The U.S. technology and manufacturing industries are in serious need of increased rigor for Internet of Things (IoT) device security. Thankfully, the U.S. Senate is starting to pay attention in the form of the recently introduced Internet of Things Cybersecurity Improvement Act. These proposed regulations could help reduce poor security practices and also influence manufacturers to design in proper security from the start.
The legislation targets only vendors to the federal government. That’s a great place to start, as we already know from our recent 2017 Thales Data Threat Report, Federal Edition that IoT adoption within the federal government is strong. The report found that 75 percent of federal agencies have begun to use IoT technology. (In a related matter, the results also revealed that 65 percent of federal agencies have experienced a data breach at some point.)
Beyond the federal government, IoT touches consumers who use wearable electronics, families buying state-of-the art appliances, businesses using internet-connected equipment, cities installing connected parking meters, and many others. Manufacturers need to provide trustworthy assurance that the devices the federal government, local jurisdictions, consumers and businesses purchase are authentic and run only software that is legitimately loaded by the manufacturer. And any device that runs software needs the ability to be updated in case vulnerabilities or other security issues are found.
Some IoT devices don’t provide a way to update software, and many more don’t offer a secure mechanism to do so. As an example, code signing with properly protected private signing keys helps ensure the authenticity and integrity of those updates, which is important to prevent the introduction of malware in the software-update process.
Rigorous testing of devices is also an important step in ensuring proper security. In today’s environment, leading organizations are increasingly inviting the public to test their defenses, and rewarding those that find issues accordingly. This approach makes sense as threats become increasingly sophisticated, and the number and type of devices increase rapidly.
Additionally, there are many industry groups, such as the Industrial Internet Consortium, that are producing robust frameworks for IoT security. That’s one of the reasons why we joined the IIC. The federal government can look to these expert groups to contribute to this and other efforts surrounding federal IoT regulations. While the IoT is still nascent, developing strong standards for secure and interoperable IoT ecosystems now will be key in securing the IoT of the future.