Securing the Internet of Things (IoT) at the U.S. Department of Veterans Affairs Dominic Cussatt Acting Deputy Assistant Secretary / Chief Information Security Officer (CISO) February 20, 2017 Working Draft, Pre-Decisional, Deliberative Document Internal VA Use Only


Securing the Internet of Things (IoT) at the U.S. Department of Veterans Affairs

Dominic Cussatt

Acting Deputy Assistant Secretary / Chief Information Security Officer (CISO)

February 20, 2017

Working Draft, Pre-Decisional, Deliberative Document – Internal VA Use Only

The Cyber Threat to Healthcare

Hackers now employ more sophisticated methods for penetrating networks and devices, making detection and prevention of cyber attacks more difficult. Recent examples of this threat to healthcare providers include:

“One of the biggest things we took away from our Anonymous attack was that in the past, I had always thought about cybersecurity related to health IT as safeguarding data ― but our experience made us understand it is more than that.” ~ Daniel Nigrin, M.D., Chief Information Officer at Boston Children’s Hospital, which was attacked by the hacker group Anonymous in 2014

“Hospital network security has been under scrutiny in the past few months. The MedStar Health system in Washington, D.C. recently fell victim to a ransomware attack in which a piece of malware blocked access to patient records and demanded payment.” ~ nextgov.com

The Ponemon Institute found that nearly 90% of healthcare organizations represented in a recent study had a data breach in the past two years and nearly half had 5 data breaches in the same period. Estimates based on the study suggested that breaches could be costing the healthcare industry $6.2 billion ~ ponemon.org

Department of Veterans Affairs (VA): By the numbers

As part of the VA, the Veterans Health Administration (VHA) is the largest integrated healthcare system in the United States, providing care at:

• 1,233 Health Care Facilities

• 168 VA Medical Centers

• 1,053 Outpatient sites

Mission Statement: To fulfill President Lincoln’s promise “To care for him who shall have borne the battle, and for his widow, and his orphan” by serving and honoring the men and women who are American Veterans

Serving more than 8.9 million Veterans each year

Information on this slide is derived from: https://www.va.gov/health/aboutVHA.asp

The Threat Landscape at VA

The VA environment spans six data centers with over 1,800 locally-managed facilities and 750,000 network devices. With this complex environment, applying cybersecurity consistently is difficult and requires collaboration across several disciplines to protect the data of our Veterans. Below are factors affecting VA’s threat landscape:

• Explosive growth and use of information technology devices connected to the Internet – “Internet of Things” (IoT)

• Proliferation of information systems and networks with virtually unlimited connectivity via mobile technologies and the cloud, leading to a larger attack surface

• Increasing sophistication of threats, including an exponential growth rate in ransomware and distributed denial of service (DDoS) attacks leveraging IoT vulnerabilities

The opportunity for a malicious attack or a security breach continues to increase as more devices are becoming Internet-enabled.

VA’s Approach to Improving Security

The Department of Veterans Affairs (VA) Enterprise Cybersecurity Strategy Team (ECST) within the Office of Information Technology (OI&T) was established to mature VA’s cybersecurity posture and safeguard Veteran information that is essential to providing quality health care, benefits, and services to our nation’s Veterans. The ECST encompasses activities around

The Enterprise Cybersecurity Strategy encompasses activities around securing VA’s IoT, such as medical devices and special purpose systems.

BY THE NUMBERS

• 587 – Information Security professionals work for VA

• 750K – Number of protected devices on the VA network

• 71% – Decrease in overall number of critical or high vulnerabilities between November 2014 - May 2015

• 4.5M – Emails monitored per day, 75% blocked due to malware and other malicious activity

• $200M – Amount allocated for information security in 2014

Five Strategic Goals of ECST

1. Protecting Veteran information and VA data

2. Defending VA’s cyberspace ecosystem

3. Protecting VA infrastructure and assets

4. Enabling effective operations

5. Recruiting and retaining a talented cybersecurity workforce

Source: Protecting Veteran Information in a Complex Cybersecurity Landscape, VA. 7/2015

The Influence of IoT

Recent enhancements in technology are allowing federal agencies, including the Department of Veterans Affairs (VA), to find new ways to collect, analyze, share, and act on the data to drive operational efficiencies in support of their mission.

Examples of IoT at VA

• Networked Medical Devices – used in patient health care for diagnosis, treatment, or monitoring of physiological measurements, or for health analytical purposes*

• Special Purpose Systems (SPS) - network-connected, non-medical systems that play a critical role in supporting a VA facility’s operations and mission fulfillment (e.g., heating, ventilation, and air conditioning (HVAC); water control)*

*Source: U.S. Department of Veterans Affairs


Security Challenges Facing the IoT


The threat to the security of VA and these network connected devices continues to increase as the capabilities of IoT continue to evolve.

End User

Business Process and Objectives

Data and Information

Architecture

• “Many enterprises are challenged by unclear business objectives that complicate setting an IoT architecture strategy to address issues relating to deployment environments, legacy infrastructure, complex environments and so forth” ~ Gartner, Internet of Things — Architecture Remains a Core Opportunity and Challenge: A Gartner Trend Insight Report, 2017

• “The unprecedented amounts of information from the IoT and the Internet of Everything expose organizations to legal, regulatory and reputational risk.” ~ Gartner, How to Address the Top Five IoT Challenges With Enterprise Architecture, 2016

Things

• The Internet of Things will produce two challenges with information: volume and velocity. Knowing how to handle large volumes and/or real-time data cost-effectively is a requirement for the Internet of Things. ~ Gartner, Hype Cycle for the Internet of Things, 2014

Principles to Securing the IoT Devices

As we continue to integrate IoT and become more dependent on network-connected technologies, there is an increasing emphasis on securing these devices. The Department of Homeland Security (DHS) has issued six strategic principles for securing IoT:

1. Incorporate Security at the Design Phase

2. Promote Security Updates and Vulnerability Management

3. Build on Recognized Security Practices

4. Prioritize Security Measures According to Potential Impact

5. Promote Transparency Across IoT

6. Connect Carefully and Deliberately

Information on this slide is derived from: https://www.dhs.gov/sites/default/files/publications/IOT%20fact%20sheet_11162016.pdf

Examples of VA Addressing the Security Challenges of IoT

Scaling solutions enterprise-wide and establishing the capability for connected devices on the VA network

Challenge areas: Vulnerability Management; Aging Infrastructure; Asset Management; Unsupported Operating System Solutions; Governance and Risk Management

• Implemented an automated inventory tool and an inventory reconciliation process

• Implementation of the Isolation Architecture Change Advisory Board to evaluate and recommend improvements to standardized processes and procedures established to control VA IT infrastructure changes

• Deployed VA’s Medical Device Vulnerability Management Program.*

• Created the security control overlay for medical devices

• Published and integrated a cyber incident root cause analysis into standard operating procedures (SOP)

• Leveraged an isolation architecture for medical devices connected to their network.

• Implemented a change management advisory board

• Deployed a Medical Device Protection Program**

• Provided security, guidance, training and outreach to VA employees and contractors

• Implemented continuous monitoring of evolving cybersecurity threats

• Implemented configuration controls

• Implemented incident response to remediate security breaches

Information Data Architecture; Business Objective; End User; Business Process; Things

* Source: ECST accomplishments as of 1/31/2017

** Source: Fiscal Year 2017 VA Medical Device Incident Response Overview

Evolution of VA’s Approach to Securing IoT

VA continues to integrate with the business, manage information risks more strategically, and work toward a culture of shared cyber risk ownership across the enterprise.

• Enhance the isolation architecture to include connected devices

• Deploy a centralized automated inventory solution

• Monitor soon-to-be-unsupported operating systems

• Work with device owners and manufacturers to remove vulnerable devices from the network without affecting patient care

• Develop an incident response program for connected devices

• Mirror security vulnerability management of medical devices for connected devices

Source: ECST Medical Cyber Domain Projects as of 2/1/2017

The Future Outlook

“Security is a special challenge for IoT. IoT systems operate across the public internet; are deployed outside of the physical control of the organization; may remain in place in critical systems for 10 to 20 years; and may control critical infrastructure, or be capable of coordinated attacks on other systems…The devices themselves may lack critical hardware capabilities for securing their operation against attack. Securing IoT requires a balance of protecting against long-term devastation and accelerating value generation” – Gartner, Internet of Things Primer 2017

“The Internet of Things Market to reach $267 Billion by 2020” – Forbes, 1/29/2017

“Connected health devices should grow to $14 billion by 2020” – Forbes, 9/1/2016