Poor security of Internet of Things has led the US Federal Government to (again) consider legislation to force makers of IoT devices to improve security.
And the proposed bill comes on the heels of industry concern that IoT attacks against the US power grid are increasingly common and threaten public safety.
This week a bipartisan group of four US senators introduced the “Internet of Things (IoT) Cybersecurity Improvement Act of 2019.” An earlier version of an IoT security bill, introduced in 2017, went basically nowhere.
The new bill is described by Legaltech News as a narrower approach to the topic, directing the National Institute of Standards and Technology (NIST) to focus on standards that ensure the security of IOT devices in four key areas:
While the bill specifically addresses IoT devices to be purchased and deployed by the US government, industry observers quoted by Legaltech say this approach may result in stronger security across IoT devices industrywide.
Furthermore, the involvement of NIST in driving security standards may give this bill a better chance of advancing than the 2017 version, legal experts told the publication.
The proposed federal legislations also follows the US’s first state law focused on IoT security, California’s IoT security law put into place last year. That law drew criticism from some in the security industry – with some observers saying it is too prescriptive, and others saying it does not go far enough.
Critical Infrastructure Under Attack?
The legislation follows industry speculation that we may be in the midst of widespread and successful IoT attacks against the US power grid and other critical infrastructure.
Puri cites a list of five power outages affecting major US airports in 2017 and 2018 that disrupted travel, as well reports of attacks on US power plants and other facilities.
While there may not be crystal clear evidence that these outages all stem from cyberattacks, Puri gives details on the tools and techniques by which power grid demand can be manipulated by attackers who have taken control of compromised IoT devices.
“So, bringing down our essential electric grid may be made easier with all of our new interconnected devices,” Puri writes. “That’s how asymmetrical warfare works in the first place.”
The Stick Replaces the Carrot
Whether or not the power grid outages can be attributed to attacks, the point that IoT security is bad and getting worse is underscored by the fact that legislators are moved to action.
Many in the IT security industry have been waving warning flags about IoT security for many years.
But IoT device makers apparently keep bringing to market products that are not secure … and security industry experts say the manufacturers just don’t seem to care.
“My experience with almost every single IoT supplier we have ever disclosed (a vulnerability) to – and we have done two to three disclosures per week for the past four years — is that they simply ignore us, nothing happens and they carry on selling their product, profiting out of making people vulnerable.”
Arguably, the IoT industry is going through the growing pains of a maturing technology market. First releases and first deployments are focused on getting the stuff working and in customer hands — foundational functionality, real-world use cases, etc.
Security often logically lags such basic market needs. Computer viruses — and the need to stop them — did not become an issue until enough personal computers had been deployed and connected to networks.
But the federal government stepping in to regulate and mandate how an industry’s products behave is a sign of an industry that is not adequately self-policing, either through market forces or its own standards.
Put another way, it seems like a good differentiation strategy to bring to market a demonstrably more secure product. That’s the “carrot” — the benefit of a more successful product — that should entice the IoT device makers to produce more secure products.
But if customers don’t care or don’t understand the security risks, then there is no market incentive for an IoT device maker to worry about giving them more secure products.
PCI DSS for the IoT?
In some industries, security is enough of a concern that a global standard has emerged, not enforced by any one government, but by the industry itself.
A prime example is the Payment Card Industry Data Security Standard (PCI DSS), which was established by credit card companies and their technology suppliers to strengthen the security of credit cards and how payments are processed. The standard is followed globally by pretty much any technology maker who wants their products to be bought and deployed for credit card payments.
And certainly the idea of creating a PCI DSS for the IoT has long been proposed and discussed in the industry.
Plus bodies like the Secure Technology Alliance IoT Security Council have made great strides in promoting security best practices, providing input to NIST’s information gathering about IoT security, and similar advances.
The question is how much the industry will really listen and begin to adopt these security best practices.
Or will the “carrot” of more secure and successful products be replaced by “the stick” of government regulation and federal mandates?
Making & Maintaining More Secure IoT
Our customers and partners have implemented the industry’s best practices for designing secure products, monitoring vulnerabilities and managing patches throughout their IoT product lifecycles.
Our TRST Device Security Solutions enable device makers to produce products that are more secure by design and that stay secure via our Security Vulnerability and Patch Notification service.
Contact us today to learn more.
Timesys has extensive experience with embedded system development and lifecycle management. Timesys has been instrumental in working with global leader semiconductor manufacturers with smart, quick and quality solutions for highly complex systems with accelerated product innovation and multiple product variants.