New IoT Legislation Means Advance Planning is Key

As 2020 wound to a close, the year’s end marked a major milestone in strengthening the security of Internet of Things (IoT) devices and systems. In December, the IoT Cybersecurity Improvement Act was signed into law, raising the priority of cybersecurity across a variety of industries and use cases.

The new law is designed to better incentivize companies to secure the devices they build and sell, and requires the National Institute of Standards and Technology (NIST) to create a new set of standards. The law specifies that NIST should issue guidelines for development, patching, identity and configuration management for IoT devices.

The IoT Cybersecurity Improvement Act also encourages federal agencies to review procurement practices, take steps to better understand how they are using IoT within their organizations and evaluate the specific risks associated with their use cases. Then, it advises them to take steps to apply industry best practices, policies and procedures for procuring IoT solutions. The law also requires that agencies develop guidelines and procedures for managing their risks as they move forward.

A Power Move by the U.S. Government

The new IoT legislation is a positive step to address critical issues that could slow the adoption of new use cases. It’s also important because it demonstrates that the U.S. government fully understands that IoT security is an emerging challenge that must be addressed.

A recent survey of more than 500 security professionals found that IoT devices reside on 84% of their corporate networks. The same study determined that more than 50% of those professionals did not enable security measures beyond basic default passwords.

When the federal government leverages its purchasing power as a way to drive change, its impact ripples across the industry. Once it asserts that it will purchase devices and solutions only if they meet specific criteria, device and software manufacturers will rapidly follow its lead.

However, although the law is highly ambitious, it is also based on a gradual timeline and will take years to fully implement. It will not make security better overnight, but it does present an essential starting point to prioritize IoT cybersecurity and ensure it’s taken seriously.

For Manufacturers, the Time is Now to Plan for Compliance

Building security into design processes takes time, so organizations must take immediate steps to begin planning strategically for security. The most fundamental area to consider is how manufacturers ensure the integrity and confidentiality of data and prevent unauthorized access to critical IoT systems and data.

The IoT is about generating new data that creates actionable intelligence to improve operations, quality of life, or some other outcome. Because this new data is being used to influence critical decision making, ensuring the integrity and confidentiality of any data generated and transmitted by an IoT device is a critical step in securing the IoT. If the data can’t be trusted, the value of IoT dramatically diminishes.

In addition to protecting the data, manufacturers must ensure only trusted actors can access or control these devices. Without proper authentication mechanisms in place, IoT devices are an easy target for any malicious actor, and, once inside, hackers could take full control of the device. This could cause potential harm to the end user while simultaneously negatively impacting the manufacturer’s reputation.

After doing some initial discovery and planning, organizations may discover that their processes and practices have vulnerabilities and gaps that need to be addressed. Waiting to address these gaps is a losing strategy.

PKI can Provide a Secure Foundation

A public key infrastructure (PKI) is an important part of securing an IoT device. PKI addresses the security requirements common to all IoT devices: authenticating the device, encrypting its data and ensuring the integrity of that data.

PKI enjoys wide adoption across a variety of industries and has long been a fundamental standard for ensuring Internet security. For today’s innovative IoT organizations, PKI offers the flexibility to address the needs of all types of devices, and the scalability to allow manufacturers to issue security credentials to millions, or even hundreds of millions of devices.

Ensuring a superior end user experience is important to accelerating adoption of security tools and best practices. PKI offers a transparent experience that is simpler and more intuitive to use daily than traditional password protection. It scales readily and can be tailored and customized to suit specific industry requirements and processes. This adaptability enables organizations to update, or even revoke, digital certificates when circumstances change.

Digital certificates are the key to enabling the necessary IoT security protections. These certificates can be provisioned to devices at any point during the device’s life cycle. Manufacturers can pre-provision certificates to chipsets before going to the manufacturing line, or they can insert the certificate during the manufacturing process. Once in the field, certificates can also be provisioned to a device during a routine update. Selecting a PKI platform that offers deployment flexibility is a critical part of a successful PKI.
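As an added illustration of the device-identity model this section describes (a manufacturer CA, a certificate bound to each device, and revocation when circumstances change), the following Go program is example code written for this page, not DigiCert's product or any vendor's API. The function names (Issue, IssueDeviceCert, VerifyDevice) and the device serials are assumptions, and the revocation list is an in-memory stand-in for a CRL or OCSP check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Issue signs tmpl under parent with a fresh Ed25519 key; a nil parent self-signs, which is how the product-line root is made (example-only stand-in for a CA service).
func Issue(tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // unpredictable serial
	tmpl.NotBefore = time.Now().Add(-time.Minute)                                         // tolerate clock skew
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueDeviceCert binds a fresh per-device key to the device serial (at the factory or in a field update); the private key stays on the device, only the certificate leaves.
func IssueDeviceCert(ca *x509.Certificate, caKey ed25519.PrivateKey, serial string, ttl time.Duration) (*x509.Certificate, ed25519.PrivateKey, error) {
	return Issue(&x509.Certificate{Subject: pkix.Name{CommonName: serial}, NotAfter: time.Now().Add(ttl),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca, caKey)
}

// VerifyDevice is the backend's check when a device connects: chain to the product root, validity window and intended usage, then the revocation list (a constructed in-memory map here).
func VerifyDevice(root, cert *x509.Certificate, revoked map[string]bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	if revoked[cert.SerialNumber.String()] {
		return errors.New("device certificate revoked")
	}
	return nil
}
```

The product-line root is created with Issue and a template that sets IsCA, BasicConstraintsValid and KeyUsageCertSign, passing nil for parent and signer; the backend then rejects a device certificate that is revoked, expired or signed by any other CA.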

As the IoT Cybersecurity Improvement Act takes effect in the coming years, device manufacturers will face closer scrutiny of their processes and best practices. Taking steps to initiate some advance planning now will help device manufacturers ensure that they are fully in compliance as specific mandates of the law take effect.

Mike Nelson

Mike Nelson is the VP of IoT Security at DigiCert, a global leader in digital security. In this role, Nelson oversees the company’s strategic market development for the various critical infrastructure industries securing highly sensitive networks and Internet of Things (IoT) devices, including healthcare, transportation, industrial operations, and smart grid and smart city implementations. Nelson frequently consults with organizations, contributes to media reports, participates in industry standards bodies, and speaks at industry conferences about how technology can be used to improve cyber security for critical systems and the people who rely upon them. Nelson has spent his career in healthcare IT including time at the US Department of Health and Human Services, GE Healthcare, and Leavitt Partners – a boutique healthcare consulting firm. Nelson’s passion for the industry stems from his personal experience as a type 1 diabetic and his use of connected technology in his treatment.
