The US government just reduced its IoT attack surface; private sector should step up

The president recently signed into law the Internet of Things (IoT) Cybersecurity Improvement Act, which will boost the security of connected devices used in federal agencies by requiring that they meet a baseline of security standards. While the law only applies to IoT devices sold to the federal government, it will influence international standards and ultimately impact devices sold to private industry. Given the tsunami of IoT security issues organizations face, this will be a finger in the proverbial dam until security measures are adopted across industries and geographies.

This law has been three years in the making, and in that time vulnerabilities in IoT devices have piled up, and attacks have accelerated. Research from Independent Security Evaluators released last year found that vulnerabilities discovered in IoT devices had doubled over the past six years. Palo Alto Networks researchers estimated that more than half of IoT devices are vulnerable to medium- or high-severity attacks, creating a “ticking time bomb” in environments. F-Secure found that attacks on IoT devices rose 300 percent last year.

Until now, the IoT industry has had little to no incentive to ensure that the products they ship to customers — federal or otherwise — are secure. So, devices are deployed by the thousands with simple default passwords and unsecure default security configurations that customers don’t know how to (or bother to) change. Because of their limited storage and computing power, and the “walled off” nature of their design, most IoT devices can’t house security software, like anti-virus and other software that protects laptops and other endpoints. Many devices can’t be updated with security patches, or updates are delayed due to supply chain issues. Because of this, these devices are sitting ducks for cyberattacks.

The new law addresses much of that. It requires baseline security standards for IoT devices that will be established by the National Institute of Standards and Technology (NIST) for development, managing authentication and authorizations, configuration and patching. It requires device manufacturers to follow NIST-developed vulnerability disclosure policies. This is crucial because now many device makers have no system for researchers to report security issues to them, let alone the internal program and processes required to address such disclosures.

It’s unclear what those specific NIST standards will be, but they are expected to be comprehensive based on the “NISTIR 8259 Foundational Cybersecurity Activities for IoT Device Manufacturers” that were finalized by NIST and its Information Technology Laboratory (ITL) in May of this year.

We can expect to see requirements for device makers to compile transparent hardware and software inventories, deliver standardized and accessible event logging, and enable integrated identity/key management, standardized configuration management, and centralized vulnerability remediation capabilities. This is, of course, in addition to the need for a formal, staffed responsible disclosure program.

While the new federal law only applies to U.S. government technology contracts, there are efforts by other governments to address the failings of IoT device security. California passed its IoT security law in 2018 and Oregon’s law came in 2019. Similar legislation is pending in the UK, as well. 

Though these regulations apply to subsets of manufacturers servicing specific sets of customers (e.g. U.S. Federal Government), the positive impacts will be observed by all sectors and industries. It is true that some devices are being specifically sold to government agencies and not available to the larger market, but the majority of devices on the market are available to — and used by — both private and public sectors around the globe. In fact, many of the same devices are being used in our homes as well.

The U.S. law is a much-needed first step to providing baseline security protection for the millions of IoT devices our society relies on.

These standards will take years before they become tangible; it takes time for legacy devices to either be brought up to code or replaced.

Device manufacturers shouldn’t wait for the market effects to roll through the industry. They should be proactive and make efforts now to adopt the security standards modeled in the new law. In fact, manufacturers that have yet to begin reviewing NIST’s “Foundational Cybersecurity Activities for IoT Device Manufacturers” recommendations should start with such an effort.

All devices, regardless of whether they are used by government agencies, enterprises or consumers, should be protected. Though it will take time, these regulations truly mark the turning point in regard to IoT risk management responsibilities finally being shared by device manufacturers instead of lying squarely with enterprises and their providers.

Curtis Simpson is the chief information security officer at Armis Security, an IoT security company. He previously served as vice president and global chief information security officer at Sysco, a Fortune 54 corporation.