The year 2020 saw far-reaching cybersecurity breaches, culminating in the widespread SolarWinds supply chain attack. This is a grave reminder to all decision-makers that cybersecurity should remain a top concern.
Cybersecurity is now a board-level issue for many firms. The World Economic Forum’s Global Risks Report 2021 revealed that cyber risks continue to rank among global risks. While the COVID-19 pandemic fast-tracked technological adoption, it also exposed cyber vulnerabilities and unpreparedness while worsening the tech disparities within industries and societies.
What is IoT Cybersecurity?
We live in a digital world that’s becoming more connected with every new technological invention. Almost everyone has a smartphone and an internet connection. Students are starting to prefer tablets to books, healthcare is improving at an unprecedented pace, homes are getting smarter, and technology is becoming an even bigger part of our lives.
Being connected 24/7 raises security questions, especially with technology that changes at a moment’s notice. Anything connected to the internet is vulnerable to cyberattacks. The 451 Research team, a group of expert IT analysts, found that 55 percent of IT professionals list IoT security as a top priority. Cybercriminals can find a way to exploit information at different points within an IoT ecosystem, whether it be a corporate server or simple cloud storage.
IoT cybersecurity is the area of technology that protects connected devices and networks within the internet of things (IoT). It has become a hot topic due to multiple high-profile incidents involving infiltrations and attacks launched through simple IoT devices. Implementing security measures is vital to ensure that IoT devices work for, rather than against, their intended use.
Background to IoT Devices
IoT is simply the collection of devices that connect to the internet. It can be as basic as your smart home devices like televisions, speakers, thermostats, and phones linking and working together. In reality, almost anything electronic can potentially connect to the internet, making it an IoT device.
Why is it important, and why does it seem so hyped? Consumers and business owners realize just how many applications IoT has and how it can impact businesses and daily living. IoT paves the way for more affordable ways to build advanced electronic devices. Wi-Fi hot spots are becoming more commonplace, and almost everyone can afford a smartphone, which connects to diverse personal IoT devices like smartwatches, headphones, and medical tools. This has turned IoT into a mainstream term rather than IT jargon. Today, it’s a term every business owner MUST know.
The IoT Cybersecurity Improvement Act of 2020
In October of 2020, the House of Representatives passed the Internet of Things (IoT) Cybersecurity Improvement Act of 2020, originally introduced in 2017 by U.S. Senators Cory Gardner and Mark Warner. The legislation was created to set minimum security standards for all IoT devices purchased by government agencies. The bill had 26 co-sponsors, Democrats and Republicans alike, and enjoyed bipartisan support in a political era that has not seen much of it lately.
The Internet of Things Cybersecurity Improvement Act of 2020 was signed into law on December 4 by then-President Donald Trump, resulting in the first federal regulation of the Internet of Things (IoT).
Per-country IoT Law Impositions
On December 4, 2020, President Donald Trump signed the IoT Cybersecurity Improvement Act of 2020, Pub. L. No. 116-207 (the “IoT Act”) into law. This new law’s legislative purpose is to ensure high-level cybersecurity at federal agencies by collaborating within government, industry, and academia.
California has another privacy law that can work alongside the new IoT law. California Senate Bill 327 was first proposed in 2018 and became effective in January. The California IoT law requires manufacturers of IoT/connected devices to equip the device with good security features that are:
- appropriate to the nature and function of the device;
- appropriate to the information the device may collect, contain, or transmit; and,
- designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.
The U.K. government announced a mandate promising new requirements for IoT manufacturers in 2019. It includes improvements around unique device passwords and policies around security updates.
IoT is a term given to everyday objects which are connected to the internet. Other terms used in connection with the IoT include smart objects, connected devices, machine-to-machine (M2M) technology, the internet of services, the network of networks, sensor networks, and pervasive or ubiquitous computing. The Act’s definition of an IoT device also includes equipment like heating and air-conditioning systems that connect to the internet. It excludes computers, laptops, tablets, and smartphones, which are considered conventional IT devices as defined in 40 U.S.C. § 11101.
While the U.S. Code refers to operational technologies using the definition of industrial control systems, operational technologies were not explicitly defined. The IoT Act introduced a definition for Operational Technology: hardware and software that detects or causes change via direct monitoring or control of physical devices, processes, and events in the enterprise. The Computer Security Act of 1987 gave NIST a mission to develop standards and guidelines, including minimum requirements, for information systems used or operated by agencies or by contractors of agencies.
The 2015 National Defense Authorization Act revised the U.S. Code to mandate that all non-defense contracts for the procurement of information technology be reviewed by the respective federal agency’s chief information officer (40 U.S.C. § 11319(b)(1)(C)).
Information Systems were defined in the Paperwork Reduction Act of 1995 to mean “a discrete set of information resources organized to collect, process, maintain, use, share, distribute, or dispose of information” (44 U.S.C. § 3502).
Security Vulnerabilities are defined in the Cybersecurity Information Sharing Act of 2015 to mean “any attribute of hardware, software, process, or procedure that could enable or facilitate the defeat of a security control” (6 U.S.C. § 1501(17)).
The Impact on Federal Government
The IoT law requires the National Institute of Standards and Technology (NIST) to develop and publish baseline standards and guidelines for the federal government’s use and management of IoT devices connected to information systems. NIST had already been addressing IoT cybersecurity, but it is now also required to circulate minimum information security requirements for managing the cybersecurity risks that come with such devices.
The standards and guidelines NIST must develop cover at least the following areas:
- Vulnerability identification and management;
- Secure development;
- Identity management;
- Patch management; and
- Configuration management.
Additionally, NIST will be responsible for publishing IoT vendors’ guidelines about disclosing security vulnerabilities and distributing information about resolving these issues. NIST will review and revise, as appropriate, the existing standards and guidelines every five years. The Office of Management and Budget (OMB) afterward shall update any policy or principle to ensure consistency with NIST revisions.
NIST is tasked with developing and publishing guidelines for all agencies, contractors, and subcontractors about security vulnerabilities. The OMB will serve to develop and supervise the execution of policies, principles, standards, or guidelines as needed to address security issues of information systems.
Agencies are prohibited from procuring, obtaining, or using an IoT device if, during the review of a project, they find that the device fails to comply with the standards and guidelines, subject to a waiver where the device is needed for national security or research, or where the project is secured using alternative effective methods. Also, the Government Accountability Office shall report to Congress on other related IoT efforts.
While the law technically applies only to federal government procurement, NIST’s standards and guidelines will have the potential to impact state law and private sector practices. For example, many IoT devices purchased by the federal government that meet the NIST-based standards will be sold to the private sector. Practically, the NIST standards may have a broader effect on security practices throughout the IoT industry.
Economies of scale should push manufacturers to build protection into their IoT devices regardless of the end user. The IoT Act also sets a crucial baseline of standards, which other nations and industry standards organizations can adapt or copy. These are welcome steps toward improving IoT device security, and they raise the importance of security as a design factor, particularly for devices linked to high-priority networks like those used in government facilities.
What Do Cyber Executives Say?
Cybersecurity experts commended the new IoT law’s alignment with existing standards and best practices, along with its significance for IoT devices, which, as everyone knows, have long been beset by security and privacy issues. The act will allow the federal government to lead by example in implementing basic IoT security standards and best practices for all devices it purchases and manages, ultimately driving contractors’ adoption of standards-based coordinated vulnerability disclosure processes.
“The application layer of most IoT technologies is critical to its successful implementation, providing the ability to install, operate, manage and update the device as well as connect it to other integrated systems. These applications are no less susceptible to security vulnerabilities than traditional web or mobile applications, and this new legislation puts forth a requirement for identifying and communicating such vulnerabilities.” – Peter Monahan, Director, Global Solutions Architecture at WhiteHat Security.
“The rapid, and ongoing, expansion in the Internet of Things (IoT) is undoubtedly making our lives more efficient and productive – and it will most likely continue to do so in the coming years thanks to the gradual deployment of 5G connectivity. However, connecting these devices to our private corporate networks expands the attack surface and potentially exposes sensitive data such as medical records, personally identifiable information, and workplace plans.” – Stefano De Blasi, Threat Researcher at Digital Shadows.
“While this is to be applauded, it appears that the bill’s initial focus is only on IoT devices procured and used by the Federal government.” He adds, “While IoT devices used on government networks are important, legislation mandating the security of all IoT devices would have gone further in providing a more comprehensive approach to IoT device safety. This may create increased sales for companies as they may introduce ‘Government’ grade IoT devices that will cost more. It will be interesting to see if companies improve the security of their consumer-grade products as a result of this standard.” – Terence Jackson, Chief Information Security Officer at Thycotic.
Summary of IoT Cybersecurity Improvement Act of 2020
The IoT Act will undoubtedly have the greatest impact on businesses selling IoT devices and services to the federal government, at least in the near term. Nevertheless, these comprehensive IoT security requirements represent a fundamental shift from the model U.S. law has historically applied to data privacy and cybersecurity. Once these standards are set, they will set the stage for contractual obligations and/or industry standards for all manufacturers of IoT devices offered to the private sector. As a result, this new federal law’s effect could be far-reaching and transformative for the industry.
The new IoT law’s importance can’t be overstated from a cybersecurity standpoint. IoT vulnerabilities are regrettably still a common threat that enables denial-of-service attacks or opens the door to data breaches. What remains to be seen is how much impact this new federal law will have on consumer IoT devices. For now we can only watch, since the law was designed to apply only to federally owned or controlled IoT devices. But the hope is that by increasing cybersecurity for IoT devices owned or controlled by the federal government, manufacturers of such devices will apply the same secure technology and standards to the development of consumer IoT devices.
As we wade through 2021, we need to continue to adapt to and combat cyber risks through planning, preparing, and educating. Because it is a universal issue, honest communication between corporations, regulators, and policymakers is vital to success. Until security features become integral to technology – seamless, transparent, and naturally usable by people – we must support the new IoT Cybersecurity Improvement Act and urge our leadership to pay serious attention to cybersecurity.
About Voler Systems
Located in Silicon Valley and with more than 40 years of electronic design experience, Voler Systems continues to be a leading custom product design consulting company providing high-quality electrical engineering and firmware development. Voler Systems ensures delivery of quality products, on time, on budget with low risk. All projects are undertaken with good specifications, the right people, quality design, constant communication, and a smooth transfer to manufacturing.