Security experts are lauding the recent passing by the US Senate on a ground-breaking internet-of-things (IoT) security regulatory law.
They praised the newly approved IoT law as a positive step for insecure connected US Federal devices.
The IoT Cyber-Security Improvement Act, which was led in US bipartisan sponsorship by Reps. Will Hurd (R-Texas) & Robin Kelly (D-Ill.), would require the federal procurement & use of IoT devices to conform to basic security requirements.
This act was unanimously passed by the US House of Representatives in Sept., & by the US Senate earlier this week; the next step is for it to be sent to the President to be signed into law.
“Through the Act, the Federal Govt. can lead by example in implementing basic IoT security standards & best practices for devices it buys & manages, & drive contractors’ adoption of standards-based coordinated vulnerability disclosure processes,” according to Harley Geiger, Director of Public Policy at Rapid7, in a recent post.
The IoT Cyber-Security Improvement Act
The IoT Cyber-Security Improvement Act has several different parts. 1st, it mandates that NIST must issue standards-based guidelines for the minimum security of IoT devices that are owned by the Federal Govt. The Office of Management & Budget (OMB) must also implement requirements for federal civilian agencies to have information-security policies that are consistent with these NIST guidelines.
Under the law, Federal Agencies must also implement a vulnerability-disclosure policy for IoT devices, & they cannot procure devices that don’t meet the security guidelines.
NIST has been developing “considerations” for manufacturer-based IoT security measures, which they have recommended since 2019. NIST’s EU counterpart, the European Union Agency for Network & Information Security (ENISA), has already published baseline security recommendations for IoT devices.
Rapid7’s Geiger stated that he hopes the bill signals strengthened commitment from the US Federal Govt. to work on IoT security.
“While we support strong IoT security, we believe it is best implemented in a co-ordinated manner, avoiding a patchwork between US states or internationally,” he observed. “This will take sustained engagement from both the public & private sectors, but the passage of the IoT Cyber-Security Improvement Act & the lessons to be learned in its implementation will be invaluable to this process.”
IoT Regulatory Efforts
Regulatory efforts worldwide continue to intensify, including a California Senate Bill 327 (SB-327), which requires “reasonable security feature or features that are appropriate to the nature & function of the device.” SB-327 was 1st proposed in 2018 & became effective in Jan. (although it did draw backlash from the security community for not going far enough).
Meanwhile, in 2019 the UK Govt. announced a mandate promising new requirements for IoT manufacturers. Those include improvements around unique device passwords & policies around security updates.
“Fixing IoT security requires a concerted effort across the supply chain, not on fixing a singular technology or vulnerability. Establishing better standards & accountability for securing devices & their software is a positive development,” Jack Mannino, CEO at nVisium, observed.
“Many devices have remained plagued by vulnerabilities for years, & if we want to do a better job in the future, we have to start now.”
Dirk Schrader, Global VP at New Net Technologies (NNT), explained that security measures like the IoT Cyber-Security Improvement Act “improves the security posture overall.”
“Having basic cyber-security requirements in place that vendors need to adhere to for any kind of internet-connected device is a good move,” Schrader explained.
“It will be interesting to see how this is enforced & monitored, as we have already a few of these requirements out there, like the HIPAA security rule.”