Discuss Your Next Design Project
Company / News

Cybersecurity Experts Hail New IoT law

post_banner

Cybersecurity experts are keenly aware of ongoing security issues that come with connected devices. Many IoT companies do not pay much attention to security. The U.S. federal government is increasingly using IoT devices across its agencies, but that has also raised security concerns. Multiple legislative activities are starting to make security a legal requirement for consumer IoT designs.

In December 2020, the Internet of Things Cybersecurity Improvement Act (H.R. 1668) was enacted, and the National Institute of Standards and Technology (NIST) published drafts that are designed to give guidance for the federal government and IoT manufacturers. While the bill would only apply to IoT devices procured by the federal government, Brad Ree, CTO of the consultancy ioXt and board member at the ioXt Alliance, says the requirements are likely to influence the IoT industry broadly. There’s little difference between the IoT devices - such as connected lighting and communication systems - bought by the government, excluding the military, and those bought by commercial companies.

The Saint Lawrence Seaway Development Corp. uses IoT to monitor ship's transiting locks.

Once IoT companies invest in improving a software library to meet the new minimum cybersecurity standards, that same software library will expectedly go into commercial products. Often the products sold to the government are the same as the commercial products. Consumer companies will possibly start building toward higher security.

What Do Cyber Executives Say

The program manager for the NIST Katerina Megas, Speaking at IoT World Today’s IoT Security Summit, said that legislation requiring IoT devices to incorporate security is already on the books in some states and is being added to federal law as well. Megas also noted in January 2020 that both California and Oregon enacted laws that require connected device manufacturers in their states to arm their devices with “reasonable security features.” Furthermore, several additional states – including New York, Massachusetts, Illinois, Massachusetts, and Virginia developed similar legislation that is either pending or under consideration.

Cybersecurity experts commended the new IoT law’s alignment with existing standards and best practices, along with its meaning for IoT devices – which, as everyone knows, have long been beset by security and privacy issues. The act will allow the federal government to lead by example in implementing basic IoT security standards and best practices for all devices it will purchase and manage, ultimately driving manufacturers to adopt higher security standards.

 

“The application layer of most IoT technologies is critical to their successful implementation, providing the ability to install, operate, manage and update the device as well as connect it to other integrated systems. These applications are no less susceptible to security vulnerabilities than traditional web or mobile applications, and this new legislation puts forth a requirement for identifying and communicating such vulnerabilities.”

- Peter Monahan, Director, Global Solutions Architecture at WhiteHat Security.

“The rapid, and ongoing, expansion in the Internet of Things (IoT) is undoubtedly making our lives more efficient and productive - and it will most likely continue to do so in the coming years' thanks to the gradual deployment of 5G connectivity. However, connecting these devices to our private corporate networks expands the attack surface. It potentially exposes sensitive data such as medical records, personally identifiable information, and workplace plans.”

“The rapid, and ongoing, expansion in the Internet of Things (IoT) is undoubtedly making our lives more efficient and productive - and it will most likely continue to do so in the coming years' thanks to the gradual deployment of 5G connectivity. However, connecting these devices to our private corporate networks expands the attack surface. It potentially exposes sensitive data such as medical records, personally identifiable information, and workplace plans.”

- Stefano De Blasi, Threat Researcher at Digital Shadows.

"While this is to be applauded, it appears that the bill's initial focus is only on IoT devices procured and used by the Federal government.” He adds, "While IoT devices used on government networks are important, legislation mandating the security of all IoT devices would have gone further in providing a more comprehensive approach to IoT device safety. This may create increased sales for companies as they may introduce “Government” grade IoT devices that will cost more. It will be interesting to see if companies improve the security of their consumer-grade products as a result of this standard.”

- Terence Jackson, Chief Information Security Officer at Thycotic.

IoT vulnerabilities are regrettably still a common threat that causes denial-of-service attacks or door to data breaches. We don’t know how much impact this new federal law will have on consumer IoT devices. Right now we’re still observing it, since the law is originally designed to apply only to federally-owned or controlled IoT devices. It is likely that by increasing cybersecurity for IoT devices owned or controlled by the federal government, manufacturers of such devices will use this same secure technology and standards in the development of consumer IoT devices. Read the challenges of IoT security.

The frequent cybersecurity breaches show that security is not good enough in IoT devices, but the added cost of developing more secure products is a competitive disadvantage to anyone who provides higher security. By setting standards the government can make cybersecurity an advantage, encouraging higher security in all devices.

End Note

As cybersecurity and privacy issues increase in healthcare, consider making security a higher design priority. Meet FDA, C.E., and other security requirements to ensure your devices are secure and avoid the costly and embarrassing consequences of security breaches.

Voler can help you develop secure-by-design medical IoT and wearable devices. We offer expert guidance on designing and developing next-generation IoT and wearable devices. We help select the right technology for your device and determine the right combination of electronics for guaranteed security and reliability.

About Voler

Located in Silicon Valley and with more than 40 years of electronic design experience, Voler Systems continues to be a leading custom product design consulting company providing high-quality electrical engineering and firmware development. Voler Systems ensures delivery of quality products, on time, on budget with low risk. All projects are undertaken with good specifications, the right people, quality design, constant communication, and a smooth transfer to manufacturing.

TELL US ABOUT YOUR NEXT DESIGN PROJECT

Do you have a question about our services, pricing, samples, resources, or anything else?

Contact Us Now

Related News

IoT Security: What We All Need to Know | Voler Systems

The Internet of Things, or IoT, has started to truly come into its own in the last few...

Read More

Secure or Nothing - Why device security must be front and center | Voler Systems

Any electronic device you're looking to develop that's meant for use by humans must...

Read More

Wearables Device Data Security & Protection | Voler Systems

Wearable healthcare devices have gone far beyond merely counting steps and heartbeats. A...

Read More

Interested in Learning More? Contact Us Today!