New IoT security laws and proposals are a good start, but we need to do more

Proven vulnerability

Some of the most infamous attacks include a 2013 hack on a baby monitor, a Jeep Cherokee in 2015 (although the latter were ethical hackers), the Mirai botnet webcam attack in 2016, the first serious ransomware attacks on medical devices last year and, of course, the Equifax breach.

The financial toll of these incidents has been significant:

• In 2016, the Ponemon Institute estimated the average cost of a data breach was more than $7 million.
• The massive Equifax breach may ultimately cost the company $439 million.
• This year, Facebook experienced two spectacular security incidents. The stunning revelations sent Facebook’s stock price tumbling and CEO Mark Zuckerberg himself lost nearly $11 billion (and he had to testify in front of a Congressional panel — a must watch if you haven’t already).

These are just the consumer-facing cyberattacks, because hackers have been busy executing campaigns with potentially higher stakes. Some of the most infamous of which include the attacks on the Ukrainian energy grid, which of course could have devastating implications if someone actually is cunning enough to execute a full-on attack. Large populations of people could wind up literally powerless for days, weeks or even longer.

Earlier this year, the U.S. government accused Russia of attacks on our power plants, water and electric systems during the time leading up to our recent presidential elections. Evidence has traced activity as far back as 2011, but the strikes intensified in late 2015. A Department of Homeland Security report suggested that Russian hackers accessed critical control systems — however, no actual sabotage or system shutdowns of plant operations were recorded. Evidence suggests, however, that hackers still have the ability to shut down operations if they so choose. Whether the decision of the hackers to allow continuous operation without interruption was intentional or not is unknown. Either way, it was a clear message about the potential dangers by hackers on critical infrastructure operations.

The demonstrated vulnerability of IoT has many rattled, especially lawmakers who are increasingly pushing bills to prevent hacks, or at least to limit them.

Governance

California was the first state to pass a cybersecurity law (SB 327) that covers smart devices. According to the law, as of January 1, 2020, any manufacturer of a device that connects “directly or indirectly” to the internet must equip it with “reasonable” security features, designed to prevent unauthorized access, modification or information disclosure. It also mandates that connected devices come with unique passwords that users can change, which isn’t the case for many IoT products today.

However, the new law doesn’t address the ensuing communication that takes place between the device and the gateway and/or the cloud. That communication must be kept private to ensure data integrity and information security, which is typically implemented via the use of encrypted communications.

Still, the law is a positive defensive step aimed at providing fundamental security. If other states follow California’s lead, we could see more legislation that would obligate manufacturers to adopt device identity at the point of manufacture, offering a basic level of security that is currently absent in our current IoT environments.

In addition to the California law, the Internet of Things Cybersecurity Improvement Act, introduced by Sens. Mark R. Warner (D-Va.) and Cory Gardner (R-Colo.), would use the federal government’s buying power to boost IoT security. Under the bill, any companies that do business with the federal government would have to ensure that their connected devices are patchable, come with passwords that can be changed and are otherwise free of known security vulnerabilities. Another bill, the Securing IoT Act, would require the Federal Communications Commission to create cybersecurity standards for certifying wireless equipment.

Do more

It is encouraging that U.S. legislators are considering bills to improve security of IoT; it’s a good start. Still, we have to do more. I have found that, on the whole, most government agencies and the individuals who operate them are woefully ill-informed when it comes to technology. This was painfully evident during the April 2018 Senate hearings on a major Facebook security breach, where the personal account information of over 50 million Facebook users was exposed. Law makers, responsible for drafting legislation to protect personal data privacy, had little to no understanding of the social media platform’s basic functioning, let alone the technology behind it.

IoT professionals, myself included, recognize that IoT technology can be equally, if not more, confusing than social media. Efforts are underway to help legislators and the public gain a better understanding of IoT issues and technology in order to better manage their own data privacy and the data/device privacy and integrity of those they serve. Groups like the Industrial Internet Consortium, where GlobalSign is an active member, are working on communication aimed at clarifying the technology and issues, as well as offer potential solutions to address IoT security. One example is the Industrial Internet Security Framework (IISF). In addition, I strongly suggest interested parties to add comments to a great initiative from NIST, “Considerations for Managing IoT Cybersecurity and Privacy Risks.”

It is our hope that by publishing information that is easily digestible, and by working with legislators to more fully understand the ramifications of their legislative actions, we can all contribute to establishing and improving governance surrounding IoT security. Close collaboration will help produce laws that are informed and effective without being over-reaching, and which can effectively secure IoT from a potentially crippling attack.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.