A multiyear effort to raise cybersecurity standards in the IoT industry is on the horizon following passage of a comprehensive bill last month that will establish uniform standards for companies operating in the federal market.
Backers of the bill have sought to use the federal cybersecurity baseline to impact the broader enterprise and consumer markets for IoT devices, in a similar way that the EnergyStar rating has impacted wider energy efficiency standards.
"While more and more products and even household appliances today have software functionality and internet connectivity, too few incorporate even basic safeguards and protections, posing a real risk to individual and national security," Sen. Mark Warner, D-VA, said in a statement. "The IoT Cybersecurity Improvement Act — now to be law — leverages the purchasing power of the federal government to establish some minimum security standards for IoT devices."
President Donald Trump is expected to sign the bill, which was passed by the Republican-controlled Senate by unanimous consent. The bill has been on his desk since early last week and, absent a veto, would become law this week even if he does not sign it.
"Key industry stakeholders have been moving in the right direction since our last attempt to pass this bill in the 115th Congress, so I think there's a general trend towards better security for these devices," Warner said. "But to ensure that the market for these devices continues to move in that direction, having the purchasing power of the federal government steering it will certainly help."
The technology behind IoT devices has been around for decades. IoT technology is widely used in major industries to control access points and manage other systems.
Industrial control systems have been around since the 1960s and are used in everything from building control systems to power generation facilities, warehouse management systems and healthcare, according to Bill Malik, vice president of infrastructure strategies at Trend Micro. More recently the technology has been used to develop automated thermostats, connected vehicles and home security devices.
The 2016 Mirai botnet attacks exposed the vulnerabilities of IoT devices, leading to massive disruption of internet service in the U.S. The attacks took advantage of closed-circuit cameras that lacked the most basic protections, including passwords, security controls and the ability to patch defects.
"Botnets have been targeting low hanging fruit, like consumer IoT devices and exploiting weak security features," said Gonda Lamberink, senior business development manager at UL's Identity Management & Security division. "Once compromised, IoT devices are misused to send huge volumes of data to all types of internet sites and services."
Warner and Sen. Cory Gardner, R-CO, co-founders of the Senate Cybersecurity Caucus, introduced the bill in 2017 and later pushed the legislation through Congress with backing from Reps. Will Hurd, R-TX, and Robin Kelly, D-IL, in the House.
Meanwhile, state legislators passed their own bills in California and Oregon requiring IoT manufacturers to meet minimum security standards on devices sold in those states. Those bills went into effect at the beginning of 2020.
The federal bill calls for the National Institute of Standards and Technology to issue recommendations, at minimum, on secure development, identity management, patching and configuration of IoT devices. The Office of Management and Budget would set guidelines for each agency consistent with the NIST recommendations.
NIST will also work with the Department of Homeland Security and industry experts on guidelines for vulnerability disclosure. Contractors and vendors providing information systems to the federal government would be required to create coordinated vulnerability disclosure policies.
IoT and cybersecurity experts differ on how much this legislation will influence the enterprise and consumer markets. Some experts say the legislation will help drive the private sector to harmonize standards in a way similar to the use of green building technologies.
"This can have the impact of bringing about a de facto national security baseline or standard for IoT devices that the private sector is already working towards and can be built upon further," Lamberink said.
The most established and mature companies often took their products to third-party certification labs for penetration testing and reviews of various design, manufacturing and life cycle processes, according to Sequitur Labs, a Fall City, Washington-based firm that develops security technology for IoT devices.
"At the end of the day a lot of it comes down to the risk or liability associated with the product, or loss of brand or the risk to the customer," said Philip Attfield, co-founder and CEO of Sequitur Labs.
The large system integrators already in the federal space will likely be the first to comply, and will push the new standards down the supply chain, he said. The impact on IoT products in the consumer space will be far more limited.
Despite widespread optimism, others are more cautious on the immediate impact of the legislation, as market pressures may lead some companies to parse out their product inventory to meet the new federal regulations, while maintaining a more competitively priced offering for non-government business.
"Vendors to the U.S. government will create separate SKUs for devices intended to comply [with] these rules," Malik said. Consumers and enterprises may be willing to pay for the higher-priced versions if they want, but will typically buy the less secure, lower-cost choice, he said.