Reports estimate more than 35 billion IoT devices will be deployed by the end of 2021. While these devices often provide great benefits and conveniences, they can also represent little-understood security exposures and risk. As the flood of these devices continues to connect to homes and businesses around the world, little is being done to ensure that consistent standards and controls are being applied to this new technology. Now the U.S. government is taking steps to help ensure that at least the devices it purchases and deploys will have minimum baseline controls.
On December 4, 2020, the U.S. president signed into law the IoT Cybersecurity Improvement Act of 2020 (H.R. 1668), a bipartisan bill that will establish minimum security requirements for IoT devices used by the federal government. The passage of the legislation is encouraging news to those who have wanted to see broader steps taken to facilitate IoT device safeguards, which in many cases have been sorely lacking.
As the initial step in the process, the National Institute of Standards and Technology (NIST) issued a draft of proposed standards on December 15. Importantly, while the act regulates IoT devices that the federal government uses, we believe the IoT cybersecurity standards will become the baseline for manufacturers, sellers and buyers of IoT devices in the private sector. In fact, in a press release announcing the passage of the act by the Senate, two of the bill’s primary sponsors stated that their goal was to leverage “the purchasing power of the federal government . . . [to] ultimately help move the wider market for IoT devices towards greater cybersecurity.”
Here are some additional details about what comes next and what the new law means for the IoT device sector:
The act charges NIST to issue “standards and guidelines” by March 4, 2021 for the “appropriate use and management” of IoT devices owned or controlled by the federal government. (The standards will essentially update nonbinding IoT cybersecurity recommendations that NIST issued to manufacturers in May 2020.) The guidelines are to include “minimum information security requirements for managing cybersecurity risks” associated with the devices. NIST’s initial draft covers three areas: IoT Non-Technical Supporting Core Capability Baseline (Draft NISTIR 8259B), Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline (Draft NISTIR 8259C), and Profile Using the IoT Core Baseline and Non-Technical Baseline for the Federal Government (Draft NISTIR 8259D).
The act requires the director of NIST to ensure that possible security vulnerabilities for IoT devices are understood. It also instructs the director to consider the management of IoT device security vulnerabilities as well as the secure development, identity management, patching and configuration management of the devices. The Office of Management and Budget is tasked with reviewing agency information security policies and principles no later than 180 days after NIST issues its standards, and federal government acquisition standards will be required to adhere to the guidelines.
Additionally, within 180 days after the act’s passage, the director of NIST must develop a vulnerability disclosure process with specific guidelines for:
- the reporting, coordinating, publishing and receiving of information about security vulnerabilities,
- the resolution of such security vulnerabilities,
- receiving information about a potential security vulnerability, and
- disseminating information about the resolution of a security vulnerability.
The act also provides a waiver process to exempt IoT devices from the standards. Waivers could be awarded if a government agency’s CIO determines that it is in the interest of national security, that it is necessary to procure or use a device for research, or that the device is secured by effective alternative methods. NIST standards may provide more detail on the exception process.
What This Means
The new standards will require IoT device manufacturers that do business with the federal government to increase the level of security in their products. But as the government adopts the new standards, corporate and individual buyers in the private sector will very likely assess whether an IoT device qualifies for federal use when making purchasing decisions. In addition to establishing a security vulnerability disclosure process, device makers should emphasize certain procedures and policies. These include:
- Ensuring that devices possess unique credential/authentication mechanisms (usernames, passwords and keys, to name a few)
- Adhering to secure coding practices in the development of device firmware and software, including performing secure code reviews and dynamic application testing
- Confirming that a device’s communication methods are secure and employ an appropriate level of encryption for the transfer of data
- Verifying the security of software or firmware update processes
- Ensuring that sensitive data stored on the device is properly safeguarded.
The new law indicates that IoT device security is moving in the right direction, and NIST’s initial draft is only the first step in what will be a months-long effort. The draft leaves room for improvement, however, and Protiviti believes that the private sector’s participation in the process is critical to establishing a minimum security baseline that ultimately will benefit the entire embedded systems technology market. Protiviti is keeping close watch on the proceedings and milestones and will continue to provide guidance as more information becomes available.