Last week, a bipartisan group from the US Senate Cybersecurity Caucus proposed a new piece of legislation called the “Internet of Things Cybersecurity Improvement Act of 2017.” While the bill has yet to be enacted, it places a much sharper focus on securing the billions of devices that will be given network and internet connectivity over the next few years.
CSS is strongly in favor of this legislation. While we're pleased to see strategy and dollars allocated towards increased IoT security in certain industry segments such as automotive, medical, and the industrial internet, in most cases weak security practices outnumber the strong. There are far too many IoT scenarios where vendors are simply not motivated to spend extra time or money to make the devices more secure, and where consumers do not see value in paying for the additional security. The Mirai botnet is a prime example of the ramifications of this problem. And where normal free-market dynamics aren’t leading to proper security measures being taken, legislation may become the only option in certain market segments.
For those that haven’t read the legislation, here are a few quick facts, based on my reading of the bill:
What devices does it cover?
This bill only covers Internet-connected devices purchased by Federal agencies. However, there will likely be some collateral impact to consumer and private-sector devices as well, because many devices would be purchased by both public- and private-sector organizations. In addition, federal legislation of this kind can serve as a template for future regulation in more specific areas.
What requirements are placed on IoT devices?
The primary provisions that the bill lays out are pretty straightforward:
- Devices should not contain known security vulnerabilities or defects.
- Devices must be capable of being securely updated, in a timely fashion, with authorized patches from the vendor. This is, of course, a necessity for meeting item #1 as new vulnerabilities are discovered. Verifying that an update actually comes from the vendor (and not just that it arrived) is an area where IoT implementers have fallen short in the past.
- Devices should use only industry-standard protocols and technologies for encryption, authentication, and communications.
- Devices should not contain hard-coded administrative credentials. This should be a no-brainer, but has probably been the single-biggest cause of IoT “horror stories” so far.
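The second and fourth requirements above come down to the same on-device check: before installing anything, the device must be able to prove the update was authorized by the vendor, and the only secret involved must stay with the vendor. The following is an added illustration (not code from the bill, from CSS, or from any particular vendor) of what "authorized patches" means in practice: the vendor signs a small manifest (version plus image hash) with an Ed25519 private key, the device carries only the matching public key, and it refuses images whose signature fails, whose hash does not match, or whose version is not newer than what is installed. The manifest layout and version-counter rule are assumptions chosen for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdateManifest is the metadata a vendor ships alongside a firmware image.
// Layout is an assumption for this example: the signature covers Version||ImageHash.
type UpdateManifest struct {
	Version   uint32   // monotonically increasing firmware version
	ImageHash [32]byte // SHA-256 of the firmware image
	Signature []byte   // Ed25519 signature over manifestBytes(Version, ImageHash)
}

// manifestBytes is the canonical byte string that gets signed and verified.
func manifestBytes(version uint32, hash [32]byte) []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], version)
	copy(buf[4:], hash[:])
	return buf
}

// SignUpdate is the vendor-side step: hash the image and sign the manifest.
// The private key never leaves the vendor's build/signing infrastructure.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) UpdateManifest {
	h := sha256.Sum256(image)
	sig := ed25519.Sign(priv, manifestBytes(version, h))
	return UpdateManifest{Version: version, ImageHash: h, Signature: sig}
}

// Device models the on-device state: the vendor's *public* key provisioned at
// manufacture (a verification key, not a credential) and the installed version.
type Device struct {
	VendorPub        ed25519.PublicKey
	InstalledVersion uint32
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrHashMismatch = errors.New("image hash does not match manifest")
	ErrRollback     = errors.New("update version not newer than installed")
)

// ApplyUpdate performs the three checks a device needs before installing:
// authentic manifest, image matches manifest, and no downgrade/replay.
func (d *Device) ApplyUpdate(m UpdateManifest, image []byte) error {
	if !ed25519.Verify(d.VendorPub, manifestBytes(m.Version, m.ImageHash), m.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrHashMismatch
	}
	if m.Version <= d.InstalledVersion {
		return ErrRollback
	}
	d.InstalledVersion = m.Version // only now is the image committed
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dev := &Device{VendorPub: pub, InstalledVersion: 1}

	image := []byte("constructed firmware image v2") // constructed sample payload
	m := SignUpdate(priv, 2, image)
	fmt.Println("genuine update:      ", dev.ApplyUpdate(m, image))

	tampered := append([]byte{}, image...)
	tampered[0] ^= 0xff
	fmt.Println("tampered image:      ", dev.ApplyUpdate(m, tampered))

	fmt.Println("replayed old version:", dev.ApplyUpdate(m, image))
}
```

Two design points worth noting. The device holds only a public key, so nothing on the device can be extracted and reused to authorize updates elsewhere, which is exactly the property a hard-coded administrative credential lacks. And the version check is what turns "signed" into "authorized in a timely fashion": without it, a genuinely signed but older image containing a since-fixed vulnerability could be reinstalled.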
Does every device have to meet these requirements?
No. The bill does account for devices with “severely limited” functionality, and even allows non-compliant devices to be purchased, as long as additional security controls are put in place that reach a similar level of security.
The bill also sets up the beginnings of a security ecosystem around IoT devices, with provisions such as:
- Identifying roles for 3rd-party contractors who can audit devices against the standards,
- Protections for white-hat security researchers who try to find weaknesses in devices and notify the vendors,
- Guidelines for vendors on timely disclosure and patching of vulnerabilities when they are discovered.
All of these provisions are sensible, and in many ways mirror the manner in which more conventional software security analysis and patching has been handled for quite some time. For now, this bill is simply a small but good first step. And anything that brings more attention to improving IoT security is a good thing.