IOT Cybersecurity is Now Law
Cybersecurity appears to be rare common ground between increasingly combative political parties. On December 4, 2020, President Trump signed into law the “Internet of Things Cybersecurity Improvement Act of 2020” (“IOT-CIA”). The act enjoyed bipartisan support for using the power of the government to push the security of IOT devices. The law requires the federal executive branch to meet certain minimum requirements when using IOT devices and requires agencies to purchase only IOT devices that meet these minimum standards.
IOT Devices in General
The Internet is becoming more and more crowded with IOT devices. There are an estimated 127 IOT devices being added to the Internet every second!
IOT devices are generally any device that can transmit data across the Internet automatically, without any human or manual intervention. Devices that fall under this category include consumer items such as thermostats, security cameras, or light switches; commercial items such as healthcare devices, monitoring systems, or GPS devices; and industrial items such as control systems for manufacturing or delivery systems. Each of these devices can transmit and receive data and can be controlled by remote users, including hackers.
As IOT devices gained prevalence, the processes they control also grew in complexity; however, this also means that hackers have potential access to those same complex processes and systems. As the level of responsibility given to IOT devices has risen, so has the possible damage from hacking, hastening the need to secure these devices.
For many years IOT devices came pre-programmed with known root usernames and passwords. There are webpages full of default usernames for things like printers, routers, cameras, DVRs, and other smart machines. Studies over the years have shown that the final users or consumers often do not change the default usernames or passwords. Combine this with the fact that hackers can use automated scripts to scan for and log into such devices, and what we’re left with is a ready-made cybersecurity event waiting to happen.
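The default-credential problem described above is something a defender can audit for before an attacker does. The following is an added example, not code from the article or from any agency or vendor it mentions: it walks a device inventory and flags any device whose credentials still match the vendor default for its model, or that uses a common or very short password. The vendor names, models, default-credential table, and inventory rows are all constructed for illustration; a real deployment would populate the table from vendor documentation for the models actually in the fleet.

```python
"""Audit an IoT device inventory for vendor-default or weak credentials.

Added example; not part of the original article. All vendors, models,
default credentials and inventory rows below are constructed.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed vendor-default credential table keyed by (vendor, model),
# both lower-cased. Each value is the set of (username, password) pairs
# the device ships with. Hypothetical vendors and models.
DEFAULT_CREDENTIALS: Dict[Tuple[str, str], Set[Tuple[str, str]]] = {
    ("acme", "cam-100"): {("admin", "admin"), ("admin", "1234")},
    ("acme", "dvr-8"): {("root", "root")},
    ("globex", "printer-x"): {("admin", "")},
}

# Short constructed list of passwords too common to count as a real change.
COMMON_PASSWORDS: Set[str] = {"password", "123456", "admin", "12345678", "qwerty"}

MIN_PASSWORD_LENGTH = 12


@dataclass(frozen=True)
class Finding:
    """One problem found on one device."""
    device_id: str
    reason: str


def check_device(vendor: str, model: str, username: str, password: str) -> List[str]:
    """Return the list of reasons a device's credentials are unacceptable.

    An empty list means the credentials passed every check.
    """
    reasons: List[str] = []
    key = (vendor.lower(), model.lower())
    # Exact match against the shipped defaults for this model.
    if (username, password) in DEFAULT_CREDENTIALS.get(key, set()):
        reasons.append("vendor default credentials")
    # Changed from the default, but to something on every wordlist.
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("common password")
    # Too short to resist automated guessing (includes the empty password).
    if len(password) < MIN_PASSWORD_LENGTH:
        reasons.append(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    return reasons


def audit_inventory(csv_text: str) -> List[Finding]:
    """Run check_device over every row of a CSV inventory export.

    Expected columns: device_id, vendor, model, username, password.
    """
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for reason in check_device(row["vendor"], row["model"],
                                   row["username"], row["password"]):
            findings.append(Finding(row["device_id"], reason))
    return findings


# Constructed inventory: two devices still on defaults or weak passwords,
# two that were properly re-provisioned.
SAMPLE_INVENTORY = """device_id,vendor,model,username,password
cam-lobby,Acme,CAM-100,admin,admin
dvr-1,Acme,DVR-8,root,Tr0ub4dor&3-long-phrase
printer-3,Globex,Printer-X,admin,
cam-dock,Acme,CAM-100,operator,Correct-Horse-Battery-Staple
"""


if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_INVENTORY):
        print(f"{finding.device_id}: {finding.reason}")
```

In practice the comparison belongs inside the provisioning or configuration-management system that sets the credentials, so that the check runs at deployment time and no plaintext password export has to exist; the CSV here is only a stand-in for that data source. The same structure extends naturally to the configuration-management and patching controls the act asks NIST to standardize, since a per-model table of "what the device shipped with" is also the baseline against which firmware versions and exposed services can be compared.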
NIST Requirements and Guidelines
The IOT-CIA requires the National Institute of Standards and Technology (“NIST”) to create a set of standards for the use and management of IOT devices within 90 days. These standards will address possible security vulnerabilities, management of devices, secure development, identity management, patching, and configuration management. They will also govern how any agency, contractor, or subcontractor reports, coordinates, publishes, and receives information about vulnerabilities and their resolutions.
Once the standards are defined by NIST, the Director of OMB will have 180 days to publish guidelines for agencies that use or control IOT devices (except for national security systems); agencies will then be prohibited from procuring, obtaining, or using devices that do not comply with the standards. The idea behind the IOT-CIA is that, through the federal government’s purchasing power, the government can begin to force manufacturers of IOT devices to meet or exceed NIST standards before selling the devices to state or local governments or to consumers.
The law also requires NIST to report, coordinate, and publish information about vulnerabilities related to IOT devices and provide resolutions to the security vulnerabilities.
The government is leading the way to a more secure standard for IOT devices by forcing federal agencies to purchase or use only devices that can be secured in accordance with its established standards. Further, the publishing of vulnerabilities by NIST will lead to a more coordinated effort to identify and track vulnerabilities in IOT devices. Once fully implemented, we can all rest assured that the camera in our house or the IOT device in our refrigerator, as well as the devices in industrial, manufacturing, and government use, meet the new, higher standards.