Cybersecurity Improvement Act signed into law inching IoT toward more robust security

When the Trump administration signed off on the bipartisan-backed Internet of Things Cybersecurity Improvement Act of 2020 on December 4, despite the new law applying only to federal government agencies, the Act figures to be a solid start in terms of IoT (Internet of Things) use and the management of vulnerabilities across devices used in specific industries like the U.S. government and the eventual trickle down to the private sector. Once implemented, the bill will require that device manufacturers or Original Equipment Manufacturers (OEMs) selling to government agencies demonstrate compliance with security guidelines before being considered for government contracts; the government is taking the approach that the exponential growth of connected devices connecting to government networks presents a potential ‘back door’ and access to confidential information.

The Future of Cybersecurity 

The Cybersecurity Improvement Act and other guidelines for cybersecurity, device identity and encryption provide an additional compliance layer that forces OEMs in other industries like medical devices, automotive and critical infrastructure, to design secure products to support vulnerability reduction during operation. Any initiative aimed at improving cybersecurity for IoT devices (independent of industry), helps to address a collective market challenge, the current state of IoT security and a deeper perspective focused on encryption and authentication best practices.

Consumer IoT devices are disparate and, in some cases, less expensive to develop, so building in robust security and a cost-effective way to manage vulnerabilities is challenging for manufacturers focused on overall cost/benefit analysis. However, IoT device makers can reduce exploit risk in the consumer space if products are developed in alignment with NIST guidelines. Adopting just a few basic guidelines such as secure development, unique identities and code signing will net a positive impact and deliver more robust consumer products.

Hackers are increasingly taking advantage of weaknesses in IoT security, maliciously taking control of smart home devices for DDoS attacks and changing the functionality of connected medical devices. An improved security posture requires a robust security architecture inclusive to all IoT systems. Guidelines provided by NIST and other standards groups will continue to make an impact on how we design security into IoT devices while providing a means and method to manage IoT device data authentication and encryption over time. Crypto agility is becoming more important as IoT devices begin to outlive the encryption algorithms that are used to secure connections, so in-field device updatability is a must.

What The Act Does

The Cybersecurity Improvement Act offers guidelines specific to the use of IoT and the management of security vulnerabilities. This is a great start, offering a foundation to address device identity management and how to detect and remediate vulnerabilities.

Multiple industries have taken a stance to embed cybersecurity into their IoT products and manufacturing systems. For example, the FDA introduced guidelines specific to medical devices, the SAE has connected vehicle security recommendations and the IEC implemented similar guidelines for industrial control systems. The intent of these guidelines is to protect the government from additional threats that are likely to increase as the number of IoT devices and attack vectors increases over time.

COVID has drastically altered the way we do business, reinforcing our reliance on connected technology and tools to achieve our virtual way of work. IoT security is a macro problem that needs micro guidelines to solve unique IoT security challenges in specific industries and use cases. The Cybersecurity Improvement Act is a step forward in achieving broader IoT protection and security.