US Congress’ proposed IoT security requirements: A balancing act

IoT security requirements proposed in the US Senate aim to minimize the risk posed by connected devices. But the bill’s potential impact on the industry is a matter of debate. 
  • Written by Brian Buntz
  • 14th August 2017

The Internet of Things poses a hydra-headed security threat. On the one hand, there’s a plethora of applications, devices, communication protocols, software and hardware. And on the other, there’s the variability in security practices across IoT vendors, some of which don’t require end users to follow basic security measures. 

Recent legislation proposed by Senators Mark Warner (D-Va.) and Cory Gardner (R-Colo.), known as the Internet of Things Cybersecurity Improvement Act of 2017, aims to address these challenges by establishing baseline IoT security requirements for IoT technology sold to the federal government. The proposal mandates that IoT vendors serving the government offer products that are patchable and use standard protocols, and stipulates that those products must not use hardcoded passwords or ship with known security vulnerabilities. It further asks vendors to offer long-term patching and security support for the devices. Finally, the legislation would require government agencies to keep an inventory of their IoT devices.

Not prescriptive enough, too rigid or just right?

While the proposed law has faced a mixed reaction in the security community, most experts view the legislation as a step in the right direction. For instance, Bruce Schneier, fellow at Harvard Kennedy School of Government, explained in a statement that he applauds “Senator Warner and his co-sponsors for nudging the market in the right direction by establishing thorough, yet flexible, security requirements for connected devices purchased by the government.” Similarly, Bob Noel, director of marketing and strategic partnerships at Plixer International, said: “I think there are some fundamental elements of this legislation that are fantastic. It is raising awareness, and it is creating some degree of standards for vendors who today aren’t accountable even for basic security missteps.”

Other experts praised the intent of the proposed IoT security requirements while noting that the problem of IoT security will require careful planning to address. “Something will have to be done about this pending [IoT] security crisis,” said Kenneth Geers, Ph.D., a senior research scientist at Comodo Group and a NATO Cyber Centre ambassador, acknowledging that regulation is an important part of the IoT security puzzle. In the end, though, regulation may only be part of the solution, he said. “The government must try a variety of measures, including regulation, business incentives, fines and more money for education.” 


While praising the intent behind the proposal, Craig Spiezle, chairman emeritus and founder of the Online Trust Alliance (OTA), wishes the legislation had a broader vision and clearer requirements. “Good legislation could apply not just to the federal government, but to state and local levels of government as well, and that would hopefully raise the bar for everyone,” explained Spiezle, who is also a strategic board adviser to the Internet Society. The proposed IoT security requirements are lightweight, Spiezle said. “If I had the pen, I would have more requirements on, for instance, how the devices collect data.” Spiezle would also like to see a mandate for responsible vulnerability disclosures that guides how end users and third parties report IoT security problems. The proposal also should have a more prescriptive approach to encouraging good password hygiene, he said. While the legislation correctly points out the risk of hard-coded passwords, it would be better if it forced users to create a unique password on the first use, he said. In addition, multifactor authentication and algorithms to detect abnormal sign-ins could also be helpful security strategies for some IoT devices.
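To make the two credential points above concrete (the bill's ban on hardcoded passwords, and Spiezle's suggestions of a unique password set on first use plus detection of abnormal sign-ins), here is an added Python model of a device's admin login. It is illustrative code written for this page, not code from the article, the bill or any vendor; the 12-character minimum, the five-failure lockout, the blocklist of common defaults and the "alert on a new source address" rule are assumptions chosen for the example, and the alert list stands in for whatever syslog or SIEM feed a real device would use.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for the example: defaults that a vendor might ship
# or that an owner might pick; a real blocklist would be much larger.
COMMON_DEFAULTS = {"admin", "password", "12345678", "root", "1234567890", "default"}

# The pattern the bill would prohibit: one secret baked into every unit's firmware.
HARDCODED_ADMIN_PASSWORD = "admin"


def insecure_login(password: str) -> bool:
    """Vulnerable form: anyone who extracts the firmware (or reads the manual) owns every unit."""
    return password == HARDCODED_ADMIN_PASSWORD


class PolicyError(ValueError):
    """Raised when a proposed password violates the first-use policy."""


def _hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    # Salted PBKDF2 so a dumped credential store does not reveal the password directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class DeviceAuth:
    """Hardened form: no admin credential exists until the owner sets one on first use."""

    def __init__(self, serial: str, lockout_threshold: int = 5, lockout_seconds: int = 300):
        self.serial = serial                      # printed on the label, so it must not seed the password
        self.lockout_threshold = lockout_threshold  # assumption: 5 failures
        self.lockout_seconds = lockout_seconds      # assumption: 5 minutes
        self._salt = None
        self._hash = None
        self._failures = 0
        self._locked_until = 0.0
        self._known_sources = set()               # addresses that have logged in successfully before
        self.alerts = []                          # (timestamp, message); stands in for a syslog/SIEM feed

    def credential_set(self) -> bool:
        return self._hash is not None

    def _validate(self, password: str) -> None:
        if len(password) < 12:
            raise PolicyError("password must be at least 12 characters")
        if password.lower() in COMMON_DEFAULTS:
            raise PolicyError("password is a well-known default")
        if self.serial.lower() in password.lower():
            raise PolicyError("password must not be derived from the printed serial number")

    def set_initial_password(self, password: str) -> None:
        """First-use setup: the only way a credential comes into existence."""
        if self.credential_set():
            raise PolicyError("credential already set; use change_password with the old one")
        self._validate(password)
        self._salt = secrets.token_bytes(16)
        self._hash = _hash_password(password, self._salt)

    def change_password(self, old: str, new: str, source_ip: str, now: float) -> bool:
        if not self.login(old, source_ip, now):
            return False
        self._validate(new)
        self._salt = secrets.token_bytes(16)
        self._hash = _hash_password(new, self._salt)
        return True

    def login(self, password: str, source_ip: str, now: float) -> bool:
        """Returns True on success; records lockouts and new-source sign-ins as alerts."""
        if not self.credential_set():
            # Nothing to authenticate against: only the setup flow is available yet.
            self.alerts.append((now, f"login attempt from {source_ip} before credential setup"))
            return False
        if now < self._locked_until:
            self.alerts.append((now, f"login from {source_ip} rejected: locked out"))
            return False
        if self._locked_until:
            # Lockout has expired: start the failure count afresh.
            self._locked_until = 0.0
            self._failures = 0
        ok = hmac.compare_digest(self._hash, _hash_password(password, self._salt))
        if not ok:
            self._failures += 1
            if self._failures >= self.lockout_threshold:
                self._locked_until = now + self.lockout_seconds
                self.alerts.append((now, f"{self._failures} failures (last from {source_ip}); "
                                         f"locked for {self.lockout_seconds}s"))
            return False
        self._failures = 0
        # Abnormal sign-in signal: first success establishes the baseline, later new sources are flagged.
        if self._known_sources and source_ip not in self._known_sources:
            self.alerts.append((now, f"successful login from new source {source_ip}"))
        self._known_sources.add(source_ip)
        return True
```

The contrast worth noting is that `insecure_login` is correct code for a wrong design: the secret is identical on every unit and the device cannot tell its owner from an attacker. `DeviceAuth` moves the decision to the owner at first use, refuses the weak choices the article's experts single out, and emits the signals (lockout, sign-in from an unfamiliar address) that an agency keeping the inventory the bill mandates would want to collect.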

A broad framework for confronting vulnerabilities

The Internet of Things Cybersecurity Improvement Act of 2017 broadly focuses on “federal procurement of connected devices,” demanding a certain amount of interpretation from legal and security experts. Given the impossibility of creating an absolutely secure IoT device, the guidance that connected devices not contain “known vulnerabilities” would leave room for interpretation. “I think they meant ‘no known critical vulnerability,’” Spiezle said. “When automobile companies ship a car with a known safety defect, they are held accountable.” The same principle should apply to IoT devices, he reasoned. “Every software product is going to ship with some kind of a bug,” he acknowledged. “But once you identify and classify that bug, it becomes a vulnerability that a manufacturer can address. What this law is trying to do is to stop companies from rushing IoT products to the market without fully testing them.”

Noel agreed that the broad-based policy against security vulnerabilities is better than a narrow one, in that it would encourage the industry to come to a consensus and make improvements over time. “I don’t think tightening up the language is the right way to go,” Noel said. “Technology moves faster than regulation, so it is difficult to be precise here.”

The thorny subject of IoT security economics

The selling point of IoT for government and enterprise has been its potential to drive efficiency and performance of a selected application. Increased regulation could chip away at these benefits unless it considers the intricacies of how IoT influences the economy, said Peter Tran, RSA’s Advanced Cyber Defense general manager and senior director. “In broad strokes, the proposed legislation is a step in the right direction, but it could stand to be a heavy counterweight to IoT’s core promise of driving quality of living and economic engagement.”

In any event, it is challenging for a bill written at this stage of the IoT adoption cycle to provide a fundamental improvement in IoT security at large. Legislation needs to be flexible to accommodate the growth trajectory of the technology while also acknowledging the numerous devices already in use, Tran said. “We are not talking about a bunch of novelty toys that need to be reined in for safety reasons,” he explained. “There are already billions of IoT devices that don’t have a foundational security standard. Forcing a ‘clean bill of IoT security’ could force IoT into a tailspin. You do want to drive safety and security but, at the same time, continue to cultivate the innovation, diversity and growth to the market that can have high degrees of interdependencies across a multitude of cross-functional industries.”

Nitin Kumar, senior managing director at FTI Consulting, agreed that legislation like this could add costs to IoT technology, but said he doesn't think it would slow adoption. "Fundamentally, IoT business models are based on the assumption that hardware is commoditized," he said. The selling point for IoT hardware is often that it will be "subsidized or funded by software, services, analytics, advertising and so forth," he reasoned.

While it is possible that the legislation’s focus on government procurement of IoT devices could lead some vendors to create separate products for government and non-government buyers, most vendors serving both will likely improve the security of their entire product line.

“Yes, some vendors will establish separate product lines and divisions for governments. This happens today in many companies,” Kumar said. “People working in those divisions need to adhere to a different standard of physical and digital security.”

Noel is more optimistic that the legislation will improve security across the IoT landscape. “I don’t think it would make sense for a manufacturer of an IoT device to bifurcate their product unless it dramatically changes their cost model,” Noel said. “In most cases, I see this as forcing pretty much everybody to up their game.” The one possible exception is that vendors that sell to the enterprise but not the government could try to compete against vendors that cater to both groups. Such vendors could hypothetically prioritize time to market and the price point of their products over security.

But deprioritizing security could be a losing strategy in the long run, as it could invite attacks that do unprecedented damage, which might ultimately stall IoT adoption. “We are not just talking about normal internet security here,” Spiezle said. “IoT devices can pose physical security risks.”
