The 'Whitepaper IoT II Resilience in Practice' from the Center for Information Security and Privacy Protection (CIP) contains 15 valuable practical examples of Internet of Things applications at government organizations. For each example you can read about the risks and the chosen approach.
What is the state of security around IoT? What challenges lie ahead and why does this topic definitely need the spotlight? CIP director Geert-Jan van de Ven takes us through.
IoT involves Internet-connected devices, but also the security risks associated with them. Van de Ven: "Under IoT I include operational technology, building-related installations, and home automation. In fact, I use the term broadly, because the appearance does not really matter that much. In fact, in all cases we have to look closely at the opportunities and threats."
"The goal is very simple: a wake-up call. We also attach an action perspective to it, for colleagues and administrators. In fact, the white paper also provides some examples that people can take inspiration from for how to approach IoT security. Furthermore, it is a call to action. We need to catch up on IoT and security, and that starts with awareness that something needs to be done. The examples in this white paper help with that."
"For example, it could be about building-related installations, such as an access control system or climate control system. When a building is furnished, there is not always the realization that technical components are connected to the Internet and that those components operate installations. Those installations must be maintained and security limits must be set. There are so many contracts with dependencies on outside vendors. Often those contracts are buttoned up. Breaking them open is a big job, often with far-reaching financial consequences. Yet there is often much to be gained with some relatively simple basic measures."
"Have you yourself come across a situation that you think is worth mentioning to colleagues? Share it." Geert-Jan van de Ven
"The breadth of the examples makes people recognize themselves. There's always a case in there where people think: wait a minute, I recognize this. Perhaps it has been in the publicity, or has played out in your own organization. Seize this. I would also like to make an appeal. A number of organizations have publicly or anonymously made themselves vulnerable by sharing their case. But if you yourself have encountered a situation that you think is worth mentioning to colleagues, please share it. The CIP can help you do that."
"My perception is that we are now at the beginning of awareness. We now know of a number of cases whereby there is more social attention to vulnerabilities in products. For example, where people use home infrastructure as part of hybrid working, which includes the much-discussed cheap camera or smart light bulb. In addition, the realization that with building-related installations, you have no control over the quality of information provision, shielding, risk, and sealing. That realization has started to emerge more and more. In the last 2 years you notice that there is more reason to talk about IoT AND IoT consequences."
"By no longer seeing IoT as something special, but incorporating it into regular business operations. The planning, the execution, the controls. If it's part of that, at least it's about it. Then it's not eliminated yet, but it means the beginning of understanding."
Van de Ven specifies, "Don't see it as part of the facilities process anymore. Or of the housing process, or what is outsourced to a party where you happen to rent square footage. No, it is part of your responsibility, of your primary process. So know what it is about and also explicitly assign tasks to professionals. Like, for example, the Chief Information Security Officer (CISO) who already has a lot of experience with information security within the regular ICT domain."
"That it is not described in technical language, but with clear, practical examples that drivers can recognize. I am convinced that every driver who reads this will recognize at least 1 example: oh yes wait a minute, I have been confronted with that too."
"It's urgent, because we are now really dependent on those IoT resources."
"Drivers, of course, already have many challenges and obligations, and the focus is always on what has the most detrimental risk. But why it is urgent is because we are now really dependent on those IoT resources. Within the water domain, for example, they have been realizing for some time that IoT is a critical component. With the lock and bridge being operated remotely. Great strides have already been made there. Also within the provincial and municipal domain, experience with IoT has now been gained in the context of smart mobility and public order and safety, among others."
"On the other hand, IoT is still a young field, where not everything has crystallized yet. The field is developing and, moreover, scarcity in the labor market plays a role. That's why it needs to come into the spotlight now and we need to make good use of acquired knowledge and experience."
"I come back to understanding. Know what you're talking about. Get in-depth. Get the overview. This also creates urgency and prioritization. And facilitate the people in your organization who get to work with that."
"We would like to provide that signal effect. But we also want to share lessons learned and success stories for inspiration. In addition, we are working on the professionalism of the field. For example, what can a curriculum look like for someone working in this field? And how can we support contact with peers? We do that, for example, with the IB&P help (1) where fellow professionals are available for peer-to-peer advice. Directors are given tools there with the 7-driver KPI approach (2) on how to manage IB&P."
"In the regular information security domain, we have already come a long way. So if we no longer see IoT as something special, but as something more regular, then we can use the tools we already have for that. A number of useful baselines are already in place, such as the Cybersecurity Implementation Guideline Objects framework used by the water sector. And the Government Information Security Baseline that is already being used government-wide for generic information provision."
"And as we procure and deploy new technology, let's make sure that it's integral to the approach. That we just get new facilities right from the start."
(1) https://bio-overheid.nl/category/producten#Factsheet
(2) https://bio-overheid.nl/category/producten#7-driver-kpi-model
https://www.digitaleoverheid.nl/overzicht-van-alle-onderwerpen/informatieveiligheid/kaders-voor-informatieveiligheid/baseline-informatiebeveiliging-overheid/