The IoT cybersecurity improvement act: What does it mean, and how do we get ready for it?
Security concerns have been dominating news about IoT as of late, and with good reason. A recent survey shows that nearly half of U.S. firms using an IoT network have been hit by a security breach. With this kind of frequency, it’s no wonder the IoT Cybersecurity Improvement Act of 2017 was proposed.
Although designed primarily for vendors seeking government contracts, the bill has the potential to set key standards for the future of industry-wide IoT development, and can greatly influence the overall progress of IoT, says Amir Haleem, CEO of Helium.
The goal of the IoT Cybersecurity Improvement Act of 2017 is to “provide minimal cybersecurity operational standards for Internet-connected devices purchased by Federal agencies, and for other purposes.”
Under the proposed legislation, vendors will need to meet a number of requirements before they can contract with government agencies, including:
- Devices must be free from any known vulnerabilities and defects
- Devices must be able to receive regular, properly authenticated software updates from the vendor
- Devices must not include any fixed or hard-coded credentials used for remote administration, the delivery of updates, or communication
Considering the safety and economic implications of privately owned IoT networks, however, it is entirely likely that regulations such as these will be expanded beyond government contracts. Ted Koppel has warned that an IoT attack on the U.S. power grid could cause a massive outage, and when researchers in Israel demonstrated an attack that took control of the “smart lightbulbs” in a city block of offices, it showed that this is not mere alarmism.
For companies, such attacks can pose existential threats: DNS provider Dyn's 2016 DDoS attack may have cost it 8% of its business. So while we can certainly expect more regulation and industry standards, organisations should take their own proactive steps to secure their systems rather than wait for them.
Steps every company should take
It should be clear that the standard approaches to securing a network (patches, firewalls, malware detection, educating employees and so forth) are not going to be sufficient to stem IoT threats. The combination of backend software infrastructure and large numbers of remotely deployed devices, many of them unattended and hard to patch, adds new dimensions to security that require a new way of thinking about it.
However, there are a few steps that companies should take in order to ensure that they can not only prevent attacks, but also comply with up-and-coming legislation:
- Provision a unique key on each individual device, rather than one shared key per gateway that covers a region, so that every device can be monitored, managed and revoked on its own
- Never use a device's root key directly; derive separate subkeys from it for each specific function (telemetry, update delivery, remote administration), so that a key exposed in one role cannot be reused in another
- Rotate keys regularly, so that even if a device or key is compromised, an attacker can use it for only a short timeframe
- Centralise visibility and control over the system so that you can quarantine and disable suspicious devices directly
- Leverage hardware-based security, that is, protection produced by a physical component (a secure element or similar root of trust) rather than by software installed on the device, a tactic which analyst Patrick Moorhead has asserted is more secure than software because it cannot be altered, and which may prevent malware from infiltrating the operating system and virtualisation layer
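The first four steps above fit together as one key hierarchy. The example below, added here and not code from Helium or from the original post, shows a hypothetical design: a fleet master key that lives only in the backend (assumed to be held in an HSM) derives one root key per device, each device derives purpose- and epoch-bound subkeys with HKDF (RFC 5869), the backend rotates keys by advancing the epoch, and a central registry can quarantine a device. The device identifiers, purposes and message are constructed for the demonstration.

```python
"""Added example: per-device key hierarchy with purpose-specific subkeys,
epoch-based rotation and central quarantine. Hypothetical design, not
Helium's or any product's code. Assumes a fleet master key that lives only
in the backend (ideally an HSM) and is never sent to a device."""
import hashlib
import hmac
import os

HASH = hashlib.sha256
KEY_LEN = 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with HMAC-SHA256: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """RFC 5869 HKDF-Expand: output bound to `info`, so different labels
    give unrelated keys even from the same PRK."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_device_key(master_key: bytes, device_id: str) -> bytes:
    """One root key per device: learning device A's key says nothing about B."""
    prk = hkdf_extract(salt=b"iot-fleet-v1", ikm=master_key)  # salt label is an assumption
    return hkdf_expand(prk, b"device:" + device_id.encode())


def derive_purpose_key(device_key: bytes, purpose: str, epoch: int) -> bytes:
    """Subkey bound to one function (telemetry/update/admin) and one epoch.
    A key leaked from one function or epoch does not unlock another."""
    return hkdf_expand(device_key, f"purpose:{purpose}|epoch:{epoch}".encode())


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH).digest()


class FleetRegistry:
    """Central view of the fleet: re-derives keys, advances epochs, quarantines."""

    def __init__(self, master_key: bytes):
        self._master = master_key
        self.epoch = {}            # device_id -> current key epoch
        self.quarantined = set()

    def enroll(self, device_id: str) -> bytes:
        self.epoch[device_id] = 1
        return derive_device_key(self._master, device_id)  # provisioned at manufacture

    def rotate(self, device_id: str) -> int:
        self.epoch[device_id] += 1   # old epoch keys stop verifying immediately
        return self.epoch[device_id]

    def quarantine(self, device_id: str) -> None:
        self.quarantined.add(device_id)

    def verify(self, device_id: str, purpose: str, msg: bytes, tag: bytes) -> bool:
        if device_id in self.quarantined or device_id not in self.epoch:
            return False
        key = derive_purpose_key(derive_device_key(self._master, device_id),
                                 purpose, self.epoch[device_id])
        return hmac.compare_digest(mac(key, msg), tag)


class Device:
    """Device side: holds only its own root key and derives subkeys locally."""

    def __init__(self, device_id: str, device_key: bytes):
        self.device_id, self._key, self.epoch = device_id, device_key, 1

    def sign(self, purpose: str, msg: bytes) -> bytes:
        return mac(derive_purpose_key(self._key, purpose, self.epoch), msg)


def demo() -> dict:
    """Walk through the properties the list above asks for; every value is True."""
    fleet = FleetRegistry(os.urandom(32))           # constructed master key
    sensor = Device("sensor-0001", fleet.enroll("sensor-0001"))
    other = Device("sensor-0002", fleet.enroll("sensor-0002"))
    reading = b'{"temp_c": 21.4}'                   # constructed telemetry
    tag = sensor.sign("telemetry", reading)
    out = {"valid_telemetry": fleet.verify("sensor-0001", "telemetry", reading, tag),
           # A telemetry MAC must not be accepted as an update/admin message.
           "purpose_bound": not fleet.verify("sensor-0001", "update", reading, tag),
           # Another device's root key cannot forge this device's traffic.
           "per_device": not fleet.verify("sensor-0001", "telemetry", reading,
                                          other.sign("telemetry", reading))}
    sensor.epoch = fleet.rotate("sensor-0001")      # rotation: old tag dies
    out["old_epoch_rejected"] = not fleet.verify("sensor-0001", "telemetry", reading, tag)
    out["new_epoch_accepted"] = fleet.verify("sensor-0001", "telemetry", reading,
                                             sensor.sign("telemetry", reading))
    fleet.quarantine("sensor-0001")                 # central kill switch
    out["quarantined_rejected"] = not fleet.verify("sensor-0001", "telemetry", reading,
                                                   sensor.sign("telemetry", reading))
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the `info` labels is that the telemetry, update and administration keys of one device, and the keys of two different devices, are computationally unrelated even though the backend can re-derive all of them from the single master key; this is what lets a compromised sensor be quarantined without touching the rest of the fleet. In production the epoch would be carried in each message (or agreed on a schedule) rather than set by hand as the demo does.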
According to IDC, IoT investment is expected to total $1.4 trillion (€1.17 trillion) by 2021. IoT systems have already taken around twenty-five billion devices online, and according to a Hewlett Packard study, 70 to 80% of them may lack encryption and sufficient password protection.
These are prime targets for some of the most damaging kinds of cyber attack, and companies need to take action now to ensure that they are protected. With the right approach, however, companies can build IoT networks that are highly secure, ensuring that the tremendous economic potential offered by IoT comes to fruition.
The author of this blog is Amir Haleem, CEO of Helium