While a variety of highly visible newsworthy events were occurring during 2020, a critical advancement in the world of cybersecurity quietly passed through the House and Senate to be signed into law. The Internet of Things Cybersecurity Improvement Act of 2020 was signed by the president on December 4, 2020. It requires all internet of things (IoT) devices owned or controlled by the government to meet specific minimum security standards. This includes devices purchased with government money.
The IoT bill was passed by the House of Representatives in September and unanimously approved by the Senate in mid-November to be signed by the president in early December, making the route to existence look deceptively easy. In reality, over three years of bipartisan efforts went into creating the IoT bill. Early drafts were littered with waivers and loopholes that eliminated the bill’s potential effectiveness. These versions never made it to the Senate floor.
During a year when a bipartisan agreement seems like a feat in itself, the unanimous passing of the bill could have likely gone either way, but growing threats pointed to the dangers of leaving the risks unaddressed. In the nearly four years since the bill was introduced, the IoT has more than quadrupled in growth and has been introduced to homes and a variety of industry settings. With no sign of IoT growth slowing down, ignoring security concerns is like leaving the door to many types of sensitive information wide open.
While minimal security for one group of devices might seem like a small advancement, it provides a powerful step toward a secure future. There’s no doubt the internet of things is rapidly growing and will continue to do so with the implementation and spread of 5G connectivity. The IoT makes daily life more efficient and productive and provides crucial advancements in certain industries, but explosive technological growth isn’t without considerable risks. When manufacturers are pushed to market at such a rapid rate, security becomes an afterthought. It’s considered an expensive add-on that delays progress. Still, IoT devices have the same security vulnerabilities as all other connected devices. Furthermore, these devices are designed to interact with wireless networks and a variety of connected devices that house sensitive data. Leaving these devices susceptible to security weaknesses can potentially provide a point of vulnerability in entire networks.
It’s true that the IoT bill isn’t a comprehensive solution for all the potential vulnerabilities of IoT devices, but it’s a step in the right direction. Setting security standards for government-issued devices provides a framework that manufacturers for commercial products will likely follow. Certain provisions in the IoT bill have the potential to speed up this natural progression as well.
To understand the importance of the IoT Cybersecurity Improvement Act, it’s important to get a thorough understanding of the scope of the internet of things and the potential risks that exist.
What is the Internet of Things?
The internet of things (IoT) is a term used to describe objects (things) that are embedded with the technology to connect and exchange data with other devices and systems through the internet. While many people are familiar with the term and have a vague definition of devices that fall into the category, it’s rare to understand the full scope of objects that use the technology and how it actually works.
Typically, when you think of things that are connected to the internet, your devices with a screen and keyboard come to mind. These devices don’t fall under the IoT umbrella. Instead, the IoT describes the growing number of electronics that aren’t computing devices but are connected to the internet to send and receive data. This covers an enormous group of things used in homes, vehicles, and a variety of vastly different industries. Most often, IoT devices have no screen or keyboard and communicate information with little or no human interaction.
For many people, a smart home is a quick fix explanation for IoT devices. While it’s accurate, it barely scratches the surface of the sheer volume of items that use the technology. For instance, many people use smart light fixtures and energy-saving appliances that use sensors to detect and relay temperature or share other information, though these individuals wouldn’t consider the home a “smart home.” Devices in the IoT category range so widely in use that it’s practically impossible to recognize the full scope. For instance, fitness trackers are IoT devices, but so are some pacemakers and automated vehicles that move products in warehouses.
In the same way that computers, the internet, and smartphones have changed the way people connect with the world, the IoT shows promise to provide even more advanced connections and a more streamlined, convenient lifestyle. However, like all computing devices, IoT devices need security to prevent them from becoming more of a danger than a productive, useful tool.
4 Ways IoT Devices Can Pose Cybersecurity Risks
Although devices like thermostats and fitness trackers likely have little need for security standards, many IoT devices are connected to an organization’s entire network. This spells danger for any facility required to store sensitive information. If a device has inadequate security, it can provide hackers with an entry point and the potential to move laterally within a network to introduce malware or DDoS attacks. These are some of the most common reasons IoT devices present security issues.
- Hardcoded passwords that aren’t changed after purchase: These passwords are used on a large scale and once they’re disclosed, can provide widespread access to many networks.
- Devices with the inability to update: Running outdated versions of technology eliminates the ability to patch vulnerabilities and also leave these vulnerabilities exposed.
- Communication between devices: IoT devices can communicate with each other across secure network connections without human intervention, potentially allowing insecure endpoints to expose sensitive data.
- Lack of privacy protection: Many IoT devices collect and store user’s personal information to complete a process. This personal information can be compromised if weak security measures are bypassed.
The weaknesses found in IoT devices have the potential to be exploited on a large level. The Mirai DDoS botnet attack is the clearest illustration of these capabilities. In fact, it may have been the proof that prompted the acceptance of the IoT bill.
A Summary of the IoT Cybersecurity Improvement Act
A clear definition of the scope of IoT devices makes it easier to see why security is such a big deal. When you consider the implications of medical devices giving hackers an entrance into the sensitive data of an entire hospital, you may wonder why these measures weren’t introduced several years ago. Unfortunately, in the world of cybersecurity, a threat often has to be realized before security measures are taken. Now, that we are becoming more aware of the potential security threats of IoT devices, security standards are beginning to take place. While the IoT Cybersecurity Improvement Act isn’t a complete solution, it provides the following security standards.
- Requirements for the National Institute of the Standards of Security (NIST) to publish standards and guidelines for the use and management of IoT devices owned or controlled by the federal government, including minimum security requirements for managing cybersecurity risks
- Requirements for the Office of Management and Business (OMB) and the Department of Homeland Security (DHS) to review the federal information security policies based on NIST security guidelines and make changes to comply with NIST recommendations
- The security standards will be reviewed and revised as necessary every five years by NIST, and OMB policies will be updated to reflect new NIST guidelines
- Requirements for NIST to publish guidelines for IoT vendors to report security vulnerabilities upon discovery and the resolutions of these vulnerabilities when they’re developed
- Requirements for OMB and DHS to develop and implement policies for reporting security vulnerabilities based on NIST guidelines
- Agencies are prohibited from procuring or using IoT devices that don’t comply with NIST guidelines
What It Really Means
The Internet of Things Cybersecurity Improvement Act of 2020 begins by defining IoT devices covered by the bill. The official definition describes IoT devices as physical objects equipped with at least one sensor or actuator for physical interaction and at least one network interface that can function on their own without acting as a component of another device. Not surprisingly, IT devices like smartphones, computers, and laptops are excluded. Also excluded are devices needed for national security and those required for research.
Instead of creating specific security for government IoT devices, the bill appointed NIST to create the framework and standards for IoT vendors and users. This isn’t surprising since it provides a fluid system that can keep up with the changes that constantly occur in technology growth. Still, NIST compliance requirements send an important message that suggests the requirements will be adopted across the spectrum of IoT devices.
NIST standards have long provided the security framework for federal agencies and businesses in a variety of industries. Maintaining NIST compliance provides industries with a common language that allows them to keep up with federal, state, and local compliance laws. It also provides vendors with an essential standard of manufacturing and consumers with a safety net when making purchases that could compromise sensitive information. Although the current bill only requires NIST compliance within federal agencies, vendors producing IoT devices are likely to adopt these standards for all devices instead of creating multiple versions of the same product.
Receiving and Disclosing Security Vulnerabilities
Besides creating minimum standards for IoT cybersecurity, NIST is tasked with outlining guidelines for a system to report potential security vulnerabilities and the resolutions to these risks. This development addresses some of the biggest security issues that plague IoT devices. Since vendors will be required to provide solutions for potential cybersecurity risks, IoT devices will likely be developed with the ability to update for better security measures and with provisions to apply patches as needed.
While the details haven’t been disclosed yet, it’s likely vendors will have to establish programs to receive information about potential security risks and publicize the solutions for these vulnerabilities. The ability to share this information provides widespread protection for all agencies, companies, and individuals using a product.
Since the bill only applies to government devices, these disclosures could present new challenges for the private sector. As security vulnerabilities are made public, hackers and other cybercriminals could have an opportunity to exploit this information. While vulnerabilities will be addressed immediately within federal agencies, hackers may use this new information to target private and business sectors. There’s little doubt that vendors are aware of this potential, and it could lead to stronger security measures to be applied automatically to new IoT devices designed for the private sector as well.
Alternate and Effective Methods
While the IoT bill doesn’t provide a complete solution, it’s the only legislature to provide security regulations for IoT devices. While each part provides early steps for infrastructure to complete IoT security, a provision in section 7 creates an interesting burden for providers of IoT devices. After providing waivers related to national security and research, Section 7 (c) waives devices “secured using alternate and effective methods appropriate to the function of the device.”
While the bill doesn’t provide specific language that defines alternate methods, it could suggest that the burden of security testing and identifying security vulnerabilities will ultimately fall to the vendors of IoT devices. This would likely require the introduction of third party testing that includes assessing the risks for connected software. These additional requirements would likely provide added incentive for all IoT devices to meet NIST compliance standards throughout the development process.
Security measures are most effective when applied quickly, and the IoT bill has created a series of deadlines for the requirements to take effect. Here’s how quickly you can expect action to take place on the new requirements.
- March 5, 2021 marks the 90 days provided for NIST to develop and publish security standards for IoT devices.
- June 3, 2021 marks the 180 days provided for NIST to develop and publish guidelines for receiving and reporting potential security vulnerabilities of IoT devices used by federal agencies.
- September 5, 2021 marks the six-month window provided for OMB and DHS to review, revise, and implement the minimum security standards outlined by NIST.
- December 5, 2022 marks the two-year deadline provided by the bill which prohibits federal agencies to enter or renew a contract involving IoT devices that aren’t compliant with the NIST security standards and guidelines. It also marks the deadline provided for OMB and DHS to implement the policies defined by NIST to address security vulnerabilities.
One of the most notable things about the IoT cybersecurity improvement bill is the fact that it only covers IoT devices purchased and used by the federal government. While this isn’t ideal, it’s an effective way to get the right security measures in the door. The U.S. government’s purchasing power creates a powerful incentive for vendors of IoT devices to develop all devices in compliance with the guidelines outlined by NIST. Although business and personal IoT devices aren’t included in the bill, it’s likely these items will organically follow the same path.
Applying Security in High-Risk Industries
While it’s clear the IoT bill doesn’t immediately affect personal IoT devices or those used in many business industries, the implications are murky for some industries that receive federal funding. Healthcare facilities and higher education institutions are heavily affected by cybersecurity risks, malware, and potential DDoS attacks. Many of these organizations also fall under a variety of federal agencies and could be subject to the new compliance regulations immediately.
Federally Funded Hospitals
Federal hospitals are those that are run and funded by the federal government. Veteran’s Administration (VA), Department of Defense (DOD), and the Department of Health and Human Services (DHHS) run federally funded hospitals. These hospitals follow compliance requirements for both federal agencies and hospitals. However, many other hospitals and healthcare facilities are funded by federal government agencies and likely will be impacted by government regulations.
While IoT devices have provided a variety of personal conveniences for consumers, the implications for these devices in the healthcare field have exploded. During the midst of a global pandemic when remote access to healthcare has become a necessity in practically every area, these devices have provided essential care that might have otherwise been impossible. Unfortunately, healthcare facilities aren’t immune to cyberattacks and IoT devices have the potential to provide new vulnerabilities. If the new regulations are immediately observed in healthcare facilities, many of these vulnerabilities will be addressed.
Higher Education Institutions
Colleges and universities handle tremendous amounts of academic data and sensitive personal and financial information of thousands of students and faculty members. They also have massive networks that are easily accessible to students and staff. This makes these institutions a prime target for cyberattacks.
Classrooms in K-12 schools and higher education institutions have been taking advantage of the learning opportunities and convenience provided by mobile devices for decades. Personal and school-provided devices are connecting to education networks both in the classroom and at home. The virtual learning landscape introduced by restrictions related to the COVID-19 pandemic amplified this use exponentially. Educational environments are also accustomed to the use of IoT devices. However, certain malware attacks target IoT devices like printers, routers, IP cameras, and personal devices.
Colleges and universities are prime spots for the use of IoT devices. Innovations in technology provide students with convenient living upgrades, assisted public travel, and new learning opportunities. One program even implemented a system that allows students to link to printers or projectors simply by snapping a smartphone picture of the device. This also provides a wealth of devices with potential security vulnerabilities for hackers to exploit.
Higher education institutions fall under a variety of government regulations designed to protect both schools and financial institutions. They have also been subject to other NIST federal compliance regulations. Historically, higher education institutions have been required to follow federal compliance regulations based on federal funding and interaction with the Department of Education (ED). For instance, FERPA and PPRA apply to schools that receive funds or are under an applicable program of ED. However, GLBA compliance is mandated for schools that receive federal funding. Based on past compliance regulations for colleges and universities, it seems likely these institutions will fall under the IoT compliance bill.
Preparing for IoT Compliance
If you’re responsible for cybersecurity in any organization that receives federal funding, you’ll likely be directly affected by the IoT bill. While this means a variety of industries are subject to additional compliance regulations and potentially cumbersome procedures to maintain them, it speeds up the complete implementation of overall IoT cybersecurity improvements. Although it’s impossible to predict the exact safety measures NIST will provide for IoT vendors, it is possible to start enacting certain safety measures to help propel a smooth transition. During the months leading to the reveal of new regulations, prepare your organization with these steps.
- Establish a policy to define who is allowed to introduce new devices to the system and the types of devices that can be used.
- Educate users. Everyone, from students in colleges and universities to employees in a variety of industries, can appreciate the convenience supplied by new technology. All users should be educated about the potential risks of these devices.
- Strengthen Security. Cybersecurity is a massive undertaking that requires immense amounts of data to be categorized and translated into digestible information. Investing in analytics and monitoring tools can provide security solutions that are impossible to implement manually.
BitLyft Cybersecurity is an experienced cybersecurity organization with extensive experience working with the intense demands of cybersecurity compliance for a variety of industries. Higher education systems, manufacturing industries, and financial services are often subject to stringent compliance regulations that can lead to serious consequences when unobserved. It’s our goal to provide customized cybersecurity systems to organizations to make NIST compliance and all security regulations a simple process that grows with your company. Get in touch to learn how we can help you prepare for the regulations of the 2020 IoT bill.