US Congress Passes IoT Cybersecurity Bill
What does this legistration do?
It's been a long time coming, but earlier last week Congress passed the IoT Cybersecurity Improvement Act of 2020. This legislation direct the Commerce Department’s National Institute of Standards and Technology (NIST) to establish baseline security requirements for any IoT manufacturer that wants to do business with the federal government, in areas such as patching or identity management. The bill seeks to leverage the purchasing power of the federal government to push IoT manufacturers who wish to provide federal agencies with IoT devices to meet baseline security standards for those contracts. The hope is that through a baseline policy, the wider consumer market will adopt these standard security requirements much like the EnergyStar legislation impacted energy efficiency standards.
Why did it need to be addressed?
The rise of IoT devices in consumer & enterprise settings has more than double between 2018 (7 Billion) & 2019 (26.66 Billion). Every second 127 new IoT devices are connected to the web. As more and more equipment becomes connected to the internet, the attack vectors will continue to grow exponentially. Moving the cybersecurity standards for these devices will set the pace for shoring up risks that have yet to be a priority for manufacturers and industries who heavily utilize IoT.
How Can You Safeguard Against IoT Threat Actors?
There are various methods at your disposal to assess and mitigate cybersecurity attacks through IoT devices. Consider the following steps to address you security posture:
Account for all data on the IoT system
All information that is captured, stored or shipped on the IoT device should be mapped and secured accordingly. This could include configurating default credentials or ports associated with the communication, admin access controls to manage the device and other areas where the device could contain confidential information. Understanding what security protocols data is secured with at Rest, In Transit & In Use states are key to accounting for all information cycles of your IoT devices.
Maintain a Security First Mindset
Each device that is connected to the network must maintain strict security configurations in order to reduce the vulnerability of unauthorized access to the IoT system. Strong user & password combinations are a must and other safeguards such as multi-factor authentication and connection encryption are a best practice. At RLCS, we recommend these steps to maintain a security first approach to securing an IoT system:
- Physical or Virtual Network Segmentation: Dedicating a separate physical network switch or a virtual switch (VLAN) configuration for ingress & egress IoT network traffic will provide a layer of security through segmentation.
- Dedicated Wireless SSID: If your IoT devices require a wireless connection to route network traffic, creating a separate SSID exclusively for those devices is another way to segment off network traffic and minimize lateral movement within your business network, if an IoT device is compromised by a threat actor.
- Cryptographic Protocols for Transmission: Some IoT devices (and we hope more in the future) support encryption protocols for data transmission. Having endpoint to endpoint encryption is a recommended way to limit exposure to botnets, Man-in-the-Middle attacks & general data snooping. a VPN can be configured in many different was but we recommend utilizing an OpenVPN standardization for flexible implementation.
Assume the Worst Case
No cybersecurity policy is unbreakable. Manage your IoT systems with the assumption you will have to continuingly finetune your security approach and take into account new tactics and vulnerabilities. This could contain or reduce the impacts of a successful cyber attack.
Physical Security is Still Cybersecurity
Unrestricted physical access to your IoT device is still a cybersecurity vulnerability, regardless of the internal security measures put in place. If an IoT device itself has no tampering safeguards or physical access controls, malicious hardware or software could be implanted and cause system failures or help aid the spread of malware across your entire network system.
How RLCS Can Help Secure Your Business Critical IoT Systems?
We provide our clients with in-depth cyber security threat analysis and penetration testing. This process uncovers vulneribilities to your critcial business systems and tighten your IT security measures. For more information on how we can provide an innovative solutions for your business, visit our website, check out more news & updates, or follow us on LinkedIn.