Security on Internet of Things (IoT) devices saw a significant advance in December with the enactment of a federal law requiring improved security on the devices.
The bipartisan legislation, sponsored by Reps. Robin Kelly, D-Ill., and Will Hurd, R-Texas, and Sens. Mark Warner, D-Va., and Cory Gardner, R-Colo., requires that any IoT device purchased with government money meet minimum security standards. President Trump signed it into law Dec. 4.
The new law requires IoT device manufacturers to follow security standards and guidelines for any IoT device a manufacturer seeks to sell to a federal government customer. Security experts hope the standards encourage manufacturers to improve security on all their devices for sale across markets, including for high-value targets in finance and healthcare, and consumers as well.
The Act affects devices that have at least “one sensor or actuator for interacting directly with the physical world,” have at least one network (Internet) connection, and are not smartphones, tablets or laptops. Additionally, the Act covers devices that can function on their own.
The standards and guidelines manufacturers must follow are still being developed by the National Institute of Standards and Technology (NIST). It has 90 days from Trump’s signature to establish the guidelines, which are currently available in draft form for public comment.
The Act directs NIST to develop a framework for secure development, identity management, patching, and configuration management. There are also requirements for reporting security incidents and vulnerabilities to federal agency and federal contractor customers.
There are also provisions for ongoing review of the cyberthreat landscape and updating the framework as needed.
Cybersecurity experts have long complained that IoT devices with little or no security were flooding the market as consumers enjoyed the ease of checking home security footage, thermostat settings, lighting, even the balance of foods in their refrigerators.
The same concerns apply for organizations using remote access to check security cameras, printers, and access control systems.
All such devices connect to the Internet with little or no security in order to allow remote monitoring. Cybercriminals have easily taken over such devices to spy on people in private homes or to gain access to corporate networks and their business data.
You can read more about NIST’s approach to IoT devices here.