DEVICES FROM THE INTERNET OF THINGS world seemed different from other network-addressable electronics early on. But with cybersecurity concerns on the rise, regulators are catching up, treating IoT devices like any other endpoint.
The IoT Cybersecurity Improvement Act of 2020 is one such effort. The bill requires the National Institute of Standards and Technology (NIST) and the Office of Management and Budget to take specified steps to increase cybersecurity for IoT devices. In response, NIST issued guidance on IoT security and created a risk management framework.
Across the pond, the EU introduced a cybersecurity standard for consumer IoT products in June 2020, and the GSM Association (GSMA), an industry organization representing mobile network operators worldwide, issued IoT Security Guidelines. Those include 85 detailed recommendations for the secure design, development, and deployment of IoT services, with an emphasis on security testing of networked cameras. “We believe this is an important first step,” says Dima Feldman, vice president of product management and marketing at Sony Semiconductor Israel.
As a rule, however, “Most laws applicable to cybersecurity generally would also overlap on IoT,” says Mark Kirstein, vice president of customer service for Cosant Cyber Security in Tempe, Ariz. He mentions HIPAA regulations as an example, since hospitals now use many IoT devices, and many touch the personal health information of patients.
So far, emerging regulations related to IoT security are fairly simple to implement, says Feldman, citing examples such as all devices should have unique passwords and use standard encryption techniques.
Looking forward, though, he foresees more restrictive regulations and certifications coming. “As IoT becomes a part of our life, it will control smart cities, the electrical grid, and other infrastructure, and it must be protected from sophisticated and even ‘government level’ hackers.” Future compliance guidelines will demand that devices deployed in large volumes, or as part of critical systems, undergo mandatory penetration testing, Feldman adds.
How much impact new rules will make is hard to estimate. While end users tend to ignore regulations of all kinds, they’re even more likely to ignore IoT regulations. For instance, Feldman notes, users often disregard physical security guidelines for IoT devices. “Also, there are no requirements for service-level security and monitoring the state of the device.”
That, along with the weak default security protections on many IoT devices, has led to unwelcome news coverage of breaches, such as DDoS attacks launched from IoT cameras back in 2017. “There is practically no regulation to make sure that future IoT devices will not issue similar or more sophisticated attacks in the future,” says Feldman.
Some companies see these gaps as opportunity, he adds, like Palo Alto Networks getting FedRAMP authorization for IoT. MSPs and systems integrators, meanwhile, have plenty of work ahead, Kirstein says. IP cameras were some of the earliest popular IoT devices, so the number of legacy cameras in use that need upgrading or replacing may create a wave of MSP service requests. “Legacy devices need to be isolated, since they often can’t be secured at the endpoint.” Different customers will need different levels of network separation or configuration.
Keeping up with new compliance guidelines for IoT will be tricky, since the low-cost, low-margin devices don’t get much post-sales support from small vendors in the space. In addition, IoT is becoming ubiquitous. Besides the hospital use cases mentioned earlier, office buildings are adding IoT to conference rooms, along with building controls such as HVAC and elevators. Kirstein adds, “IoT for operation in manufacturing is often overlooked as critical infrastructure.”
Kirstein recommends using U.K.-based IoTSecurityFoundation.org as a resource. The NIST regulations from the Cybersecurity Improvement Act will roll out slowly, with plenty of attention with each iteration.
In the meantime, Kirstein advises monitoring IoT devices for compliance purposes with the same rigor you apply to other network devices, but remember that device resources will limit security functions, and “patching and upgrading may not be viable.”