President Biden's recent executive order on cybersecurity garnered attention for its broad efforts to boost the nation's overall security posture, but it also includes calls to action intended to improve IoT defenses.
The White House issued the May 12 order following a ransomware attack against Colonial Pipeline that shut down fuel distribution along the East Coast, leading to local gas shortages and disrupting U.S. economic activity. According to reports, the attackers used a compromised password to access corporate systems through a virtual private network account.
To help prevent future attacks like that, the order spells out specific steps to address vulnerabilities within the country's IT infrastructure, including IoT devices and IoT deployments. The order also requires more transparency within the IT supply chain and mandates information-sharing around cyberthreats.
Security leaders have applauded Biden's attention to cybersecurity, saying that the order brings a new sense of urgency to the issue and has the capacity to increase cybersecurity not only within the federal government but across the private sector, too.
Moreover, the order could boost security in information and operational technologies, as well as IoT, which has become increasingly vulnerable to attacks as the number of connected devices explodes.
"The executive order will accelerate the process of IoT security. It brings more attention to the need for some changes and for more guidelines and tools to more effectively manage, maintain and secure IoT environments. And it could help by creating more consistent rules," said Stephanie Benoit-Kurtz, a veteran enterprise security executive who, as lead faculty at the University of Phoenix's College of Business and Information Technology, is working on an IoT-focused doctorate.
How the order aims to improve security
The executive order specifically addresses IoT by calling for the National Institute of Standards and Technology to:
- start pilot programs to educate the public on the security capabilities of IoT devices and software development practices, as well as to develop incentives to get device manufacturers and developers to participate in the programs; and
- identify IoT cybersecurity criteria for a consumer labeling program that will help consumers understand the relative security of IoT devices.
Although the executive order addresses IoT in part, most of it focuses on cybersecurity more broadly.
In fact, in issuing the order, Biden cited not only the Colonial Pipeline attack but also the late 2020 SolarWinds hack and the January 2021 Microsoft Exchange breach.
"These incidents share commonalities, including insufficient cybersecurity defenses that leave public and private sector entities more vulnerable to incidents," the White House said.
The order seeks to improve security overall by calling for:
- more information-sharing about threats between the federal government and private sector entities by removing contractual barriers and requiring IT service providers to share certain breach information;
- the federal government to move to secure cloud services and a zero-trust architecture, with mandates to deploy multifactor authentication and encryption;
- the establishment of security standards for developing software intended for government use, including providing greater visibility and making security data publicly available;
- the establishment of a program for labeling software security to drive built-in security in the market, modeled on the Energy Star labels that identify how energy-efficient a product is;
- the creation of a Cybersecurity Safety Review Board to convene following significant cyber incidents to analyze what happened and make recommendations based on lessons learned;
- the creation of a playbook or template on how to identify and respond to cyber incidents and threats; and
- the deployment of a governmentwide endpoint detection and response system, along with improved information-sharing within the federal government and improved investigative and remediation capabilities.
Order influences both public and private sector
Biden's executive order most directly affects federal agencies, as it directs them to modernize their technology and security practices. It will also push vendors that provide products and services to the U.S. government to meet the higher security standards.
Just as significantly, though, experts said that the private sector will be pushed to improve security because vendors, having adopted higher standards to meet federal requirements, will likely carry those standards to other customers throughout various industries.
"A large swath of hardware and software vendors will be brought in and will have to up their game," said Saurabh Bagchi, a professor in Purdue University's School of Electrical and Computer Engineering and its Department of Computer Science.
The work ahead
Although Biden's order has elements specifically aimed at improving IoT security, experts said there are significant hurdles to overcome before that improvement is realized.
To start, IoT hardware doesn't always support advanced security protocols, Bagchi said, explaining that the devices' small form factors make long passwords, fingerprint sensors and other advanced authentication mechanisms difficult to include.
At the same time, IoT use cases with the need for speed and low latency discourage the addition of strong authentication requirements that would slow the total time needed for the devices to connect to networks and share data, he said. And the need for low-power devices also disincentivizes the use of security measures that would suck up energy.
Additionally, a relatively small number of vendors provide microcontrollers for IoT devices, which means one vulnerability can affect security across vast numbers of devices, Bagchi said.
He noted, too, that IoT devices are vulnerable to physical tampering because they're often in locations accessible to many people or to the public in general -- such as connected security cameras -- or they're in remote places where someone could easily reach the devices without witnesses. Biden's executive order doesn't necessarily address that security risk.
In fact, some questioned whether Biden's order will have a significant influence on IoT security.
"It will have a limited effect," said Michael Perreault, senior security solutions architect for cloud and data center transformation at IT services and solutions firm Insight. He said he expects the executive order will only change security standards for IoT deployments within the federal arena.
However, Perreault stressed that the ability to improve IoT security already exists within enterprises.
"The dangers for IoT are directly related to how companies use IoT in their environments. It all comes down to risk -- how you're using the device, what it's attached to. And people who are doing a good job at risk management have few issues," Perreault said.
While vendors of IoT components -- whether hardware or software -- do have a role to play in boosting security, Perreault said it's up to enterprise IT and security leaders to evaluate risk and put in place the mitigations they believe are appropriate, as they should for all types of technologies.