technology is changing and advancing in leaps and bounds...

Security Challenges Facing the IoT

The threat to the security of VA and these network connected devices continues to increase as the capabilities of IoT continue to evolve.

End User, Business Process and Objectives, Data and Information, Architecture

• “Many enterprises are challenged by unclear business objectives that complicate setting an IoT architecture strategy to address issues relating to deployment environments, legacy infrastructure, complex environments and so forth” ~ Gartner, Internet of Things — Architecture Remains a Core Opportunity and Challenge: A Gartner Trend Insight Report, 2017

• “The unprecedented amounts of information from the IoT and the Internet of Everything expose organizations to legal, regulatory and reputational risk.” ~ Gartner, How to Address the Top Five IoT Challenges With Enterprise Architecture, 2016

Things

• The Internet of Things will produce two challenges with information: volume and velocity. Knowing how to handle large volumes and/or real-time data cost-effectively is a requirement for the Internet of Things. ~ Gartner, Hype Cycle for the Internet of Things, 2014


How the IoT Impacts Healthcare

What does the internet of things look like through a healthcare lens?

Increased connectivity paves the way for enhanced medical care, but also creates potential vulnerabilities that can alter the threat landscape and can impact patient care.

The Cyber Threat to Healthcare

Hackers now employ more sophisticated methods for penetrating networks and devices, making detection and prevention of cyber attacks more difficult. Recent examples of this threat to healthcare providers include:

“One of the biggest things we took away from our Anonymous attack was that in the past, I had always thought about cybersecurity related to health IT as safeguarding data ― but our experience made us understand it is more than that.” ~ Daniel Nigrin, M.D., Chief Information Officer at Boston Children’s Hospital, which was attacked by the hacker group Anonymous in 2014

“Hospital network security has been under scrutiny in the past few months. The MedStar Health system in Washington, D.C. recently fell victim to a ransomware attack in which a piece of malware blocked access to patient records and demanded payment.” ~ nextgov.com

The Ponemon Institute found that nearly 90% of healthcare organizations represented in a recent study had a data breach in the past two years and nearly half had 5 data breaches in the same period. Estimates based on the study suggested that breaches could be costing the healthcare industry $6.2 billion ~ ponemon.org


What Does the IoT Mean For VA?

Department of Veterans Affairs (VA): By the Numbers

As part of the VA, Veterans Health Administration (VHA) is the largest integrated healthcare system in the United States providing care at:

• 1,233 Health Care Facilities
• 168 VA Medical Centers
• 1,053 Outpatient sites

Mission Statement: To fulfill President Lincoln’s promise “To care for him who shall have borne the battle, and for his widow, and his orphan” by serving and honoring the men and women who are American Veterans

Serving more than 8.9 million Veterans each year

Information on this slide is derived from: https://www.va.gov/health/aboutVHA.asp

The Threat Landscape at VA

The VA environment spans six data centers with over 1,800 locally-managed facilities and 750,000 network devices. With this complex environment, applying cybersecurity consistently is difficult and requires collaboration across several disciplines to protect the data of our Veterans. Below are factors affecting VA’s threat landscape:

• Explosive growth and use of information technology devices connected to the Internet – “Internet of Things” (IoT)

• Proliferation of information systems and networks with virtually unlimited connectivity via mobile technologies and the cloud leading to a larger attack surface

• Increasing sophistication of threats including exponential growth rate in ransomware and distributed denial of service (DDoS) attacks leveraging the IoT vulnerabilities

The opportunity for a malicious attack or a security breach continues to increase as more devices are becoming Internet-enabled.

VA’s Approach to Improving Security

The Department of Veterans Affairs (VA) Enterprise Cybersecurity Strategy Team (ECST) within the Office of Information Technology (OI&T) was established to mature VA’s cybersecurity posture and safeguard Veteran information that is essential to providing quality health care, benefits, and services to our nation’s Veterans. The ECST encompasses activities around

The Enterprise Cybersecurity Strategy encompasses activities around securing VA’s IoT, such as medical devices and special purpose systems.

BY THE NUMBERS

• 587: Information Security professionals work for VA
• 750K: Number of protected devices on the VA network
• 71%: Decrease in overall number of critical or high vulnerabilities between November 2014 - May 2015
• 4.5M: Emails monitored per day, 75% blocked due to malware and other malicious activity
• $200M: Amount allocated for information security in 2014

Five Strategic Goals of ECST

1. Protecting Veteran information and VA data
2. Defending VA’s cyberspace ecosystem
3. Protecting VA infrastructure and assets
4. Enabling effective operations
5. Recruiting and retaining a talented cybersecurity workforce

Source: Protecting Veteran Information in a Complex Cybersecurity Landscape, VA. 7/2015

The Influence of IoT at VA

Recent enhancements in technology are allowing federal agencies, including the Department of Veterans Affairs (VA), to find new ways to collect, analyze, share, and act on the data to drive operational efficiencies in support of their mission.

Examples of IoT at VA

• Networked Medical Devices – used in patient health care for diagnosis, treatment, or monitoring of physiological measurements, or for health analytical purposes*

• Special Purpose Systems (SPS) - network-connected, non-medical systems that play a critical role in supporting a VA facility’s operations and mission fulfillment (e.g., heating, ventilation, and air conditioning (HVAC); water control)*

*Source: U.S. Department of Veterans Affairs

Examples of VA Addressing the Security Challenges of IoT

Scaling solutions enterprise-wide and establishing the capability for connected devices on the VA network

• Implemented an automated inventory tool and an inventory reconciliation process
• Implementation of the Isolation Architecture Change Advisory Board to evaluate and recommend improvements to standardized processes and procedures established to control VA IT infrastructure changes
• Deployed VA’s Medical Device Vulnerability Management Program.*
• Created the security control overlay for medical devices
• Published and integrated a cyber incident root cause analysis into standard operating procedures (SOP)
• Leveraged an isolation architecture for medical devices connected to their network.
• Implemented a change management advisory board
• Deployed a Medical Device Protection Program**
• Provided security, guidance, training and outreach to VA employees and contractors
• Implemented continuous monitoring of evolving cybersecurity threats
• Implemented configuration controls
• Implemented incident response to remediate security breaches

Slide labels: Vulnerability Management; Aging Infrastructure; Asset Management; Unsupported Operating System; Solutions; Governance and Risk Management

Slide labels: Information; Data; Architecture; Business Objective; End User; Business Process; Things

* Source: ECST accomplishments as of 1/31/2017

** Source: Fiscal Year 2017 VA Medical Device Incident Response Overview

Evolution of VA’s Approach to Securing IoT

VA continues to integrate with the business, manage information risks more strategically, and work toward a culture of shared cyber risk ownership across the enterprise.

• Enhance the isolation architecture to include connected devices
• Deploy a centralized automated inventory solution
• Monitor soon to be unsupported operating systems
• Work with device owners and manufacturers to remove vulnerable devices from the network without affecting patient care
• Develop an incident response program for connected devices
• Mirror security vulnerability management of medical devices for connected devices

Source: ECST Medical Cyber Domain Projects as of 2/1/2017

Principles to Securing the IoT Devices

As we continue to integrate IoT and become more dependent on network connected technologies, there is an increasing emphasis on securing these devices. The Department of Homeland Security (DHS) has issued six strategic principles to securing IoT:

01 Incorporate Security at the Design Phase
02 Promote Security Updates and Vulnerability Management
03 Build on Recognized Security Practices
04 Prioritize Security Measures According to Potential Impact
05 Promote Transparency Across IoT
06 Connect Carefully and Deliberately

Information on this slide is derived from: https://www.dhs.gov/sites/default/files/publications/IOT%20fact%20sheet_11162016.pdf


The Future of the IoT

What is Next for IoT?

“Security is a special challenge for IoT. IoT systems operate across the public internet; are deployed outside of the physical control of the organization; may remain in place in critical systems for 10 to 20 years; and may control critical infrastructure, or be capable of coordinated attacks on other systems…The devices themselves may lack critical hardware capabilities for securing their operation against attack. Securing IoT requires a balance of protecting against long-term devastation and accelerating value generation” – Gartner, Internet of Things Primer 2017

“The Internet of Things Market to reach $267 Billion by 2020” – Forbes, 1/29/2017

“Connected health devices should grow to $14 billion by 2020” – Forbes, 9/1/2016

“Clearly the Internet needs more IP addresses. How many more, exactly? Well, how about 340 trillion trillion trillion (or, 340,000,000,000,000,000,000,000,000,000,000,000,000)? That's how many addresses the Internet's new "piping," IPv6, can handle. That's a number big enough to give everyone on Earth their own list of billions of IP addresses.” - Vint Cerf, Chief Internet Evangelist at Google