Editor's note: The following is a guest article from Justin Fier, director of cyber intelligence & analytics at Darktrace.
2020 saw a massive spike in the exploitation of vulnerable software and devices across every industry, targeting companies of all sizes, from private businesses to numerous federal agencies.
The IoT Cybersecurity Improvement Act signed into law in December 2020 with bipartisan support mandated federal agencies adopt and update minimum information security standards. The bill was meant to ensure a set of standards for a crucial, yet highly vulnerable, part of our tech infrastructure, but industry still has a way to go before reaching a sizable impact in a world full of internet-connected devices.
The IoT industry moves at lightning speed — making it hard for the government to keep up with laws and regulations. Industry must strive for security that keeps up with the pace of innovation. While the law is a big step in the right direction, we are already late to the game.
In its current state, the IoT Cybersecurity Improvement Act does not go far enough to deal with legacy edge IoT devices in the private sector and does not include a clear plan of action to address these critical areas.
Steps companies must take to evaluate IoT security
Visibility is still the No. 1 problem most organizations face. As networks become more connected and reliant on third-party sources like cloud and SaaS applications, it is evident that most companies continue to have massive blind spots.
As businesses begin the lengthy process of reopening offices, a whole new host of IoT devices, like FLIR cameras, environmental sensors and AI-enabled facial recognition, will enter office buildings and bring a new set of security challenges.
New forms of attacks are inconspicuous, and can remain in a network for weeks, or even months, before being detected. If organizations are unaware of where or how many devices are on their network, how can they possibly keep track of abnormalities or breaches?
Many organizations seem to have decided that the benefits of IoT devices outweigh the security concerns and have accepted the risk, but is that accepted risk too high? Recent examples include numerous vaccine fridges, security cameras and badge readers with simple problems like default credentials, credentials sent in the clear, or no credentials at all.
These problems are easy to fix, and there should be accountability systems in place to ensure that companies comply with baseline security measures for IoT devices.
Supply chain considerations
There are already ramifications if a company is selling and deploying insecure IoT devices to millions of customers. Think back to the Ring home security device hack, when hackers used Ring doorbell systems to gather personal information from customers, as well as network access.
Concerns were raised over whether or not home security is worth the risk, considering that an attacker might obtain live video of customers' private lives. To address this issue, Amazon, Ring's parent company, introduced two-factor authentication for the entire Ring platform.
Two-factor authentication is one example of a baseline security measure that IoT companies should implement across their product lines, and not wait for a massive breach to force the issue.
But the enforcement of new standards must also address the greater supply chain issues at play here. Since many IoT device components are imported, and different pieces of hardware and software come from different suppliers, there is always the chance that the end product is insecure and has vulnerabilities because one piece along the way was manipulated.
Call to action for federal standards
Uniting an organization's tech decision makers around careful governance standards and a sustainable vision for edge IoT devices is the only way to guarantee the effectiveness of the IoT Cybersecurity Improvement Act. The law will otherwise be admirable, as a lofty future goal, but will remain limited in scope, in practice and in reality.
Before the law was signed, the National Institute of Standards and Technology (NIST) IoT security recommendations had been voluntary – now that government entities must comply, the next step is to lay out a specific set of actions to enforce the cybersecurity requirements for industry as well.
Beyond government entities, it is imperative for U.S. companies to address the law with careful consideration of cyber governance throughout their systems, including all edge IoT devices. Companies must take the necessary steps to evaluate, retrofit and/or replace legacy IoT devices with more secure technology.
As businesses embark on many "new normals," IoT device manufacturers will need to start taking these steps and heeding this guidance now, by thinking about security as they build their devices as opposed to afterwards — because this law sets up a new normal in IoT security.
Next, the FCC, FTC and other federal regulatory bodies addressing commerce must adopt the same standards and enforce industry cyber vigilance. All government entities should begin to enforce the same standards for security in IoT devices and NIST requirements should be adopted by all, not just some, for us to tackle the problem.
As industry has seen in the last six months, cyberattacks in the public sphere bleed over into the private sector, and we must prepare both to better handle the rising issues presented by insecure IoT devices.
Simply put, this law must become a call to action for public and private organizations to re-examine IoT security and enforce compliance with these new standards. Legislation like the IoT Cybersecurity Improvement Act can change the way manufacturers prioritize security — and create a new normal in the world of IoT.