Cybersecurity experts are keenly aware of ongoing security issues that come with connected devices. Many IoT companies do not pay much attention to security. The U.S. federal government is increasingly using IoT devices across its agencies, but that has also raised security concerns. Multiple legislative activities are starting to make security a legal requirement for consumer IoT designs.
In December 2020, the Internet of Things Cybersecurity Improvement Act (H.R. 1668) was enacted, and the National Institute of Standards and Technology (NIST) published drafts that are designed to give guidance for the federal government and IoT manufacturers. While the bill would only apply to IoT devices procured by the federal government, Brad Ree, CTO of the consultancy ioXt and board member at the ioXt Alliance, says the requirements are likely to influence the IoT industry broadly. There’s little difference between the IoT devices - such as connected lighting and communication systems - bought by the government, excluding the military, and those bought by commercial companies.
Once IoT companies invest in improving a software library to meet the new minimum cybersecurity standards, that same software library is expected to go into commercial products. Often the products sold to the government are the same as the commercial products. Consumer companies may then start building toward higher security.
What Do Cyber Executives Say?
Speaking at IoT World Today’s IoT Security Summit, Katerina Megas, program manager for NIST, said that legislation requiring IoT devices to incorporate security is already on the books in some states and is being added to federal law as well. Megas also noted in January 2020 that both California and Oregon enacted laws that require connected device manufacturers in their states to arm their devices with “reasonable security features.” Furthermore, several additional states – including New York, Massachusetts, Illinois, and Virginia – developed similar legislation that is either pending or under consideration.
Cybersecurity experts commended the new IoT law’s alignment with existing standards and best practices, along with its meaning for IoT devices – which, as everyone knows, have long been beset by security and privacy issues. The act will allow the federal government to lead by example in implementing basic IoT security standards and best practices for all devices it will purchase and manage, ultimately driving manufacturers to adopt higher security standards.
“The application layer of most IoT technologies is critical to their successful implementation, providing the ability to install, operate, manage and update the device as well as connect it to other integrated systems. These applications are no less susceptible to security vulnerabilities than traditional web or mobile applications, and this new legislation puts forth a requirement for identifying and communicating such vulnerabilities.”
- Peter Monahan, Director, Global Solutions Architecture at WhiteHat Security.
“The rapid, and ongoing, expansion in the Internet of Things (IoT) is undoubtedly making our lives more efficient and productive - and it will most likely continue to do so in the coming years thanks to the gradual deployment of 5G connectivity. However, connecting these devices to our private corporate networks expands the attack surface. It potentially exposes sensitive data such as medical records, personally identifiable information, and workplace plans.”
- Stefano De Blasi, Threat Researcher at Digital Shadows.
“While this is to be applauded, it appears that the bill’s initial focus is only on IoT devices procured and used by the Federal government.” He adds, “While IoT devices used on government networks are important, legislation mandating the security of all IoT devices would have gone further in providing a more comprehensive approach to IoT device safety. This may create increased sales for companies as they may introduce ‘Government’ grade IoT devices that will cost more. It will be interesting to see if companies improve the security of their consumer-grade products as a result of this standard.”
- Terence Jackson, Chief Information Security Officer at Thycotic.
IoT vulnerabilities are regrettably still a common threat that causes denial-of-service attacks or opens the door to data breaches. We don’t know how much impact this new federal law will have on consumer IoT devices. Right now we’re still observing it, since the law was originally designed to apply only to federally owned or controlled IoT devices. It is likely that, as cybersecurity increases for IoT devices owned or controlled by the federal government, manufacturers of such devices will use the same secure technology and standards in the development of consumer IoT devices.
The frequent cybersecurity breaches show that security is not good enough in IoT devices, but the added cost of developing more secure products is a competitive disadvantage to anyone who provides higher security. By setting standards, the government can make cybersecurity an advantage, encouraging higher security in all devices.
As cybersecurity and privacy issues increase in healthcare, consider making security a higher design priority. Meet FDA, CE, and other security requirements to ensure your devices are secure and avoid the costly and embarrassing consequences of security breaches.
Voler can help you develop secure-by-design medical IoT and wearable devices. We offer expert guidance on designing and developing next-generation IoT and wearable devices. We help select the right technology for your device and determine the right combination of electronics for guaranteed security and reliability.
Located in Silicon Valley and with more than 40 years of electronic design experience, Voler Systems continues to be a leading custom product design consulting company providing high-quality electrical engineering and firmware development. Voler Systems ensures delivery of quality products, on time, on budget with low risk. All projects are undertaken with good specifications, the right people, quality design, constant communication, and a smooth transfer to manufacturing.