By Evan Schuman

In December 2020, when President Donald Trump signed the new IoT cybersecurity bill into law, it signaled that the government wants to take IoT security seriously.

The IoT Cybersecurity Improvement Act doesn’t specify requirements, other than instructing National Institute of Standards and Technology to do so — and to do so by March. The act applies to any IoT device purchased with government money. In addition to establishing new mandatory minimum security standards for these devices, the bill requires that these standards and policies be updated at least once every five years.

Technically, the law covers only government agency purchases. But in reality, private-sector companies will likely have to adhere to the new law as well.

“This is the start of the path,’” said Evan Wolff, the co-chair of the privacy and cybersecurity group at the Crowell & Moring law firm. “They are saying, ‘Let’s have NIST be an impartial party that understands what good security is.” He suggested that enterprise CISOs should consider trying to participate in the NIST process.

Wolff said that he wants NIST to recommend a “clear standard [for] patching and maintenance. Not a time period, but a regular patching regime.”

With IoT Cybersecurity Improvement Act, Only Some Improvement

Various experts stressed that the law will almost certainly affect only new IoT purchases, leaving a security vacuum for existing devices, along with devices purchased before the government guidelines kick in or, more precisely, once vendors start delivering devices that comply with the new standard.

Arun DeSouza, the CISO for $4 billion auto-parts manufacturer Nexteer Automotive, said that he thinks most enterprises have even weaker IoT security procedures than the government. If true, that means that a government standard could significantly improve private-sector IoT security.

“IoT today is a Wild West and nobody cares, except maybe California. I don’t think that most companies have an IoT security standard. That means that they will likely piggyback on something very solid,” DeSouza said. “Nobody has thought it through. Whatever NIST is going to [recommend] will be a big improvement.”

There are a range of other challenges to keeping IoT devices secure. The number of IoT devices that IT and security departments do not know about (and this goes far beyond shadow IT) has grown during the pandemic, with consumer-grade IoT devices flooding many remote sites. Few of these sites create different LANs for corporate equipment and communications and home devices, which makes a remote site an easy back door for IoT attackers. In the area of patching, many IoT units have their own communications capabilities (small antennae) that allow them to download patches and potential malware without IT or security departments’ knowledge.

Peter McLaughlin, partner at Culhane Meadows law firm, said that he hopes the new law will at least force everyone to address the basics. “For enterprise IT and CISOs, the federal requirement will force some attention on establishing non-generic credentials for each device on the network.

What will remain a challenge for those installing these systems is to uphold strong password and credential practices for any number of devices on a network, McLaughlin said. “For those organizations that use a framework for their systems other than NIST, such as ISO 27001 or HITRUST for example, be sure to document the fact of the work and map the relevant NIST controls to those that you have applied.”

Will the IoT Cybersecurity Improvement Act Discourage Bad Behavior?

Charles Edge, the chief technology officer for venture capital firm Bootstrappers, sees the new law backing up CISOs who have wanted to improve IoT security for years.

“It will likely dissuade the use of devices coming in through shadow IT channels such as non-IT departments ordering devices such as voice assistants without taking into account whether they are approved for use on networks,” Edge said. “Fingerprinting for those vendors is simple in a standard LAN or wireless network and so I could see that becoming a requirement. The rollout of public 5G networks could cause some headaches there, so technology similar to rogue access point detection may be required.”

Edge spoke of a large enterprise whose IOT he was involved in a few years ago.

“My contact … was late on the second day, and I sat in the lobby for an hour waiting for him to get started. So he gave me a badge that provided access to the unmonitored server room I was in. He casually mentioned that [the badge belonged to a former employee], but he gave it out because he couldn’t just sit in the server room hovering over contractors and badging them into the room every time they needed to [go in and out],” Edge said. “The point is, people do what they do. We can try to capture the bad behaviors and protect against them and limit the exposure by controlling access. But the weakest link is always with the humans.”