Audit of the Administration of the Internet of Things

This audit examines the Commonwealth's current use of Internet of Things devices and the adequacy of the internal controls for implementing and using this technology. It looked at the period of July 1, 2016 through March 31, 2017.

Organization: Office of the State Auditor
Date published: September 5, 2018

Executive Summary

The Internet of Things (IoT) is the interconnection of devices via the Internet to allow the devices to collect and receive data over a network without requiring human-to-human or human-to-computer interaction. The flow of information in the IoT relies on what are commonly referred to as “smart” devices or on sensors that can be found in many products such as thermostats, health monitors, and motor vehicles. These devices need to collect, respond to, and/or transmit data as part of their normal operations. The IoT has many beneficial applications. For example, IoT-enabled devices and equipment are used to manage traffic; monitor health, weather, and energy; sense changes in environmental conditions to make necessary adjustments to control costs; and monitor equipment failure to ensure timely repair. Some common IoT devices include fitness trackers; smart watches; health monitoring devices; environmental monitoring devices; and devices in vehicles, such as those for global positioning system location and autonomous driving. It has been estimated that about 30 billion devices will be connected to the IoT by 2020.

In this audit, we obtained an understanding of the Commonwealth’s current IoT environment in terms of device use and planned use by surveying a sample of Commonwealth agencies (see Appendix) where we believed IoT devices were used for significant purposes. Some of the important feedback from this survey included the following:

  • Sixty-eight percent of respondents believe that the IoT has enabled their agencies to manage specific activities more efficiently. However, survey responses indicate that the adoption of IoT technology has been slow in the Commonwealth.
  • Forty-three percent of respondents believe that the IoT is in its infancy and the risk of adopting IoT devices is greater than the benefits.
  • Forty-six percent of respondents believe that IoT risks cannot be managed effectively and efficiently by current controls.

Our audit also assessed the adequacy of the internal controls that the Executive Office of Technology Services and Security (EOTSS) [1] has established for implementing and using IoT technology as well as the measures EOTSS has taken to mitigate security and privacy risks associated with the use of this technology. We found that controls in this area could be improved.

According to EOTSS, the Massachusetts Access to Government Network (MAGNet) [2] will eventually be replaced by the One Network initiative, which will consolidate the specific agency networks into one centrally managed Commonwealth network. According to EOTSS, this will enhance network security and allow high network availability, fast network connectivity, centralized network monitoring, and centralized network traffic management.

Below is a summary of our findings and recommendations.

Finding 1a

The Commonwealth’s Enterprise Information Security Policy (EISP) does not offer any guidelines to state agencies regarding the adoption of IoT technology.

Finding 1b

The Commonwealth does not have a formally documented information security incident response plan.

Finding 1c

The Division of Capital Asset Management and Maintenance did not involve the Commonwealth’s chief information officer (CCIO) in a project that connected IoT devices to MAGNet.

Recommendations

  1. EOTSS should develop guidelines specifically for the IoT in its current EISP and incorporate them into its security policy. It could use the National Institute of Standards and Technology paper NISTIR 8200—Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT) for reference.
  2. EOTSS should develop a documented information security incident response plan.
  3. EOTSS should implement a policy to ensure that all state agencies considering undertaking any projects related to MAGNet contact the CCIO and learn whether the CCIO should be involved in supervising the projects.

A PDF copy of the audit of the Administration of the Internet of Things is available here.

[1] On August 1, 2017, the Governor established EOTSS to replace a previous agency, the Massachusetts Office of Information Technology, and made EOTSS responsible for administering the state’s information technology infrastructure.

[2] MAGNet is the Commonwealth’s private geographically dispersed telecommunication network; it is managed by EOTSS and is used to connect the various local area networks used by state agencies.

List of Abbreviations

CBEI: Commonwealth Building Energy Intelligence
CCIO: Commonwealth’s chief information officer
DCAMM: Division of Capital Asset Management and Maintenance
DEP: Department of Environmental Protection
DPH: Department of Public Health
DTA: Department of Transitional Assistance
EISP: Enterprise Information Security Policy
EOTSS: Executive Office of Technology Services and Security
IoT: Internet of Things
IT: information technology
MAGNet: Massachusetts Access to Government Network
MassDOT: Massachusetts Department of Transportation
MBTA: Massachusetts Bay Transportation Authority
NIST: National Institute of Standards and Technology
OSA: Office of the State Auditor

Contact

Phone

Fax

(617) 727-3014

Address

Massachusetts State House
Room 230
Boston, MA 02133
