The IoT Cybersecurity Improvement Act of 2020, signed into law in December of that year, requires government agencies to ensure the security of their IoT devices. Several states, including California and Oregon, have already passed IoT cybersecurity laws. This new act will have a much wider impact and affect how devices are manufactured across the board, since industry and other levels of government tend to follow federal security requirements.
Regulatory agencies and standards bodies have proposed new guidance for IoT devices in accordance with the new legislation. Manufacturers should be aware of these changes to avoid penalties or fines, keep their devices safe and do business with government agencies handling sensitive data. What counts as sufficient protection depends on the security measures appropriate to each context; an insufficiently protected device leaves an organization at risk.
Going forward, manufacturers will have to prove their devices are safe and comply with the new security and privacy standards. Complying with these mandates will be a challenge, so manufacturers will need guidance on the security and viability of their IoT products.
The changing landscape
IoT devices, which include smart home and personal devices, medical devices, air quality sensors, smart traffic lights, biometric security scanners, industrial control systems and more, play an important role in organizational operations and people’s everyday lives. However, they also expand the attack surface and can cause a wide range of negative impacts, from annoyance to physical harm. For example, attackers can use search engines to locate devices connected to the internet, a function intended for infosec professionals but widely used by criminals. The attackers can then find unprotected IoT devices, exploit their weaknesses and get into a network to steal data or cause other damage.
The Mitre Corp. last year added hardware security weaknesses to its Common Weakness Enumeration list, which, for 15 years, had covered only software weaknesses. The list was expanded because of the growing importance of hardware security, both in IoT devices and in enterprise IT and operations. Hardware is now better recognized as part of the attack surface.
A pivotal document for IoT security is NIST Interagency/Internal Report (NISTIR) 8259 — a collection of publications, many still in draft form, that cover IoT device security in the federal government. NIST’s standards and guidance documents are often followed throughout government and industry.
NIST Special Publication (SP) 800-213 (Draft) defines the concepts of risk, architecture, controls, interactions and other factors that impact the security of IoT devices within a federal information system. Instead of including actual controls, it outlines steps to build a process. NISTIR 8259A, which is in its final form, offers manufacturers guidance on IoT device cybersecurity. It includes six requirements that can be mapped to other standards, such as those from the European Union Agency for Cybersecurity, Cloud Security Alliance and IoT Security Foundation.
Also included in the initiative, NISTIR 8259C advises manufacturers on how to customize device controls for government use. Meanwhile, NISTIR 8259D offers guidance to manufacturers and integrators on how to work with federal agencies by applying the methods in NISTIR 8259C and the security controls in NIST SP 800-53B to IoT deployments.
Companies should also be aware of more than just NIST regulations. State laws designed to protect the privacy of residents, such as California’s Senate Bill 327, must be considered, too. It can be difficult for companies to alter their products for specific states, so it is best to adhere to the strictest law. This is how state laws, such as CCPA, are raised to the national level. Companies should also be aware of international regulations, such as GDPR and privacy laws being developed in the U.K.
Compliance is necessary
Threats to IoT devices have always existed, but the attack surface is growing as devices become more capable and cloud networks become more interconnected. As new regulations take effect, compliance will become a major part of the work of any organization that makes IoT devices and markets them internationally. Organizations will need a compliance program and a chief compliance officer to ensure secure products.
The penalties for noncompliance will vary. States such as California, for instance, have a wide margin for determining penalties for privacy violations. Compliance will be mandatory for all companies looking to work with federal agencies or any of the corporations, institutions or other government organizations putting an equal emphasis on security.
About the author
Farbod H. Foomany is a senior technical product manager — previously, technical lead and senior security researcher — of security content research at Security Compass. He holds a bachelor’s degree and a master’s degree in electrical and computer engineering and a Ph.D. with a focus on criminological and security applications using biometrics. Foomany has been involved in academic research and industry projects in the areas of smart card Java application development, Java EE-based enterprise e-banking application development, privacy and security in software development, secure design of enterprise applications, advanced signal processing techniques in speech and sound processing, biomedical engineering, and evaluation of the social and privacy aspects of biometric identification. His most recent projects in cybersecurity include the development of security requirements for IoT devices and protocols, security of connected and autonomous cars, and privacy aspects of cloud computing.