New IoT security bill passes the House with bipartisan support
By Max Burkhalter, September 22, 2020
The internet of things has become near-ubiquitous in businesses and households across the U.S., raising questions about the security of devices that possess this functionality. IoT products that are able to connect to the internet may offer a new level of convenience and efficiency, but they also come with a deluge of cyber security concerns.
For one, there are currently no industry standards for this branch of technology, and many end users are unaware of how the devices can be leveraged to steal personal information. Factory settings are another key issue — using the Shodan search engine, hackers can collect detailed information on active, internet-connected devices. Once identified, malicious actors can use default login credentials to gain access and control over unsecured endpoints.
Bipartisan IoT bill seeks to enhance federal network security
Back in March 2018, Lt. Gen. Robert Ashley, director of the Defense Intelligence Agency, spoke with the Senate Armed Services Committee about emerging cyber risks. According to Ashley, one of the biggest threats to national security is the exploitation of "our weakest technology components: mobile devices and the internet of things." Alongside brute-force attacks, these components are vulnerable to social engineering operations, and these intrusions can lead to data leaks and the theft of intellectual property.
To offset these risks, a group of bipartisan lawmakers began drafting a new IoT security bill that would set minimum standards for any devices connected to federal networks. This bill, named The IoT Cybersecurity Improvement Act, gained support from both sides of the aisle and was officially passed by the House on September 14, 2020. The bill is currently waiting for a Senate floor vote before it can make its way to the president's desk. Once passed, the bill will enact the following provisions:
- Creating best practices for IoT device security: The National Institute of Standards and Technology plays a key role in protecting U.S. infrastructure and citizens from cybersecurity threats. If passed, the IoT security bill would require the NIST to create a set of best practices for any device with internet connectivity that is used on federal networks. Once these standards are set, the Office of Management and Budget will be responsible for creating guiding resources to help federal agencies meet or exceed the NIST's recommendations.
- Streamlining vulnerability disclosures: Every piece of hardware and software must be continually patched to prevent hackers from leveraging code-level bugs, outdated firmware and zero-day exploits. The IoT Cybersecurity Improvement Act would require the Department of Homeland Security to publish guidance on "coordinated vulnerability disclosures" related to agency devices. This will allow greater collaboration between the NIST, federal agencies, third-party vendors and other external partners involved in managing or patching IoT devices.
- Limiting IoT devices that can be purchased by the federal government: The IoT security bill also limits the internet-connected devices that the federal government can purchase and deploy. Any device that does not meet the NIST's minimum security standards should be prevented from connecting to federal networks. Of course, this will require researchers to perform a comprehensive assessment of all the technologies currently in use. Those that fall short of the NIST's guidelines will likely be replaced with more secure alternatives.
While the IoT security bill is aimed at protecting federal networks, many are hopeful that this legislation marks a turning point for consumers and businesses as well. Once the NIST has created clear standards for the secure development, identity management and patching of internet-connected devices, IoT manufacturers may start incorporating these guidelines into their products.
Built-in security standards for commercial IoT devices
As it stands, consumer and business IoT devices are highly vulnerable to exploitation due to the lack of unified standards. With an estimated 20.8 billion connected devices set to be in use by the end of 2020, according to research from Gartner, there's a growing concern that technological innovation will outpace cybersecurity protections. This issue is especially stark for enterprises that manage large IoT ecosystems, as it can be difficult to bring every device under one simplified security framework. As Kaspersky Labs explained, businesses should take the following steps to secure IoT devices while waiting for NIST to set standards on commercial products:
- Closely monitor all mobile devices, including smartphones, tablets and wearable IoT
- Set up automated antivirus updates and patching schedules
- Ensure all IoT devices have strong login credentials
- Integrate end-to-end encryption to protect data in transit
- Disable any unused features on devices to prevent remote access attacks
Alongside these IoT management tips, it's also important for businesses to have reliable networking equipment that can keep data flowing when it matters most. That's why Perle offers industrial-grade connectivity tools that can help companies create a secure IoT environment. Our LTE Routers can help minimize downtime and bring distributed sites online faster.