Late last year, the Internet of Things Cybersecurity Improvement Act of 2020 bill was signed into law, which intends to raise awareness and harden security for the many devices — an internet of things — controlled by the U.S. Government.
In addition to directing the National Institute of Standards and Technology (NIST) to create minimum cybersecurity standards for IoT devices, covering their day-to-day use and management as well as the disclosure of vulnerabilities, the law outlines protocols and best practices for agencies and organizations in the U.S. government.
And not a minute too soon.
Already in the first half of 2021 we saw various hacks and other security breaches perpetrated on gas pipelines, meat processors, chemical distribution companies, computer manufacturers, the NBA, the Steamship Authority of Massachusetts, the Washington DC Metropolitan Police Department, and others. While many remain ransomware attacks more akin to pirates of the high seas than digital warfare, more attacks are targeting government properties, which makes all those IoT devices a huge security risk.
In this guide to the Internet of Things (IoT) for government, we’ll discuss how the new bill will impact governments and organizations that run IoT devices.
Controlling the Current IoT Device Chaos
While IoT has been around for years, there’s hardly a unifying framework or standard holding things together. Internet-enabled devices range from TVs to smart speakers, wearables and appliances, and each manufacturer, if not each device, typically has a different way of doing things, particularly with regard to the data they may collect or how it behaves on a given network.
But the concern for most governments is that the explosion of IoT devices that has occurred over the last decade is largely unchecked, and many may have no real insight into the devices that are connected, their capabilities and who may be communicating with them — or preparing to do so.
In the last few years, the burgeoning need for government IoT standards has led to various standards being created, such as by the Cloud Security Alliance (CSA), the IEEE Standards Association, the ioXt Alliance, the IoT Security Foundation, the Open Web Application Security Project (OWASP) and even guidance from the U.S. Department of Homeland Security.
But until now, not much progress has been made on codifying and implementing a single set of standards. The resulting patchwork has made it difficult for managers to fully get a grasp on their IoT security risk, and in one notable finding, the European Union Agency for Cybersecurity (ENISA) found that even IoT devices that are encrypted with authenticated users and proof of integrity may still be insecure.
Unfortunately, without unifying standards in place, those who make IoT devices bear no responsibility for the security or the intended use of a device, even when vulnerabilities are found or known, leaving many of the IoT devices out there vulnerable to exploits and other manipulation.
How the New IoT Law Can Change All This
The good news is that the Internet of Things Cybersecurity Improvement Act of 2020 intends to codify the disparate rules into one overarching policy that cannot be ignored because it’s backed by the U.S. Government. And while the bill only applies to devices that are purchased or managed by the government, any manufacturers that want to have access to the purchasing power of the U.S. Government will need to adopt the standards.
Last year’s session in Congress also saw two IoT bills introduced, but both failed to muster enough votes. The new law focuses primarily on the establishment of standards, including four areas that have been in need of oversight: secure development, identity management, patching and configuration management.
Furthermore, the law also stipulates that the Department of Homeland Security and NIST will work together with cybersecurity experts to establish guidelines for reporting vulnerabilities, as well as aligning the approach with IT standards that stipulate vulnerability disclosure and handling.
Continuing IoT Device Risks
That said, the new law won’t change IoT overnight, and if there’s one takeaway, it’s that organizations need to do more to ensure that the IoT devices on their networks and under their control are managed properly without any unauthorized access or behavior.
For the most part, there remain three distinct risks for IoT devices.
The first, malware, is a big concern for the many devices in use that often belong to no one yet have access to desired networks, causing cybercriminals to increase their efforts in targeting these devices. Not only are they finding success because of the huge explosion in IoT devices in use, but also because of the largely insecure deployment of such devices, many of which are directly accessible via the internet.
Additionally, the lack of support or security updates for IoT devices means integration is haphazard at best, with many devices remaining vulnerable to common exploits that have been known for years. Combined with an almost complete lack of security protocols by manufacturers, these devices represent some of the greatest security risks for modern governments and organizations.
Another segment of risk has to do with the vulnerabilities that IoT devices represent, with some estimates putting the risk of medium or severe attacks at almost 60 percent of all IoT devices.
Minimizing Your IoT Risks
While the Internet of Things Cybersecurity Improvement Act of 2020 helps government more securely harden its networks against the risks of IoT devices, there are things that you can do today to reduce the risk of security issues with IoT devices on your networks.
The first step is to identify all the IoT devices connected to your network, including their day-to-day behavior and whether certain access or permissions may need to be altered. It’s also important to scan your network regularly for new IoT integrations and devices, as well as instituting a protocol for how new devices can be brought in.
Generally, you’ll want to bring together visibility, monitoring and security across all devices, regardless of their past behavior or intended use. Those laptops and phones may be significantly more powerful than a coffee maker or fridge, but the security risk is inherent with anything that lives on your network, and treating each device with the seriousness that they deserve is a great way to get a handle on your security risks.
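As an added example (not from the original article or from Software AG), the following Python script performs the inventory check described above: it parses constructed arp-style output, compares each observed device against an assumed approved-device inventory, and flags devices that are unknown, have no assigned owner, or have not received a firmware update within a set window. The ARP sample, the inventory format and all MAC addresses are constructed for illustration only.

```python
import re
from datetime import date

# Constructed sample in the style of `arp -a` output (not captured from a real network).
SAMPLE_ARP = """\
? (10.0.20.11) at 3c:52:82:aa:bb:01 [ether] on eth0
? (10.0.20.12) at b8:27:eb:11:22:33 [ether] on eth0
? (10.0.20.13) at 00:1a:2b:44:55:66 [ether] on eth0
? (10.0.20.14) at 5c:cf:7f:99:88:77 [ether] on eth0
"""

# Constructed approved-device inventory (assumed format): MAC -> owner, role, last firmware update.
INVENTORY = {
    "3c:52:82:aa:bb:01": {"owner": "alice", "role": "laptop", "last_update": date(2021, 5, 1)},
    "b8:27:eb:11:22:33": {"owner": None, "role": "camera", "last_update": date(2019, 3, 10)},
    "00:1a:2b:44:55:66": {"owner": "facilities", "role": "thermostat", "last_update": date(2021, 4, 20)},
}

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)


def parse_arp(text):
    """Return {mac: ip} for every entry in arp-style output."""
    return {m["mac"].lower(): m["ip"] for m in ARP_LINE.finditer(text)}


def audit(arp_text, inventory, today, max_age_days=180):
    """Compare observed devices with the inventory and return (ip, mac, message) findings."""
    findings = []
    for mac, ip in parse_arp(arp_text).items():
        entry = inventory.get(mac)
        if entry is None:
            # A device nobody approved: the "new integration" the text says to scan for.
            findings.append((ip, mac, "unknown device: not in approved inventory"))
            continue
        if entry["owner"] is None:
            # A device that "belongs to no one" still sits on the network.
            findings.append((ip, mac, f"{entry['role']} has no assigned owner"))
        age = (today - entry["last_update"]).days
        if age > max_age_days:
            findings.append((ip, mac, f"{entry['role']} firmware not updated for {age} days"))
    return findings


def audit_sample():
    """Run the audit over the constructed sample as of a fixed date."""
    return audit(SAMPLE_ARP, INVENTORY, date(2021, 7, 1))


if __name__ == "__main__":
    for ip, mac, msg in audit_sample():
        print(f"{ip:<12} {mac}  {msg}")
```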
For more on how you can simplify your complex IT protocols, Software AG Government Solutions is a proven partner capable of helping you turn your complex systems into a secure and manageable IT ecosystem. Register for this webinar, Government IoT, Simplified, to learn more about innovating your IoT strategy today.