New IoT Cybersecurity Improvement Law is a start, not a final solution
The good news for IoT is this: Adoption just keeps humming along.
Researchers predict there will be 41.6 billion IoT devices in the field by 2025, according to an IDC forecast, and over $1 trillion spent on them by 2023, according to an IDC report. But these growth numbers cover up a more pressing concern: Commotion about IoT’s vulnerability to cyberattacks hasn’t quieted down. If anything, it has gotten louder.
Lack of industry-wide cybersecurity standards, a surge in rogue connected devices and widespread risky remote work habits have created opportunities for attacks on IoT. IoT device infections doubled from 2019 to 2020, according to the Nokia Threat Intelligence Report 2020. With nation states mounting SolarWinds-like cyberattacks, and well-funded, highly organized criminals given free rein in many of those same states, security pros worry that the next big breach might come through a manufacturing sensor or a smart refrigerator.
The recent passage of the federal IoT Cybersecurity Improvement Act offers some hope. Some describe it as a long-awaited step forward for IoT security. But does it go far enough?
Understand how the IoT Cybersecurity Improvement Act applies
The new law requires that any IoT device purchased with government money meet minimum security standards. It creates standards and guidelines to manage cybersecurity risks in several key areas: secure development, identity management, patching and configuration management. It also publishes guidelines for reporting and remediating vulnerabilities.
The problem is that the law applies only to government purchases of IoT-related gear. It doesn’t affect private sales, it has no enforcement mechanism, and it doesn’t directly address the multi-party system of IoT component supply chains, systems integration and ongoing operations once deployed; those are the real issues that created enterprises’ concerns over IoT’s security strength in the first place.
As IoT devices diversify, adding new capabilities and price points, manufacturers feel pressure to rush devices to market. This creates a temptation to cut corners to maintain profit margins. And as vendors abandon siloed device platforms for newer connected versions, many devices can be left vulnerable to attack.
Even for new IoT devices, the problem is the immaturity of the software toolchain and deployment practices, compounded by the fragmented IoT market. IoT software developers’ tools don’t necessarily have built-in security. These developers are often less security-savvy, and corporate IT is often not involved once the code moves across, or is developed on the other side of, the operational technology to IT dividing line. For example, security software for enterprise IT application development, testing and deployment is mature, but most vendors are still working out their offerings for IoT.
Enterprise developers are more cautious and in closer consultation with their security counterparts, and big enterprises with large software teams generally have a Security Program Management Office and Center of Excellence. This is not true of smaller companies or those that are not on the forefront of software development. They don’t see security vulnerabilities as a major liability and have mechanisms in place for defendable indemnification.
The new law pushes IoT security in the right direction
The IoT Cybersecurity Improvement Act does give some attention to establishing non-generic credentials for each device on the network. It forces IoT developers to notify downstream integrators and end users about credentials and security risks. This reminds end users to be vigilant, and developers that they may be on the hook.
Some experts say it may discourage IoT devices from coming in through shadow IT channels. This may be a pipe dream, though. The best things IT departments can do are to assume at some point a successful breach will occur, prepare in advance for breaches and mitigate the impact.
Some of the pressure to identify and report security vulnerabilities for IoT devices could fall to the providers of these devices. This, too, is a tall order. Of course, IoT device vendors should provide minimal compliance by exposing security-related information through agreed-upon open standards, as well as locally storing a periodic synopsis of that information for future reference at audit points or during post-infiltration analysis. But comprehensive IoT security is a function of continuous diagnostics and monitoring of a specific and complex environment that the device manufacturer in most cases has little to do with. In other words, vulnerability reporting should be a shared burden across the ecosystem. Putting the burden on a single party may be easier, but it will only increase the likelihood of breaches and foster a false sense that you can simply hold the IoT device manufacturers responsible for everything. They won’t be held responsible for everything.
The law will ensure that IoT devices are properly protected before they are connected to high-priority networks, such as those used in government facilities or critical infrastructure. Over the last 40 years, an increasing number of government facilities have been privatized and allies are part of our networks. There is no cybersecurity moat around a government facility. In some sense, Homeland Security got that message and really expanded the security community for critical infrastructure to public, private and even international networks.
Lastly, the new law sets a precedent that should inspire other countries and organizations to follow. Like with climate change, dealing with security vulnerabilities, in particular zero-day attacks on IoT, will need to be a global partnership. An “America First” policy doesn’t work for security.
What can companies do to ensure they’re complying with the new regulations? Here are a few tips.
- Find out what devices are connected and how they’re communicating with other devices, systems and applications. Those connections need to follow proper security protocols and continuous monitoring out to edge IoT devices.
- Test each device to understand behavior and risks, collecting consumable information in agreed-upon industry standard formats.
- Generate policies that allow only sanctioned communications and set minimum auditing and governance requirements, enforced through dynamic, continuous monitoring and diagnostics that extend from OT back into traditional IT domains, as outlined in the NIST Cybersecurity Framework.
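The three tips above describe a loop of inventory, testing and sanctioned-communication policy backed by continuous monitoring. The following is an added example, not code from the original article or from any IoT vendor, that implements that loop on constructed data: an inventory of known devices, a per-device allowlist of sanctioned flows, and a handful of observed connections. It flags traffic from addresses that are not in the inventory (shadow-IT candidates), inventoried devices talking to destinations or ports the policy does not sanction, and devices running firmware older than the floor the testing phase cleared. All device names, addresses, ports and version numbers are constructed, and the "minimum tested firmware" field is an assumption about what the testing step records.

```python
"""Added example: inventory + sanctioned-flow policy check for IoT devices.

Not from the original article. All devices, addresses and versions below
are constructed sample data; the firmware floor is an assumed output of
the "test each device" step.
"""
from dataclasses import dataclass
import ipaddress
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    firmware: str        # version currently running, e.g. "2.1.0"
    min_firmware: str    # lowest version cleared during device testing (assumed field)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dport: int
    proto: str           # "tcp" or "udp"


@dataclass(frozen=True)
class Finding:
    device: str          # device name, or source IP when the device is unknown
    kind: str            # "unknown_device" | "unsanctioned_flow" | "stale_firmware"
    detail: str


# Sanctioned communication rule: (destination CIDR, destination port, protocol)
Rule = Tuple[str, int, str]

# --- constructed inventory (not real devices) ---
INVENTORY: List[Device] = [
    Device("hvac-sensor-01", "10.20.0.11", "2.1.0", "2.0.0"),
    Device("badge-reader-03", "10.20.0.23", "1.4.2", "1.5.0"),   # below tested floor
    Device("cam-lobby-02", "10.20.0.32", "3.0.1", "3.0.0"),
]

# --- constructed policy: only these flows are sanctioned per device ---
POLICY: Dict[str, Set[Rule]] = {
    "hvac-sensor-01": {("10.30.0.0/24", 8883, "tcp")},                          # MQTT/TLS to broker subnet
    "badge-reader-03": {("10.30.0.5/32", 443, "tcp")},                          # access-control server only
    "cam-lobby-02": {("10.30.0.0/24", 554, "tcp"), ("10.30.0.0/24", 443, "tcp")},
}

# --- constructed observed flows, e.g. exported from a network sensor ---
FLOWS: List[Flow] = [
    Flow("10.20.0.11", "10.30.0.7", 8883, "tcp"),     # sanctioned
    Flow("10.20.0.11", "203.0.113.9", 443, "tcp"),    # sensor reaching an outside address
    Flow("10.20.0.23", "10.30.0.5", 443, "tcp"),      # sanctioned
    Flow("10.20.0.32", "10.20.0.11", 22, "tcp"),      # camera talking to a sensor: not in policy
    Flow("10.20.0.99", "10.30.0.5", 443, "tcp"),      # source address not in inventory
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a comparable tuple."""
    return tuple(int(p) for p in v.split("."))


def flow_allowed(flow: Flow, rules: Set[Rule]) -> bool:
    """True if the flow matches any sanctioned (CIDR, port, proto) rule."""
    dst = ipaddress.ip_address(flow.dst_ip)
    return any(
        dst in ipaddress.ip_network(cidr) and flow.dport == port and flow.proto == proto
        for cidr, port, proto in rules
    )


def evaluate(inventory: List[Device], policy: Dict[str, Set[Rule]],
             flows: List[Flow]) -> List[Finding]:
    """Apply the inventory, firmware floor and flow policy to observed traffic."""
    by_ip = {d.ip: d for d in inventory}
    findings: List[Finding] = []
    for d in inventory:
        if parse_version(d.firmware) < parse_version(d.min_firmware):
            findings.append(Finding(d.name, "stale_firmware",
                                    f"running {d.firmware}, tested floor {d.min_firmware}"))
    for f in flows:
        target = f"-> {f.dst_ip}:{f.dport}/{f.proto}"
        dev = by_ip.get(f.src_ip)
        if dev is None:
            findings.append(Finding(f.src_ip, "unknown_device", target))
        elif not flow_allowed(f, policy.get(dev.name, set())):
            findings.append(Finding(dev.name, "unsanctioned_flow", target))
    return findings


if __name__ == "__main__":
    for fnd in evaluate(INVENTORY, POLICY, FLOWS):
        print(f"{fnd.kind:18} {fnd.device:16} {fnd.detail}")
```

Run as-is, the script reports one stale-firmware device, two unsanctioned flows and one unknown source address. In practice the flow list would be fed continuously from a network sensor or flow collector, and an inventoried device with no policy entry at all is treated as having no sanctioned flows, so anything it sends is flagged until someone writes a rule for it.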
IoT cybersecurity faces a number of challenges in the coming years. Many of the cultural issues that remain will take time to work out. The new IoT cybersecurity law won’t solve the major challenges overnight, but it’s a good start at getting device manufacturers, end users and regulators on the same page.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.