IoT Security: New US Regulation to the Rescue!
5-March | Written by Jean Loup P. G. Le Roux
The many security problems linked to the Internet of Things (IoT) is not a new subject - cybersecurity experts like me have been warning everyone about these vulnerabilities for a long time now. It seems, though, that while manufacturers have refused to heed these warnings (for the most part), legislation is now finally catching up.
The US Congress recently passed the IoT Cybersecurity Improvement Act of 2020, which provides minimum security standards for Internet of Things devices owned or controlled by the federal government. This sets a great precedent for IoT safety and more expert-driven digital regulation, as IoT hardware and other devices become increasingly intertwined with how government agencies (and the world at large) operates.
Shedding a light on critical security vulnerabilities
In an almost Shakespearean coincidence, critical infrastructure was compromised in a major hack in Florida just days ago. Sodium hydroxide (lye) was raised to dangerous levels in the water supply in the town of Oldsmar by a hacker who managed to gain access to the TeamViewer software the plant uses. From there, they somehow managed to make the jump from IT (Information Technology) to OT (Operational Technology) and it’s still unclear exactly how this happened. Though it’s not known yet whether IoT technology was directly involved in this particular breach, it still points to the incredible danger that is being introduced by the integration of more complex and connected technology into our critical infrastructure.
This event also touches on an important aspect of the danger presented by IoT technology - that the lines between all of these technologies continue to get blurrier because they work in tandem to manage critical and often complex business processes. IT traditionally handles complex data-based systems while OT is generally seen as the technology that manages hardware and machinery. IoT devices are essentially the marriage of these two areas. Not to mention the fact that IoT devices usually communicate with each other and various other systems in the network.
Many people may not be aware of this, but the federal government integrates a lot of IoT technology into its operations - and adoption is still expected to ramp up even higher. Currently, IoT technologies are being used by various federal agencies to:
Help with border control,
Control access to facilities,
Monitor and/or control equipment and systems used by agencies,
Monitor critical infrastructure such as water quality, wastewater treatment, and
Track physical assets such as vehicles.
If you’re interested to dive deeper into how the federal government is integrating IoT into its operations, this study by the US Government Accountability Office is a good place to start.
Prioritizing security via regulation is a good start
The IoT Cybersecurity Improvement Act recognizes that too many IoT devices are shipped with critical vulnerabilities as well as insufficient support for updates once they’re deployed. It also mandates that manufacturers and agencies need to follow security standards and guidelines set out by the National Institute of Standards and Technology (NIST), the Department of Homeland Security (DHS), and the Office of Management and Budget (OMB).
With the implementation of this new law, the US government is hoping to use its influence as a major buyer to change the security landscape of IoT across the board. This will likely have the desired effect because up until now, manufacturers didn’t have much of an economic incentive to implement better security protections for IoT devices. A combination of several factors is attributed to why manufacturers dropped the ball with regards to IoT security, but a lack of incentive is generally considered to be a massive influence.
Through this Act, manufacturers who hope to supply products to high-priority clients such as government facilities will have to comply with these standards first. This is a step in the right direction for IoT device security in general, provided these manufacturers decide that it’s simply more economically efficient to build these protections into all of their devices and not just those they supply to the government. The Act also sets up crucial security standards, which provides a good basis on which other nations or industries could build their own sets of rules and regulations.
Notably, the IoT Act also introduces a new standard definition for operational technology (OT): “hardware and software that detects or causes a change through the direct monitoring or control of physical devices, processes, and events in the enterprise.” Sounds a lot like what IoT devices do, doesn’t it?
What does this mean for the IoT sector?
The Chief Information Officer for the US federal government is in charge of determining the adoption and renewal of new contracts from IoT vendors and manufacturers. If they determine that these devices aren’t in line with the standards set out by NIST, then these contracts will be denied, resulting in a major loss of revenue streams for a cascade of businesses.
Following the Act, NIST was given until March 5, 2021 to publish and update security standards and guidelines for IoT use in government systems. The entity has since released the first drafts of four publications that offer recommendations for federal agencies and manufacturers.
Three of these publications (NIST Interagency Reports 8259B, 8259C and 8259D10), work together to provide manufacturers with a guide on how to meet federal agencies’ cybersecurity needs.
This includes guidelines on
Secure IoT Development;
Identity Management;
IoT Device Security Patching.
The last document (NIST Special Publication 800-213) provides recommendations to federal agencies on how to integrate IoT devices into their systems in a safe and secure way. It also provides recommendations on what security capabilities agency employees need to look for in an IoT device before integrating it into their infrastructure, as well as how to effectively manage IoT configuration and security updates.
Use with caution: regulatory intervention
Despite the many positive ripple effects we expect from this Act, caution should still be applied when it comes to the dissemination of information. Because NIST was also given until June 3, 2021 to publish guidelines for both agencies and contractors on how to report information regarding IoT security vulnerabilities, and the resolution of those vulnerabilities in a bid to increase transparency in this sector.
Yet, while having more transparency is seen as a good thing in cybersecurity circles, I am concerned that the downside to this guideline will be a greater spotlight on the vulnerabilities of IoT devices currently being used by the federal government.
Coordinated Vulnerability Disclosure (CVD) isn’t an entirely new concept within the IoT framework and there has been a lot of push from the cybersecurity community to get this more widely accepted. Essentially, CVD entails:
Having a vulnerability disclosure policy,
Implementing a proper procedure for identifying and managing vulnerabilities, and
Providing a way for the public to report vulnerabilities.
Companies like Vulnerable Things have made great strides in this area.
However, the emphasis is on how well a vulnerability report is handled by manufacturers, distributors, and users alike. The vulnerability resolution process is also a crucial step to ensuring that reports don’t create more problems than they’re supposed to solve. This is especially dangerous given the traditionally slow nature of the federal government when it comes to adopting changes on a wider scale. If newly discovered (and disclosed) vulnerabilities aren’t resolved as quickly as possible, it could work against the aims of this act by amplifying exploitable security risks to cybercriminals instead.
At this point, though, I can merely speculate on the potential risks of this order, as we’ll have to wait and see how NIST frames these guidelines to know what the reporting structure will look like.