The Internet of Things promises a lot to companies of all types: better management of resources, better data analytics, far better insights into customer behavior, and more efficient business and operational processes.
But IoT security remains a nagging and growing issue that isn’t going to go away any time soon. It seems like every day a new IoT-related security law comes up, painting the picture of a world on the verge of a new cybersecurity crisis not unlike the one brought on by the explosive growth of the Internet.
IoT attacks increased 600% from 2016 to 2017. IoT security risks are particularly high in industries dealing with sensitive information, such as healthcare. Research firm Vanson Bourne reported that among 232 healthcare organizations they surveyed, 82% had experienced an IoT-focused cyber attack in the past year.
Companies and cyber security firms are scrambling to find the best ways to address securing an IoT ecosystem, including the development of new security protocols like microsegmentation, which allows companies to create secure zones in data centers and cloud deployments so that workloads can be isolated and individually secured.
Governments, as well, both local and federal, are stepping in with a plethora of new legislative efforts aimed at forcing organizations to shore up their IoT-based technology or face stiff fines.
Here’s a quick rundown of the most important of these new laws, followed by a quick explainer of what you as a company can do to comply with these laws and secure your IoT ecosystems.
The U.S. Internet of Things Cybersecurity Improvement Act of 2019
This brand new legislation from the United States Senate proposes to “leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices.” It was introduced by Sens. Mark R. Warner (D-Va.) and Cory Gardner (R-Colo.), co-chairs of the Senate Cybersecurity Caucus, along with Sens. Maggie Hassan (D-N.H.) and Steve Daines (R-Mont.).
At the same time the IoT Cybersecurity Improvement Act of 2019 was introduced, Reps. Robin Kelly (D-Ill.) and Will Hurd (R-Texas) along with 13 co-sponsors, floated a companion bill, H.R.1668, in the House of Representatives.
The press release accompanying the Senate bill’s introduction stated that the Internet of Things “is expected to include over 20 billion devices by 2020. While these devices and the data they collect and transmit present enormous benefits to consumers and industry, the relative insecurity of many devices presents enormous challenges. Sometimes shipped with factory-set, hardcoded passwords and oftentimes unable to be updated or patched, IoT devices can represent a weak point in a network’s security, leaving the rest of the network vulnerable to attack.”
The bill would encourage IoT manufacturers to build devices that are ‘secure by design’, meaning they have security features built into them from the beginning. It would achieve this
through the National Institute of Standards and Technology (NIST), which would put forth recommendations around secure development, identity management, patching, and configuration management for IoT devices and require that any internet-connected device purchased by the federal government comply with these recommendations. The bill would also require all contractors and vendors providing IoT devices to the U.S. government to disclose if a vulnerability is uncovered.
New UK IoT Security Laws
The UK and Singapore recently partnered to promote ‘Security by Default’ in both countries.
According to the official statement: “Both nations will adopt a multilateral approach by working with our partners, both internationally and regionally, including industry and consumer groups, to promote the implementation of good practice as set out in the relevant industry global standards. Implementing clear good practice principles from industry across all their consumer IoT devices will result in citizens and the wider economy is made safer and more secure whilst using their products.”
The UK also released a ‘Secure by Design” code of practice in October 2018. The code posits three key security requirements for IoT device manufacturers, required them to: 1. Create unique passwords for every device that cannot be reset to a universal factory setting; 2. Provide a public point of contact for the sake of vulnerability disclosures; and 3. Explicitly state the minimum length of time that a device will continue to receive security updates as part of an ‘end of life policy.’
California’s IoT Security Mandate
In September 2018 California became the first U.S. state to pass an IoT security bill. The bill, which goes into effect Jan. 1, 2020, requires all Internet-connected or "smart" devices offered for sale in California have "reasonable" security features that "protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure."
Critics of the bill say it’s too vague. Supporters say it goes far enough and given the size of California’s economy it will have a ripple effect on the rest of the country.
Internet of Things Security — What You Can Do
Clearly, IoT security is now top of mind not just for smart home and smart device owners but also for smart device manufacturers, brands, and retailers. The various ways hackers and cyber criminals can exploit IoT technology is extremely broad and scarily spread out. But if you’re a company looking to step into the smart home or IoT space, there are certain things you can do to ensure your devices are safe and compliant:
1. Use only “certified” vendors
That is, use only IoT ecosystem vendors whose devices and technology have they key security certifications, such as FCC, CE, and REACH. Their devices and technology should be fully compliant will all the key data regulations worldwide, or you will be asking for trouble by partnering with them.
2. Use advanced encryption
Make sure your IoT partners use advanced encryption techniques for their device ecosystems. This means using encryption technology like HTTPS, AES, and WAN. It’s even better if they have authentication to ensure data isolation, virtual device protection, and dynamic keys.
3. Test, test and re-test
IoT security issues don’t just come out of the blue—they happen because a hacker found an exploitable surface. Running security tests for IoT source code is key to preventing IoT-related cyber attacks.
There are myriad other things companies can do to ensure IoT security, but the above three ways are certainly the core of any good IoT security strategy. Remember—these new laws are coming out to protect you, the company, and their recommendations will help you, your IoT ecosystems, and your customers stay safe.