Update: The president signed the Internet of Things Cybersecurity Improvement Act of 2020 into law on December 4, 2020.
A new security bill is awaiting signature by President Trump. It directs the National Institute of Standards and Technology (NIST) to create minimum IoT security standards for devices owned or controlled by the U.S. government. The standards will include use and management of IoT devices, as well as coordinated disclosure of vulnerabilities.
Let’s take a look at how the security bill will benefit organizations that use IoT devices.
Bringing (Some) Order to IoT Device Security Chaos
The lack of security standards has been an issue since IoT devices became popular a decade ago, with their widespread usage outpacing the industry’s ability to agree on how to protect them.
The failure to agree hasn’t been for lack of trying. For the last few years, several industry and government groups created standards to improve interoperability and security of IoT devices, including:
- Cloud Security Alliance (CSA)
- Groupe Spéciale Mobile Association’s (GSMA)
- IEEE Standards Association
- ioXt Alliance
- IoT Security Foundation
- Open Web Application Security Project (OWASP)
- U.S. Department of Homeland Security
In spite of these groups’ efforts, there hasn’t been sufficient incentive for the industry to align around a single set of standards. The result has been a patchwork of guidelines that address only some aspects of IoT device security.
For example, the European Union Agency for Cybersecurity (ENISA) performed a gap analysis on the existing standards related to IoT security and found that “…it is possible to deliver a device to the market that can authenticate its user, that can encrypt data it transmits, that can decrypt data it receives, that can deliver or verify the proof of integrity, but which will still be insecure.”
The current lack of standards on IoT vulnerability reporting and handling means that vendors aren’t under any obligation to disclose or remediate vulnerabilities, leaving millions of vulnerable devices at risk of exploit.
Why This Time Feels Different
This new effort will likely succeed where previous industry efforts have failed, because it’s being carried out on behalf of a customer with very deep pockets – the U.S. government. Although the bill only applies to devices purchased or managed by the government, its purchasing power will provide a powerful incentive for manufacturers to adopt the standards.
Additionally, the U.S. Congress failed to pass two IoT cybersecurity bills in the last session. This bill shifted the focus to the establishment of standards by NIST and gained approval by both the House and Senate.
The Standards Being Developed for IoT Risk and Vulnerabilities
The IoT device security bill calls out four particular areas for the creation of standards and guidelines to manage cybersecurity risks:
- Secure development
- Identity management
- Patching
- Configuration management
It also directs NIST to work with the U.S. Department of Homeland Security, along with “cybersecurity researchers and private-sector industry experts” to publish guidelines for reporting and remediating vulnerabilities. The guidelines will also need to align with “industry best practices” and widely adopted IT standards ISO 29147 (vulnerability disclosure) and 30111 (vulnerability handling).
If you’re curious about NIST’s Cybersecurity for IoT Program, you can review the related standards and provide feedback on proposed standards here.
Waiting for the President’s Signature
All that remains for the IoT device security bill to become law is for the U.S President to sign it. The U.S. Senate unanimously passed it in late November (I admit that I found it hard to believe that this august body could collectively agree on a topic as complex as IoT security standards, but that’s a conversation for another day) after the U.S. House of Representatives passed an identical bill earlier this year.
Risks for IoT Devices in OT
Here are three examples of risks that IoT devices present in OT environments:
Malware: As highlighted in the OT/IoT Security Report webinar, the Nozomi Networks Labs team identified several strains of malware that targeted IoT devices in the first half of 2020, including the Mirai and Dark Nexus botnets. Bad actors are finding success with malware thanks to:
- Rapid growth in the number of IoT devices deployed in OT
- Insecure deployment of IoT devices that are directly accessible through the internet
- Lack of security updates for many IoT devices. This leaves devices vulnerable to common (non-zero-day) exploits by threat actors
- Lack of visibility into IoT device security posture experienced by many asset owners
Vulnerabilities: Palo Alto Networks’ Unit 42 reported that “57% of IoT devices are vulnerable to medium- or high-severity attacks, making IoT the low-hanging fruit for attackers.”
Common Mistakes: OWASP created the OWASP IoT Top 10. It lists the top ten things to avoid when building, deploying, or managing IoT systems, highlighting common mistakes that organizations make when deploying IoT devices.
How to Mitigate the Risks
In spite of the lack of standards, you can still reduce the risks posed by IoT devices in your environment.
Find a visibility and security solution that enables you to:
- See all OT and IoT devices connected to your network and their behavior, for better awareness
- Detect cyber threats, vulnerabilities, risks and anomalies for faster response
- Unify security, visibility and monitoring across all your assets for improved resiliency
The industrial strength Nozomi Networks security solution, including Guardian and our Central Management Console, can help. It combines asset discovery, network visualization, vulnerability assessment, risk monitoring and threat detection in a single solution.
Looking further ahead, the volume of IoT devices expected to be deployed in the next few years will likely overwhelm any on-premises monitoring technology and disrupt your ability to secure your network. Nozomi Networks’ Vantage product can help you address that challenge as well. It leverages the power of SaaS, scaling to protect any number of devices in any number of locations, with a single application.
A Big Step Forward for IoT Security
While the hard work of developing device standards hasn’t been completed, and the bill hasn’t yet been signed into law, this development is a major step forward for IoT security. NIST has been adopted by thousands of organizations, not just in the U.S., but worldwide. A global adoption of IoT device security standards will go a long way towards improving overall industrial and critical infrastructure security.