New IoT Cybersecurity Improvement Act: Creating a Floor For IoT Security?

The new law provides security guidelines for new devices and may curb some IoT vulnerabilities. But it’s no panacea.
  • Written by Evan Schuman
  • 2nd February 2021
  • The new IoT Cybersecurity Improvement Act signals that the government will take IoT security more seriously in future.
  • While the act specifies requirements for new devices, there are billions of existing devices already in the field.
  • There is still a range of prevalent shadow-IT practices and other behaviors that the act does not address.

In December 2020, when President Donald Trump signed the new IoT cybersecurity bill into law, it signaled that the government wants to take IoT security seriously.

The IoT Cybersecurity Improvement Act doesn’t specify requirements, other than instructing the National Institute of Standards and Technology (NIST) to do so, and to do so by March. The act applies to any IoT device purchased with government money. In addition to establishing new mandatory minimum security standards for these devices, the bill requires that these standards and policies be updated at least once every five years.

Technically, the law covers only government agency purchases. But in reality, private-sector companies will likely have to adhere to the new law as well.

“This is the start of the path,” said Evan Wolff, the co-chair of the privacy and cybersecurity group at the Crowell & Moring law firm. “They are saying, ‘Let’s have NIST be an impartial party that understands what good security is.’” He suggested that enterprise CISOs should consider trying to participate in the NIST process.

Wolff said that he wants NIST to recommend a “clear standard [for] patching and maintenance. Not a time period, but a regular patching regime.”

With IoT Cybersecurity Improvement Act, Only Some Improvement

Various experts stressed that the law will almost certainly affect only new IoT purchases, leaving a security vacuum for existing devices, along with devices purchased before the government guidelines kick in or, more precisely, before vendors start delivering devices that comply with the new standard.

Arun DeSouza, the CISO for $4 billion auto-parts manufacturer Nexteer Automotive, said that he thinks most enterprises have even weaker IoT security procedures than the government. If true, that means that a government standard could significantly improve private-sector IoT security.

“IoT today is a Wild West and nobody cares, except maybe California. I don’t think that most companies have an IoT security standard. That means that they will likely piggyback on something very solid,” DeSouza said. “Nobody has thought it through. Whatever NIST is going to [recommend] will be a big improvement.”

There is a range of other challenges to keeping IoT devices secure. The number of IoT devices that IT and security departments do not know about (and this goes far beyond shadow IT) has grown during the pandemic, with consumer-grade IoT devices flooding many remote sites. Few of these sites create different LANs for corporate equipment and communications and home devices, which makes a remote site an easy back door for IoT attackers. In the area of patching, many IoT units have their own communications capabilities (small antennae) that allow them to download patches and potential malware without IT or security departments’ knowledge.

Peter McLaughlin, partner at Culhane Meadows law firm, said that he hopes the new law will at least force everyone to address the basics. “For enterprise IT and CISOs, the federal requirement will force some attention on establishing non-generic credentials for each device on the network.”

What will remain a challenge for those installing these systems is to uphold strong password and credential practices for any number of devices on a network, McLaughlin said. “For those organizations that use a framework for their systems other than NIST, such as ISO 27001 or HITRUST for example, be sure to document the fact of the work and map the relevant NIST controls to those that you have applied.”

Will the IoT Cybersecurity Improvement Act Discourage Bad Behavior?

Charles Edge, the chief technology officer for venture capital firm Bootstrappers, sees the new law backing up CISOs who have wanted to improve IoT security for years.

“It will likely dissuade the use of devices coming in through shadow IT channels such as non-IT departments ordering devices such as voice assistants without taking into account whether they are approved for use on networks,” Edge said. “Fingerprinting for those vendors is simple in a standard LAN or wireless network and so I could see that becoming a requirement. The rollout of public 5G networks could cause some headaches there, so technology similar to rogue access point detection may be required.”

Edge spoke of a large enterprise whose IoT he was involved in a few years ago.

“My contact … was late on the second day, and I sat in the lobby for an hour waiting for him to get started. So he gave me a badge that provided access to the unmonitored server room I was in. He casually mentioned that [the badge belonged to a former employee], but he gave it out because he couldn’t just sit in the server room hovering over contractors and badging them into the room every time they needed to [go in and out],” Edge said. “The point is, people do what they do. We can try to capture the bad behaviors and protect against them and limit the exposure by controlling access. But the weakest link is always with the humans.”

 
