A universe of devices and technology has fallen into our laps at a speed that organizations struggle to manage effectively. And that boom in devices shows no signs of stopping. In 2019, there were an estimated 9.9 billion Internet of Things (IoT) devices. By 2025, we expect 21.5 billion. As more information about IoT device vulnerabilities is published, the pressure on industry and government authorities to enhance security standards might be reaching a tipping point.
Last month’s passage of the IoT Cybersecurity Improvement Act of 2020 means all IoT devices used by government agencies will soon have to comply with strict NIST standards. While it’s a progressive step for the network security of the U.S. government, the standards will not apply to the IoT market at large. However, many are hopeful that this security update will trickle out to all IoT vendors and devices.
We start with the most critical information: what, if any, implications this has for the IoT universe. The draft guidelines published by NIST are still in the public comment period, so we break down what the IoT device standards will include. Lastly, we touch on the political rationale of how the landmark IoT cybersecurity legislation came to be.
Implications for IoT devices
If you’re not currently a vendor for a government agency, you might be asking how this law applies to your products or business. It won’t affect your organization in the short term, but it could ultimately become the industry standard.
The co-chairs of the Senate Cybersecurity Caucus, Sen. Mark Warner (D-VA) and Sen. Cory Gardner (R-CO), released a joint statement applauding the bipartisan passage of the bill, saying in part: “Leveraging the purchasing power of the federal government, the bill will ultimately help move the wider market for IoT devices towards greater cybersecurity.”
And there it is for IoT vendors at large; this regulation isn’t just about meeting the government contractor standard. Security standards will likely grow for all IoT devices.
Some cybersecurity analysts point to the success of the National Institute of Standards and Technology (NIST) guidelines for implementing mobile security of smartphones and tablets across the federal government and beyond. What has yet to be seen is how successful this approach will be in raising universal IoT security standards.
For non-government vendors currently in the IoT market—and therefore not affected by this law—you may start to consider adopting the NIST standards. After all, the benefit is to market your IoT product line as meeting federal compliance guidelines for security. For vendors who do take the time and resources to boost their product security, the result can also mean happier, more trusting customers and users.
Breaking Down the Bill’s Impact
For any IoT device vendors currently contracted by the government, this is what we know so far from the National Institute of Standards and Technology (NIST):
Four draft guidelines under consideration:
- SP 800-213: guidance to federal agencies for acquiring and using IoT devices
- 8259B: ensuring IoT devices contain non-technical supporting capabilities
- 8259C: profile using the IoT core and non-technical baselines guidance
- 8259D: profile using the IoT core and non-technical baselines for federal information systems
While SP 800-213 applies to federal agencies, the latter three are specific to IoT manufacturers.
In the next section, we take a more in-depth look into what NIST presents in this foundational guidance and new standards.
Coming Soon: NIST Standards
In the lead-up to the IoT Cybersecurity Improvement Act, the NIST released two core foundational documents regarding IoT device management for agencies. With the bill’s signing, NIST has the mandate to address secure development, identity management, patching, and configuration for IoT devices.
Guidance for Manufacturers
In May 2020, NIST released two documents that serve as the foundation for the newly created guidelines.
Foundational Cybersecurity Activities for IoT Device Manufacturers (8259): Targeted at manufacturers, 8259 touches on how IoT devices often lack proper cybersecurity components. Given the need for more substantial cybersecurity functionality and for better user information about vulnerabilities, this document recommends how vendors can help their customers mitigate breaches.
IoT Device Cybersecurity Capability Core Baseline (8259A): This document details the specific security components IoT devices need to support standard cybersecurity controls. To be used in conjunction with the first foundational document, the “Core Baseline” guidelines help vendors identify security capabilities for new IoT devices they manufacture, integrate, or acquire. Cybersecurity capabilities needed for potential IoT devices include:
- Device identification
- Device configuration
- Data protection
- Logical access to interfaces
- Software updates
- Cybersecurity state awareness
To Be Finalized: New Guidelines
On December 15, 2020, the NIST published the following four guidelines to offer manufacturers and federal agencies a full picture of IoT devices’ security posture.
IoT Device Cybersecurity Guidance for the Federal Government (SP 800-213): Intended for IT professionals who assess, apply, or maintain security on a federal information system, this document details IoT devices’ systems and elements; how IoT devices support safety; and the challenges they present. The document then elaborates on important considerations and defines security requirements for IoT devices and their use cases. Questions agency network administrators need to ask include:
- What is the benefit of this IoT device, and how will it be utilized?
- What data is collected?
- In what technologies will the data be stored?
- In what geographic areas will the data be shared/stored?
- With what other third parties will data from, or about, the IoT devices be shared/stored?
Once agencies have these answers, they’ll need to address the following questions about how their IoT devices interact with network applications and systems:
- Might the device interfere with other aspects of operations or system functionality?
- Would the IoT device introduce unacceptable risks to the agency, or result in non-compliance with cybersecurity requirements?
- Is the IoT device known to have had published security and/or privacy vulnerabilities?
IoT Non-Technical Supporting Capability Core Baseline (8259B): This targets IoT manufacturers and outlines required non-technical supporting capabilities. Specifically, 8259B covers the documentation for the device in question, information and query reception, information dissemination, and education on the manufacturer’s part.
- Documentation. All devices acquired will need proper documentation of common uses, lifespan, cybersecurity capabilities, IoT platforms used in the development, and maintenance requirements (e.g., patch management).
- Information and query reception. Manufacturers need to be able to receive queries related to customer information like bug reporting and respond appropriately.
- Information dissemination. Devices need the capability to receive manufacturer-delivered alerts or updates related to security. Alongside this capability, manufacturers will provide procedures for risk assessment and notification of security-related events.
- Education and awareness. This fourth requirement for non-technical supporting capabilities is a commitment by vendors to educate and create awareness among their users about the security information, considerations, and features of their IoT devices.
Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline (8259C): This second vendor-facing guideline document goes into creating profiles using the IoT device cybersecurity and non-technical supporting capability baselines. The three central concepts discussed to create that profile are device-centricity, cybersecurity focus, and minimal securability.
- Device centricity. As organizations acquire an increasing number of IoT devices, they need to become elements of the existing system.
- Cybersecurity focus. In addition to cybersecurity, use cases need to emphasize safety, privacy, reliability, resilience, and operation environment.
- Minimal securability. This concept requires that IoT devices be minimally securable, where clients can mitigate common cybersecurity risks.
Manufacturers can visualize the use case profile for the NIST baselines by completing a three-step process:
- Identify and gather source documents that apply to use cases for IoT devices.
- Determine how these documents address the three central concepts.
- Apply the three concepts to source documents to create a profile.
Profile Using the IoT Core Baseline and Non-Technical Baseline for the Federal Government (8259D): The fifth in the 8259 series serves as the presentation of the federal profile for using IoT devices. Manufacturers and organizations are encouraged to use it as a starting point for determining whether their product line supports system and organizational security goals. While previous documents mentioned a handful of broad capabilities, the federal profile includes 40 sub-capabilities for IoT devices. Some of these sub-capabilities include:
- Event identification and monitoring
- Device configuration control
- Cryptographic key management
- Audit log storage & retention
- Authentication & identity management
- Secure code execution
Purpose and passage: IoT regulation
With the boom in IoT devices, fear over vulnerabilities and insecurity has spread to organizations’ highest levels. As a result, the drive to regulate the acquisition and use of IoT devices has been a few years in the making. We look at why IoT has the spotlight, the landmark legislation, and why it received bipartisan support.
Why regulate IoT security?
Gartner defines the Internet of Things (IoT) as the network of physical objects that contain embedded technology for communication internally or externally. These internet-connected devices have found a way into every aspect of our lives and, in large part, have been an incredible innovation. However, the boom of IoT devices has also brought a creeping fear of mass vulnerabilities. IoT devices can be critical tools, ranging from smart appliances to industrial sensors, yet they often have limited security features or are challenging to patch.
A notable example cited in the debate over the legislation was the Mirai attack in October 2017. Using 61 username/password pairs that were standard defaults for IoT devices, attackers could access hundreds of thousands of unsecured IoT devices. The resulting Mirai botnet launched a massive DDoS attack that left the internet inaccessible for much of the eastern U.S. In 2018, Defense Intelligence Agency Director Robert Ashley called the exploitation of IoT devices one of the two “most important emerging cyber threats to national security.”
Landmark IoT Legislation
First introduced in March 2019, the IoT Cybersecurity Improvement Act moved through the U.S. House and Senate chambers in the fall of 2020 and was signed into law on December 4, 2020.
The seven-page bill outlines the timely importance of increased cybersecurity standards for government-used IoT devices. By empowering the NIST to develop and publish IoT security policies, the Office of Management and Budget (OMB) will ensure all government agencies adapt to the new standards. Any devices not meeting the new compliance guidelines would be prohibited for government business as soon as 2022.
Bipartisan Support for Security Enhancement
The landmark IoT legislation drew broad bipartisan support. In the U.S. House of Representatives, the bill was sponsored by Rep. Robin Kelly (D-IL) and Rep. Will Hurd (R-TX) and passed by a voice vote. In the Senate, the measure passed by unanimous consent.
During the debate, Congressman Kelly noted that this legislation “aims to address supply chain risk to the Federal Government stemming from insecure IoT devices. By establishing light-touch, minimum security requirements for procurement of connected devices by the government, this bill has two main focuses: ensuring the government is purchasing secure devices and resolving critical vulnerabilities to existing devices.”
Congressman Hurd added, “If our security practices for using the Internet of Things does not evolve as our use of it grows, then we will find out how innovative criminals, hackers, and hostile foreign governments can be… We can take advantage of technology before it takes advantage of us.”
Long-term: IoT guidelines will be precedent
It’s just a matter of time. With the flood of IoT devices upon our homes and organizations, increased demands on security surrounding IoT are inevitable. The U.S. government’s decision to act on internal IoT vulnerabilities is a step in the right direction for network security. For the time being, it is impossible to say how quickly the broader market of IoT vendors will adapt to NIST’s standards. Rest assured, market demand for more robust security will eventually push organizations to meet this new precedent for all IoT devices.