From home alarms like Google Nest to robot personal assistants like Alexa, the increasing dependence on WiFi connectivity in everyday appliances opens up many opportunities for hackers. Industries and governments have grappled with how to increase cyber security in a way that can keep up with this burgeoning trend.
The bipartisan IoT Cybersecurity Improvement Act was signed early last December and is a step in the right direction for IoT cybersecurity. The act establishes minimum cybersecurity standards for all IoT devices that are controlled by the US government. The bill addresses how these devices are used, managed and serviced, and provides a streamlined system for reporting vulnerabilities.
The National Institute of Standards and Technology (NIST) played an important part in this new legislation, providing the standards on which it is based. The bill only applies to devices purchased or managed by the U.S. government. However, the large purchasing power of the American government will provide a huge incentive for manufacturers to adopt similar standards for all IoT devices across the board.
Why the IoT is more at risk
This new piece of legislation came at the end of a year that saw a huge surge in cyber crime, mostly due to the coronavirus pandemic. Over 80% of organizations reported an increase in hacking incidents last year, with financial damage due to cyber crime set to hit an estimated $6 trillion in 2021.
This last year in particular, health care organizations, pharmaceutical companies and patients alike were targeted by sophisticated cybercriminals from around the world. Medical professions especially have been disproportionately affected by the vulnerabilities in the IoT sphere, since many medical devices now rely on internet connectivity for a variety of purposes.
The very recent attack on software company SolarWinds exposes the cyber security risk within government agencies, with over 18,000 users affected by the malware installed in the software. This attack demonstrates how a hacking incident can lead to a supply chain disruption with the capacity to affect large segments of the population.
Everyday users of the internet have been lulled into a sense of safety while browsing, and many have no problem shopping and banking online. For most users, simply knowing that a shopping website is PCI-DSS certified to ensure a secure credit card transaction is enough to indicate that the site is safe for entering their financial information.
It is true that PCI certification can make the transfer of online data more secure. To name a couple of measures, it requires end-to-end encryption of cardholder data and firewalls that block unknown entities from attempting to access that data in the first place. Businesses and vendors that likewise rely on PCI-DSS certification for their IoT devices can greatly reduce the likelihood of having customer or business data compromised, but ensuring complete security just isn’t that simple.
The IoT Cybersecurity Improvement Act of 2020
The IoT Cybersecurity Improvement Act of 2020 contains many provisions that will encourage a more uniform and secure way of deploying IoT devices in the future. The act covers the development, management, configuring, and patching of IoT devices, ensuring that cybersecurity remains a focus throughout the entire life cycle of a new IoT device.
The rapidly growing popularity of IoT devices means that sometimes devices are rushed into production with the goal of selling as many as possible as soon as possible, often at the price of overlooked security. In this scenario, vulnerabilities may not be discovered until the device is in widespread circulation. At this point, many companies may choose not to address the weak areas in their device, to avoid affecting sales or alerting would-be hackers to potential opportunities.
One way companies and organizations can avoid this is to release their devices and applications using Dynamic Application Security Testing (DAST) tools, which constantly scan and test IoT device applications for vulnerabilities while they are running. As Cloud Defense notes, this is effective because it uses the exact same methods that a cybercriminal would normally use to identify vulnerabilities.
Similar in approach, the IoT Cybersecurity Improvement Act mandates that all contractors and subcontractors involved in government projects report new vulnerabilities and resolve them as they arise. This level of transparency will ensure that the government is fully informed regarding risks and can hone this legislation to better fit the future digitalized world. NIST, for example, is required to update its guidelines every five years to keep pace with the rapid developments in this industry.
IoT and the cloud
During the coronavirus lockdowns of 2020, organizations began to rely more heavily on remote work. Companies that never had work from home policies previously had to quickly make sure remote workers had all the tools they needed to complete their professional tasks at home.
The advantages of cloud computing quickly became apparent, especially for those organizations with remote workers who did not previously have a home office set up. The ability to store and share documents and tools online and access them from any computer or phone connected to WiFi became indispensable to the remote work culture.
According to Toronto-based IT expert and software developer Gary Stevens of Hosting Canada, the word “cloud” might not generate images of ironclad security, but in reality it’s actually a fairly secure method of transferring data – provided you’re using a laptop or smartphone.
As Stevens points out: “Cloud storage is the primary means of storing our data online, so it’s imperative that your storage provider be safe from hackers and malicious software, but still easy-to-use and accessible from any device. Thankfully, this issue has been addressed by several cloud hosting companies who’ve made security their utmost priority, and thus became the preferred choice for businesses which also value data security and privacy.”
Unfortunately, cloud-based smart home appliances are quite the opposite. The IoT gadgets found in many homes are very vulnerable to hacks, some of which have been the subject of fascinating headlines in the past year, including hackers gaining the ability to turn the lights on or off, or in some instances even to hear what is going on in a home via vulnerable smart home devices.
These are just a few of the more shocking examples of vulnerabilities seen in IoT devices in the past few years that have illustrated the need for stronger security protocols such as those the Cybersecurity Improvement Act provides.
Too little, too late?
The IoT Cybersecurity Improvement Act will certainly improve cybersecurity among IoT devices, but this is just a small step towards a more secure digital future. It does not address security breaches that occurred in the past or new vulnerabilities that may be exploited in the future, as it is focused only on government devices. It is, however, an important movement in the right direction as society continues to grapple with the dangers and risks of digital life.