On December 4th, 2020, the “IoT Cybersecurity Improvement Act of 2020” became law. The bipartisan legislation sets a minimum security standard for IoT devices that the US government procures. In an increasingly rare act of bipartisanship, the bill was “passed by unanimous consent” in both the House of Representatives and the Senate, demonstrating the importance of IoT security.
The law requires the following:
The National Institute of Standards and Technology (NIST) must develop “standards and guidelines for the Federal government on the appropriate use and management by agencies of Internet of Things devices.” These guidelines apply to IoT devices owned or controlled by the US Federal government and its agencies, and must address secure development, identity management, patching, and configuration management. The law also requires guidelines for discovering and disclosing vulnerabilities in those owned or controlled devices.
After NIST releases the standards and guidelines, the Director of the Office of Management and Budget (OMB) must review the policies and principles of Federal civilian agencies to make sure they meet the NIST guidelines. Note that this review must be coordinated with the Director of the Cybersecurity and Infrastructure Security Agency (CISA).
The procurement rules for obtaining and operating IoT equipment must be updated in line with the NIST guidelines, and agencies are prohibited from purchasing an IoT device that does not meet the updated standards.
While this is the first major step at the US Federal level towards placing a minimum set of security standards on IoT devices, it follows a number of other government actions, including:
The 2020 United Kingdom Government response to the Regulatory proposals for consumer Internet of Things (IoT) security consultation
California’s cybersecurity law SB-327, effective January 1, 2020
The European Union Agency for Network and Information Security (ENISA) 2017 Baseline Security Recommendations for IoT.
These recent moves are encouraging. But are they enough? The answer depends on who you ask. Some would say these guidelines are sufficient, but most industry experts would say no, none of these laws go far enough. Let’s explore why:
The new law mandates identity management. “If you can’t trust a device, how can you trust the data coming from it” is a phrase often repeated in the security community, and it is very relevant here. Before an IoT device is ever connected to a network, it should be identified (authenticated), and that identity should continue to be verified throughout the device’s lifetime. The open question is how far that identity management will be taken. Some identity management schemes amount to the device maker pinging the device at setup and having it perform a very basic self-check. A self-check is only as trustworthy as the firmware that reports it, so it is worth asking whether such checks could catch malicious firmware inserted somewhere in the design. And how far do, and should, identity management requirements go? Seemingly missing from these laws is supply chain traceability: with the threat models of IoT devices expanding, device makers need to be aware that nefarious parties may be seeking to infiltrate supply chains with counterfeit chips or the insertion of rogue hardware.
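To make the difference between a device-reported self-check and a verifiable identity concrete, here is an added example (not code from the article, the law, or any NIST guideline) of challenge-response device attestation. It assumes a hypothetical design in which a per-device key is provisioned at manufacture into an immutable root of trust that measures the firmware image before handing control to it, and a verifier that holds a registry of device keys and the expected firmware hash; device IDs, keys, and firmware images are constructed sample data.

```python
"""Device identity and firmware attestation demo (added example, not from the article).

Assumptions, not from the source: a per-device key lives in an immutable root of
trust that hashes the firmware at boot; the mutable firmware cannot read the key
or choose what is measured; the verifier knows each device key and the expected
firmware hash. A symmetric MAC is used for brevity; a real design would use an
asymmetric key in a secure element so the verifier holds no device secrets.
"""
import hashlib
import hmac
import os

# Constructed sample data.
GENUINE_FIRMWARE = b"lightbulb firmware v1.2 (constructed sample)"
TAMPERED_FIRMWARE = GENUINE_FIRMWARE + b" + implant"
DEVICE_ID = "bulb-0001"
DEVICE_KEY = bytes(range(32))  # constructed factory key; real devices use random keys


def measure(image: bytes) -> bytes:
    """Firmware measurement: SHA-256 over the whole image."""
    return hashlib.sha256(image).digest()


class RootOfTrust:
    """Immutable boot component holding the device key and the boot-time measurement."""

    def __init__(self, device_id: str, key: bytes, image: bytes):
        self.device_id = device_id
        self._key = key
        self._measurement = measure(image)  # taken before the firmware runs

    def attest(self, nonce: bytes) -> dict:
        # Binds the verifier's fresh nonce to the measured firmware under the device key.
        mac = hmac.new(self._key, nonce + self._measurement, hashlib.sha256).digest()
        return {"device_id": self.device_id, "measurement": self._measurement, "mac": mac}


class Firmware:
    """Replaceable application code. Its self-check is an unkeyed claim it can make up."""

    def __init__(self, rot: RootOfTrust):
        self.rot = rot

    def self_check(self) -> dict:
        return {"device_id": self.rot.device_id, "status": "ok"}  # always says "ok"

    def respond(self, nonce: bytes) -> dict:
        return self.rot.attest(nonce)  # can only relay what the root of trust signs


class Verifier:
    def __init__(self, registry: dict, expected_measurement: bytes):
        self.registry = registry  # device_id -> key
        self.expected = expected_measurement
        self._pending = {}  # device_id -> outstanding nonce

    def challenge(self, device_id: str) -> bytes:
        nonce = os.urandom(16)
        self._pending[device_id] = nonce
        return nonce

    def verify(self, report: dict) -> bool:
        nonce = self._pending.pop(report["device_id"], None)  # each nonce used once
        key = self.registry.get(report["device_id"])
        if nonce is None or key is None:
            return False
        expected_mac = hmac.new(key, nonce + report["measurement"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected_mac, report["mac"]):
            return False  # wrong key: clone or counterfeit
        return hmac.compare_digest(report["measurement"], self.expected)  # wrong firmware


def run_scenarios() -> dict:
    """Returns accept/reject outcomes for the genuine device and three failure cases."""
    verifier = Verifier({DEVICE_ID: DEVICE_KEY}, measure(GENUINE_FIRMWARE))
    genuine = Firmware(RootOfTrust(DEVICE_ID, DEVICE_KEY, GENUINE_FIRMWARE))
    tampered = Firmware(RootOfTrust(DEVICE_ID, DEVICE_KEY, TAMPERED_FIRMWARE))
    clone = Firmware(RootOfTrust(DEVICE_ID, b"\x00" * 32, GENUINE_FIRMWARE))

    results = {}
    # The unkeyed self-check passes the tampered device: it proves nothing.
    results["self_check_tampered"] = tampered.self_check()["status"] == "ok"
    results["genuine"] = verifier.verify(genuine.respond(verifier.challenge(DEVICE_ID)))
    results["tampered"] = verifier.verify(tampered.respond(verifier.challenge(DEVICE_ID)))
    results["clone"] = verifier.verify(clone.respond(verifier.challenge(DEVICE_ID)))
    report = genuine.respond(verifier.challenge(DEVICE_ID))
    verifier.verify(report)
    results["replay"] = verifier.verify(report)  # captured report replayed later
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The verifier issues a fresh nonce on every check, so the same exchange can be repeated for the lifetime of the device rather than only at setup, and a captured response cannot be replayed. The key point for the supply chain concern raised above is where the measurement and key live: if the mutable firmware could read the key or pick the value it reports, a malicious image could attest to a genuine hash, which is why the measurement has to be taken by a root of trust the firmware cannot alter.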
Some might ask whether there is really a need for significant security in basic IoT devices. Let’s take one of the simplest cases: the connected light bulb. If an attacker were able to compromise a home light bulb, they would gain an understanding of your occupancy patterns: when you are home, and when you aren’t. What about a high-rise building where all the lights are connected? An attacker able to turn off every light in a tall building presents a risk to human safety.
Now imagine a manufacturer-wide security flaw that allowed a nefarious party to shut off all of a brand’s lights worldwide as part of a ransomware attack. The financial, brand, and safety risks are significant, and that is just the light bulb case. Extrapolate those risks to more consequential IoT equipment: cameras in sensitive government areas, traffic lights at busy intersections, elevators, or HVAC equipment. The risks are many, and the threat models grow more extreme as the number of connected devices around us rises.
The recent government actions are a good first step, but much, much more is needed. Hopefully, IoT device manufacturers see these laws not as the minimum bar to meet, but as a baseline on which to build significantly.