Alexa, do you have secret clearance? A bipartisan act for internet of things (IoT) cybersecurity passed in March 2019 and manufacturers, agencies, and contractors are listening closely for next steps.
With cybersecurity at the top of the government’s agenda, the IoT Cybersecurity Improvement Act of 2019 sailed through Congress with unusual ease. Past attacks on these devices have motivated leadership across private and public sectors to support stricter regulation, which the act is now introducing.
It tasks the National Institute of Standards and Technology (NIST) with developing strategy and guidance to strengthen internet of things cybersecurity. The institute will impose new testing and reporting requirements on vendors and rigid IoT acquisition requirements on departments and agencies.
To pull this off, NIST will need to build an internet of things cybersecurity strategy on existing resources: the national information assurance partnership for product testing, standardized vulnerability reporting using the common vulnerability scoring system, and straightforward integration with the risk management framework and continuous diagnostics and mitigation processes.
Tackling internet of things security concerns
Gartner predicts that 20.4 billion internet of things devices will be connected to the internet by 2020. With this massive growth on the horizon, the potential for exploitation by malicious actors has escalated as well.
IoT devices are known for poor security practices like default passwords. Until now, no national standards existed for manufacturers to follow, leaving insecure devices wide open for hackers.
The new IoT cybersecurity improvement act’s purpose is “to leverage Federal Government procurement power to encourage increased cybersecurity for internet of things devices, and for other purposes.” The legislation hands off decision-making to the National Institute of Standards and Technology in terms of execution.
The institute will need to ensure the processes it defines are efficient and effective to succeed. In other words, it will need to utilize and integrate its solution into current federal cybersecurity workflows as seamlessly as possible.
Implementing new rules for agencies, contractors, and vendors
The institute’s publications, as required by the act, will include policies and procedures for contractors and vendors providing an IoT covered device to the Federal Government. These issuances will cover the distribution of information about potential security vulnerabilities relating to covered devices and the resolution of security vulnerabilities.
The new rules will prohibit agencies from acquiring or using any covered device from a contractor or vendor that fails to comply with the institute’s IoT cybersecurity guidance.
NIST’s strategy may involve leveraging its existing partnership with independent laboratories to support common criteria testing of commercial products against “protection profile” security capability targets.
If IoT reports—obtained from national information assurance partnership labs or elsewhere—map discovered vulnerabilities to the institute’s national vulnerability database and use its scoring system and automation protocols, agencies should be able to integrate IoT vulnerability reporting with NIST’s existing risk management framework and continuous diagnostics and mitigation workflows. That integration would let managers and cybersecurity support staff within agencies assess IoT risks case by case, at the level of each individual deployment, and make appropriate risk-based decisions about usage.
The common criteria testing of products to protection profiles by the partnership’s independent laboratories is long, arduous, expensive, and paid for by product suppliers. However, there is precedent for IoT suppliers running the common criteria gauntlet.
In 2017, LG’s webOS 3.5 smart TV platform was recognized with a common criteria certification for its enhanced application security solution version 1.0 software.
As more manufacturers learn to navigate the system, the industry may voluntarily apply the new standards to all internet of things devices, not just those sold to the government. This move would afford the same level of security to the public, but it is not part of the required compliance measures.
Recommendations for rollout
Pragmatically speaking, large-scale IoT cybersecurity vulnerability assessment and reporting will need to be significantly more efficient than the common criteria international standard, though NIST may still benefit from leveraging the national information assurance partnership with independent laboratories.
The institute will best serve its constituency by developing internet of things vulnerability testing and reporting guidance designed to integrate with existing cybersecurity and risk management standards and processes. Some of these standards include the risk management framework, continuous diagnostics and mitigation, national vulnerability database, and common vulnerability scoring system—all already in use throughout the Federal Government, segments of critical infrastructure, and private industry.
Beyond policy and vulnerability testing, IoT cybersecurity will also require protection and defense missions. The 2019 act helps ensure that these devices receive thorough examination and regulation, but the government will have to take proactive steps to halt potential hackers. We anticipate greater defense activity as internet of things protocols evolve. As with all emerging technologies, it’s a race to stay ahead of the cybersecurity curve.