Why FISMA is not enough for the Internet of Things

The cybersecurity vulnerabilities uncovered in a number of the Transportation Security Administration's electronic security and personnel management devices are part of a growing problem for federal IT managers, according to the expert that discovered and reported the flaws.

Billy Rios, director of threat intelligence at Qualys, a large security tech firm, presented a paper in early August at the Black Hat cybersecurity convention that showed electronic backdoors, hard-coded credentials and other fundamental security flaws in a number of the TSA's detection, management and security devices.

For instance, Rios said the Kronos 4500, a "time and attendance" product that's basically a time clock TSA employees use to log in an out of work using their fingerprints, had two backdoor passwords that would allow access to any of the devices across the country. Rios said he found 6,000 of the Kronos devices in use after Internet searches. Two of those, he said, belonged to public airports -- one at San Francisco International Airport that has since been taken offline and another at an unidentified airport that remains online.

Rios' research also found hard-coded credentials in the Morpho Itemiser 3, an explosive trace scanner. TSA approved the device, but never used it. Nevertheless, Rios' research spurred an alert from US CERT on July 24 concerning the device's vulnerabilities. Rios had previously found weaknesses in a certain model of baggage X-ray machines used by TSA that could be used to manipulate the machines electronically to produce false images.

Rios said he has been working with the Department of Homeland Security to address the issues.

In an interview with FCW, RIOS said TSA is not alone among federal agencies or private industry in its inarticulate response to the quickly evolving "Internet of Things," where a sprawl of previously unconnected devices is becoming Internet-capable.

When asked about the flaws uncovered by Rios, TSA responded in an email statement that the technology it procures undergoes "a rigorous certification and accreditation process in accordance with the Federal Information Security Management Act (FISMA)."

That process, it said "ensures information technology security risks are identified and mitigation plans put in place, as necessary. A majority of the equipment we utilize is not available for sale commercially or to any other entity; the agency regularly uses its own libraries, software and settings."

Rios, who has worked with a number of federal agencies on security, said those assertions may be crumbling with the spread of non-traditional computing devices that could house secret or unobtrusive entryways for bad actors.

One of the biggest cybersecurity concerns for federal agencies implementing greater connectivity via the public or private cloud, Rios said, is not necessarily unsecured devices, but their growing pervasiveness in a wide variety of formerly unrelated systems.

"Buildings are the biggest problem" for federal agencies, he said of emerging cyber risks in the Internet of Things, he said. Structures that incorporate increasingly complex control systems -- HVAC systems and mobile apps that allow remote control of lighting and building operations -- can also open those systems to cyberattacks or manipulation, presenting new layers of electronic vulnerabilities.

Cybersecurity could be unwittingly buried under the government's increasing emphasis on improving building efficiencies and functions under mandates to cut costs and improve environmental performance, Rios said. The General Services Administration has a "green" building initiative aimed at not only increasing the energy efficiency of facilities, but also reducing energy costs. Those capabilities include environment monitoring devices that can connect to the Internet.

Although HVAC and other building systems are classified as industrial control systems, Rios said it's not really clear who is responsible for their cybersecurity. The systems and devices sit astride the facilities world and the IT world. Additionally, hard-wired vulnerabilities like the flaws found in the TSA systems' firmware, aren't readily detectible using most monitoring systems. They're more deeply embedded in devices than software and come with the devices when they're purchased.

Although there is a strong effort to protect private industry and federal industrial control systems, Rios said, even more attention is needed.

The responsibilities of building system cybersecurity, he said, would seem to fall under the purview of the Department of Homeland Security's Federal Protective Service, which handles physical security of federal buildings. But that responsibility isn't clear cut.

Since those buildings' systems can be purchased by contracting officers at federal agencies used to buying air conditioning systems and not IT, agency and GSA contracting officers with IT experience should also have a larger role in those kids of procurements, Rios recommended.

Rios maintains that the procurement process is one of the most important links in preventing back-door cyberattacks on federal facilities. Understanding what devices are to be used and how they can be accessed should be an integral part of buying them.

FISMA regulations, he said, don't provide adequate coverage for the emerging threat. "No document covers the root stuff. We need to understand the devices and what's being bought" from the outset, he said.