
President Donald Trump signed the Internet of Things Cybersecurity Improvement Act into law this month, codifying what many cybersecurity experts have long begged for—increased security protection for the billions of IoT devices flooding homes and businesses.

In recent years, an array of items and household appliances have been turned into internet-connected devices, with some estimates predicting there will be 41.6 billion IoT devices in the field by 2025 and over $1 trillion spent on them by 2023.

This bill requires the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) to “take specified steps to increase cybersecurity for Internet of Things (IoT) devices.”


The explosion and expansion of IoT devices into everyday life has coincided with an increase in devastating attacks that leverage their insecurity to cause as much damage as possible, most notably seen with the Mirai botnet attacks in 2016.

Brad Ree, CTO of the ioXt Alliance, works with government organizations, manufacturers and top tech companies to create universal security standards for connected devices across product categories.

In an interview he called the law “a huge milestone for the industry” and said it was important that the public and private sector could come together and create a set of minimum security requirements.

“Though this bill is targeted at government purchases, I fully expect network operators, consumer ecosystems, and retailers to follow with similar requirements for consumer products,” he said.

Andrea Carcano and Edgard Capdevielle, respectively the co-founder and the CEO of IoT cybersecurity company Nozomi Networks, hailed the law as an important first step in ensuring that IoT device makers improve the security of their products.

The company recently released a survey that found in the first six months of this year, hackers used IoT botnets and shifting ransomware tactics as their weapons of choice for targeting IoT devices in operational networks.

“While the hard work of developing device standards hasn’t been completed, NIST involvement will help drive global adoption of IoT device security standards that we believe will go a long way toward improving overall industrial and critical infrastructure security,” Capdevielle said.

The IoT device security bill calls for the creation of standards and guidelines to manage cybersecurity risks: secure development, identity management, patching and configuration management. It also directs NIST to work with the US Department of Homeland Security, along with cybersecurity researchers and private-sector industry experts, to publish guidelines for reporting and remediating vulnerabilities.

Chloé Messdaghi, VP of strategy for Point3 Security, said the cybersecurity industry was excited about the law because it required standards for all government-procured IoT devices, which essentially mandates that all newly manufactured IoT devices will meet cybersecurity standards.

The law also forces government agencies procuring IoT devices to operate Vulnerability Disclosure Programs – something she said CISA was trying to mandate.

“Vulnerability disclosure policies are an important tool in strengthening organizational cybersecurity.”

Vdoo is a platform that uses AI to detect and fix vulnerabilities in IoT devices, and its vice president, Yaniv Nissenboim, said he expects federal agencies to quickly adopt the new set of NIST guidelines and insist on compliant products.

He also expressed hope that the law would have a trickle-down effect and force state governments to follow suit. In turn, this would force the IoT device industry to make cybersecurity a priority.

“Companies that fail to demonstrate compliance might find themselves shut out of lucrative target markets for their IoT devices at some point. We expect similar regulations and standards to emerge outside the US as well,” Nissenboim said.

Former CIA Intelligence Officer and KnowBe4’s senior vice president of cyber operations Rosa Smothers also noted that the law requires Homeland Security to revise IoT device security recommendations up to every five years as the attack surface evolves.

“In my view, the greatest potential impact of H.R. 1668 is the mandate that government contractors who develop or are vendors of IoT devices must implement a program to report vulnerabilities and remediations; since the federal government is the largest purchaser of goods in the United States, this requirement can have a beneficial ripple effect throughout the private sector,” Smothers said.

Longstanding IoT security concerns

Cybersecurity experts have long complained that IoT device makers were not doing enough, or really anything, to secure devices that could theoretically give attackers access to an entire network.

Lou Morentin, vice president of compliance and risk management at Cerberus Sentinel, said little to no thought has been given to device security, and that the technology embedded in each new iteration of these devices brought new leaps in functionality and ease of use but came with a cost.

“Because many of these IoT devices did not have any security controls, they could potentially access networks and data. Many of these devices also found their way into secure environments like the Department of Defense and healthcare, for example. The technological leaps can also cause vendors to abandon devices in favor of the latest and greatest version; this leaves many vulnerable devices in the wild. Vendors had no requirement or reason to build in security; they were selling products,” Morentin said.

“Unfortunately, this provided a gateway for malicious actors to compromise consumer and now the government and industry environments to exfiltrate data. By requiring manufacturers to require some level of security, this could help to at least slow down or, in some cases, prevent the compromise of confidential data.”

He explained that some states, like California, are attempting to require vendors to begin to have some basic security features in IoT devices. But laws at the national level will force manufacturers who want a seat at the table to build security into their devices.

Stefano De Blasi, threat researcher at Digital Shadows, said the rise of 5G would no doubt spur an even greater explosion of IoT devices. But connecting these devices to private corporate networks expands attack surfaces and potentially exposes sensitive data such as medical records, personally identifiable information, and workplace plans.

“One of the main problems with IoT security at the present is that the rush to market often de-prioritizes security measures that need to be built into our devices. This issue has made many IoT devices low-hanging fruits for criminals interested in stealing sensitive data and accessing exposed networks,” he said.

“Criminals can exploit vulnerable products by leveraging their computing power, and orchestrate massive IoT botnet campaigns to disrupt traffic on targeted services and to spread malware. Not only does this act demonstrate awareness of this crucial security issue, but it also sets an important precedent that can—and should—inspire other countries and organizations to follow.”

IoT devices are no less susceptible to security vulnerabilities than traditional web or mobile applications, said Peter Monahan, director of global solutions architecture at WhiteHat Security.

The majority of IoT applications are designed to interact with any number of APIs, which may also be equally susceptible to security weaknesses, but which are frequently developed and distributed by external third parties.

“This creates a significant challenge in summarizing the overall security posture of any particular device, depending upon its intended implementation by the federal government,” he said.

Expansion beyond government devices?

The bill was not without critics. Some experts questioned why the act was limited to only government owned or controlled devices and not the entire industry.

Terence Jackson, chief information security officer at Thycotic, said that while IoT devices used on government networks are important, legislation mandating the security of all IoT devices would have gone further in providing a more comprehensive approach to IoT device safety.

“This may in fact create increased sales for companies as they may introduce ‘Government’ grade IoT devices that will cost more. It will be interesting to see if companies improve the security of their consumer grade products as a result of this standard,” Jackson noted.

The diversity of capabilities and price points of IoT devices now puts pressure on manufacturers to rush devices to market, leading companies to often cut corners, particularly with cybersecurity, according to Chris Hazelton, director of security solutions at Lookout.

There are now hundreds of millions of devices out in the wild that only have simple default admin passwords, he explained, creating a massive attack surface for any organization that deploys and relies on these connected devices.

Hazelton noted that NIST has previously put in place guidelines for implementing mobile security for smartphones and tablets that have been adopted broadly, even outside of government, such as by professional sports teams.

The hope, he said, is that the same happens for IoT devices now that the law has been passed and signed.