New IoT security regulations: what you need to know
(written with Lena Fuks)
Over the past few years, the Internet of Things (IoT) market has been experiencing explosive growth. According to Gartner, there will be 25 billion connected devices by 2021. Statista research suggests that the total installed base of smart devices in homes around the world, such as smart TVs, smart locks, IP cameras, home assistants and their associated services, will reach 75 billion units by the end of 2025, a five-fold increase in ten years. This rise in the number of IoT devices dramatically increases the number of potential attack vectors and creates a massive security gap.
The challenge we all face is that these devices have weak or no security controls and represent the fastest-growing attack surface for organizations all over the world, with attacks up 300% in 2019 alone. Cybercriminals exploit multiple vulnerabilities in smart devices and often use them as a foothold to gain access to entire networks. To strengthen the security of connected products, governments around the world are continuously working on new legislation.
Industry, in general, is feeling the global push for robust IoT security standards. Currently, the UK and Australia are world leaders when it comes to IoT security, with both nations already enacting voluntary standards for consumer IoT devices. In January 2020, in the USA, both California and Oregon introduced new legislation requiring “reasonable security features” to be added to IoT devices.
Regulating IoT is challenging for everyone involved – authorities, manufacturers, and organizations. The goal is to develop legislation that effectively protects consumers, can be implemented by industry, and supports the long-term growth of the IoT market. Since we published our previous blog post on the state of IoT regulation six months ago, there have been a number of interesting developments worth exploring.
California’s IoT security law
In September 2019, California Governor Jerry Brown signed into law a new bill aimed at regulating the security of IoT devices, which took effect on January 1, 2020. California’s IoT law establishes new security requirements for Internet of Things technologies and is intended to better address the risks that increased levels of connectivity bring into the workplace. This is the first IoT-specific security law in the United States and, simply put, it requires all IoT devices sold in California to be equipped with reasonable security measures.
The document defines a connected device as “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” This definition was criticized by many as “problematic” since connected devices can include anything from computers and printers to thermostats and employees’ personal fitness trackers.
The law requires IoT device manufacturers to equip each connected device “with a reasonable security feature or features” that are 1) appropriate to the nature and function of the device; 2) appropriate to the information the device may collect, contain or transmit; and 3) designed to protect both the device and any information it contains from unauthorized access, destruction, use, modification, or disclosure.
Such a broad definition of a “reasonable security feature” can make it difficult for organizations to comply with new requirements. California’s IoT law is a great first step to better securing IoT devices, but it ultimately lacks specific instructions that the industry craves.
NIST IoT security publications
Since releasing its first IoT security publication, NIST, the U.S. National Institute of Standards and Technology, the federal laboratory that develops standards for new technology, has been working on further publications in the IoT series. Just recently, in January 2020, NIST published its second draft report, “Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline,” which replaced the initial draft “Core Cybersecurity Feature Baseline for Securable IoT Devices.” Both publications build upon NIST’s “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks,” published in June 2019.
The new document describes baseline cybersecurity capabilities that IoT manufacturers can voluntarily implement in their devices. While not a set of rules they must follow, the NIST publications provide valuable guidance intended to promote best practices for mitigating IoT security risks. Public comments on the new draft are accepted until February 7, 2020.
The UK’s new IoT cybersecurity law
In January 2020, the UK government announced that it is going to introduce new mandatory requirements for IoT device manufacturers in an effort to improve consumer data security. The aim is to shift the responsibility for securing devices away from consumers by ensuring that strong cybersecurity is built into these products by design.
According to the proposed law, all consumer smart devices sold in the UK should adhere to a basic level of security. This includes three main requirements: passwords for all connected devices must be unique (no shared factory defaults), manufacturers must provide a public point of contact for reporting vulnerabilities, and the minimum period for which a device will receive security updates must be stated at the point of sale.
This is only the beginning
Researchers continue to find basic security issues in IoT devices already on the market – from factory-set default passwords to disturbing privacy problems. IoT devices are more vulnerable to cyberattacks than traditional computing equipment because they often lack the processing power needed to run even basic security software.
Even with these new regulations in place, security will continue to be the number one concern for any business deploying or extending IoT devices on the network. With the basic level of security mandated in the regulations, IoT devices will probably continue to be easy recruits for botnets and other ever-growing threats.
Furthermore, although a step in the right direction, the new regulations do not seem to address other important IoT security issues, such as the constant bombardment of devices with unsolicited traffic from web crawlers and other bots, which drains battery life, consumes limited data plans, and leads to billing disputes.
For the most part, it appears that the new regulations are coming from a good place. Governments are stepping in to protect us from new IoT-related vulnerabilities. But requiring basic security on individual IoT devices alone may be a misguided approach. More needs to be done by network operators, who are in a position to implement more sophisticated cybersecurity at the network level, with solutions that go beyond the capabilities of individual devices and address the Internet of Things in a more holistic and comprehensive way.