BOSTON, MA — State Auditor Suzanne M. Bump is calling on the Executive Office of Technology Services and Security (EOTSS) to take a proactive and comprehensive approach to support state government agency adoption of “Internet of Things” (IoT) devices. The call came as Bump today released an audit examining the Commonwealth’s administration of IoT devices. The IoT refers to devices—such as health and environmental monitoring devices, items with GPS sensors, and roadway surveillance cameras—that are connected to the internet in order to collect, receive, and disseminate data. In the audit, Bump highlights examples of Commonwealth agencies using IoT devices during the audit period, including electronic toll center cameras, motorist information signs, GPS devices on trains, and sensors to measure air quality.
The audit notes that some of the most significant challenges related to the adoption of IoT devices include cybersecurity, privacy, connectivity, and a lack of laws and regulations regarding the use of this new technology. As part of the audit, Bump’s office surveyed state agencies about their current and planned use of IoT devices. While most responding agencies indicated they either currently use or may in the near future use IoT devices, a plurality of agencies felt that because this technology is in its infancy, the risk of adopting these devices outweighed the benefits. A plurality also felt that their agencies could not currently effectively and efficiently manage the risks associated with IoT devices.
“As IoT technology becomes increasingly ubiquitous, state government has a choice: it can lead by proactively securing these devices and developing a comprehensive approach to ensure agencies are effectively protected when leveraging these tools, or it can react to challenges and threats when they are at an agency’s doorstep,” Bump said. “As the Commonwealth continues to take measures to improve its IT operations and security, the opportunities and threats presented by IoT devices must be a part of that strategy.”
The audit calls on EOTSS to develop specific guidelines for state agencies to identify and secure IoT devices. In addition, it encourages the agency to formally document a specific plan to respond to incidents affecting the security of IoT devices. Finally, it recommends that the agency develop a policy that requires all state agencies to consult with the Commonwealth’s Chief Information Officer before connecting IoT devices to the state’s network.