When the House of Representatives voted in favor of the IoT Cybersecurity Improvement Act of 2020 on September 14, it acknowledged that securing the Internet of Things (IoT) is a matter of national importance. As written, the bill affirms the risks inherent with accelerated use of internet-connected devices and calls for cooperative efforts between government, industry and academia.
It also establishes a hierarchy of responsibility for protecting federal agencies against cyberattacks that starts with the executive branch, “followed by the Office of Management and Budget [OMB], the Secretary of Homeland Security and the head of each such agency,” while directing the OMB to oversee the creation of IoT security standards by the National Institute of Standards and Technology (NIST). Federal agencies and suppliers would be required to use only devices meeting prescribed standards and notify agencies of any known vulnerabilities affecting devices used.
On the legal site Lexology, the law firm Gordon Rees Scully Mansukhani says devices covered under the Act are defined as “a physical object that is capable of being in regular connection with the Internet or a network that is connected to the Internet, and has computer processing capabilities of collecting, sending or receiving data.”
The bill was written in response to major distributed denial of service (DDoS) attacks, including one in 2016 in which the Mirai malware variant was used to compromise tens of thousands of IoT devices, orchestrating their use in overwhelming and disrupting commercial web services. The threat hit closer to home for the federal government in 2017 when it was discovered that Chinese-made internet-connected security cameras were using previously undetected communications backdoors to “call home” to their manufacturers, presenting a risk that what was visible to a camera’s lens was also visible to our geopolitical rivals.
In response, the 2019 National Defense Authorization Act (NDAA) was amended to prevent the use of Chinese cameras in Department of Defense facilities, including the removal of existing cameras by August of 2019. Bloomberg reported that compliance with the regulation has proven troublesome. It is unknown how many such cameras are in use throughout the DoD and, thus, impossible to know which may be of Chinese origin. Even those that are accounted for are difficult to locate or monitor for risky communications patterns.
How are potentially dangerous devices making their way onto the networks of our military installations? Unlike traditional information technology equipment, IoT devices are not built to be part of an organization’s communications infrastructure, but to take advantage of simple, ubiquitous connectivity, either through direct connection to a LAN or over a cellular or Wi-Fi channel. The goal is to add value to the utility of a device by allowing it to be monitored or controlled remotely.
As with security cameras, internet connectivity is now a common feature of facilities management equipment like environmental controls, access control systems and elevators. Described as “shadow IoT,” these devices operate within an organization’s network but are outside of the view of those responsible for IT and security. Well-intentioned employees and contractors compound the problem by bringing their own connected devices into the workplace. In 2019, CSO Magazine reported that rogue IoT devices are a problem for 100% of organizations surveyed. My company has found Peloton bicycles, Tesla automobiles and vending machines connected to corporate networks and has even encountered medical devices being used to surf applications like Facebook and YouTube.
If passed, the IoT Cybersecurity Improvement Act would establish standards for a measured adoption of connected devices on federal networks and set an example for private industry by requiring manufacturers to take a security-by-design approach to connected devices. Simple precautions such as the use of unique passwords and segmented deployment can make new devices more secure, but as the DoD learned with its rogue security cameras, a law that acknowledges a problem is of no help to those tasked with fixing it unless they also have the technical capabilities to enforce the policy.
Fortunately, those capabilities exist, and applying them has proved effective at addressing the problem of shadow IoT. The approach consists of the following processes:
• Discover all devices. It is impossible for an agency to know whether it complies with any regulations if IT cannot tell exactly what is connected where. The first step is to conduct automated device discovery of the organization’s network. Without a comprehensive asset inventory, you cannot secure these devices. Understanding these devices at a granular level of make, model, software version, serial number, location and more is critical.
• Profile behavior and risks. Once discovered, devices must be profiled to understand behavior and risks. This includes baselining communications patterns so insights such as anomalous and malicious behavior, or device utilization details, can be tracked. Devices that exhibit vulnerabilities can also be identified.
• Automate action and policy enforcement. By understanding what the device is and how it behaves, policies can be generated and applied to allow only sanctioned communications or to trigger appropriate security responses. This is critical because many IoT devices remain in service far longer than typical laptops and desktop computers, 10 years or more in some cases. This means agencies and enterprises need to protect millions of vulnerable legacy devices for many years after any law is passed. To protect all these IoT devices at scale, security policies need to be generated and automated to ensure maximum protection of both new and legacy devices.
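As an added illustration of the three processes above (example code, not from the article or from any vendor product), the following Python sketch takes a constructed device inventory and constructed flow records, builds a per-device communications baseline, flags a camera reaching an outside host and a device that was never discovered, and turns the baseline into allow-only policy rules. All device names, addresses and ports are constructed.

```python
from collections import defaultdict

# Constructed inventory from a discovery pass (hypothetical make/model values).
INVENTORY = {
    "cam-01": {"make": "ExampleCam", "model": "X100", "firmware": "1.2.0"},
    "hvac-01": {"make": "ExampleHVAC", "model": "H7", "firmware": "4.1"},
}

# Constructed flow records (device_id, dst_ip, dst_port) using documentation address ranges.
BASELINE_FLOWS = [
    ("cam-01", "10.0.0.10", 554),       # RTSP to the on-site video recorder
    ("cam-01", "10.0.0.5", 123),        # NTP to the local time server
    ("hvac-01", "10.0.0.20", 47808),    # BACnet to the building controller
]
OBSERVED_FLOWS = [
    ("cam-01", "10.0.0.10", 554),
    ("cam-01", "203.0.113.5", 443),     # camera "calling home" to an outside host
    ("hvac-01", "10.0.0.20", 47808),
    ("vend-07", "198.51.100.9", 8883),  # device never discovered: shadow IoT
]


def build_baseline(flows):
    """Map each device to the set of (dst_ip, dst_port) pairs seen in the learning window."""
    baseline = defaultdict(set)
    for device, dst_ip, dst_port in flows:
        baseline[device].add((dst_ip, dst_port))
    return dict(baseline)


def find_anomalies(baseline, flows, inventory):
    """Flag flows from undiscovered devices and flows to destinations outside the baseline."""
    findings = []
    for device, dst_ip, dst_port in flows:
        if device not in inventory:
            findings.append(("unknown_device", device, dst_ip, dst_port))
        elif (dst_ip, dst_port) not in baseline.get(device, set()):
            findings.append(("new_destination", device, dst_ip, dst_port))
    return findings


def generate_policy(baseline):
    """Per-device allow rules from the baseline, each followed by a default deny."""
    rules = []
    for device in sorted(baseline):
        for dst_ip, dst_port in sorted(baseline[device]):
            rules.append({"device": device, "action": "allow", "dst": dst_ip, "port": dst_port})
        rules.append({"device": device, "action": "deny", "dst": "any", "port": "any"})
    return rules
```

In practice the baseline window would be fed from NetFlow or switch telemetry and the rules pushed to a NAC or firewall; the logic of learn, compare, and allow-only stays the same.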
The Government Accountability Office (GAO) recently found that 56 of 90 federal agencies that responded to its survey have adopted IoT devices to aid in their missions. As the experience with the DoD illustrates, exactly how many devices are in use and exactly where all those devices may be is unknown. It is almost certain that all federal agencies have some level of shadow IoT use present in their operations, whether they know it or not. Until the IoT Cybersecurity Improvement Act is passed — and backed up with the capacity to enforce its provisions — our government and the missions of its agencies remain vulnerable.