Feb 16, 2021 | 6 min read

Momenta's Take #25

New Legislation Addresses Growing IoT Security Threats


Cybersecurity has moved to the forefront with the recent SolarWinds hack, in which U.S. government agencies and leading corporations were compromised by a highly sophisticated software-supply-chain attack. The SolarWinds compromise is being regarded as a massive act of espionage: the attackers stole data and established persistent, unauthorized access to their victims' information technology environments.

Every IoT device is an attack surface that can serve as an entry point for attackers to reach private data. A Comcast report found that the average household is hit with 104 threats every month. With 44 billion IoT endpoints today (expected to triple by 2025), attackers have a growing number of targets on which to plant malware, and compromised devices can also be marshalled into distributed denial of service (DDoS) attacks with devastating impact. Ransomware attacks are growing rapidly: a 3Q20 study from Check Point Research reported a 50% increase in the daily average number of ransomware attacks compared with the first half of the year.

Criminals using Covid-19 to exploit loopholes

The recently published Nokia Threat Intelligence Report 2020 found that IoT devices now account for 33% of all infections observed in mobile networks, double their share in 2019. Nokia also describes new attacks disguised as contact tracing apps, or as a "Coronavirus Map" application that mimics the legitimate Johns Hopkins Covid-19 map; these are aimed at stealing sensitive information from users.

The challenges extend to public infrastructure as well. On February 5 an attacker broke into the water treatment system of Oldsmar, Florida, and temporarily raised the amount of lye (sodium hydroxide) added to the drinking water to a toxic level before an operator noticed the change and reverted the setting. Officials said redundant safeguards would have triggered alarms had the malicious setting not been caught, but the attack raises concerns about the vulnerability of municipal and public infrastructure.


IoT Cybersecurity Improvement Act becomes law

There has been growing concern about the need for regulation of IoT devices, and the U.S. Federal Government has finally taken action. On December 4, 2020, the IoT Cybersecurity Improvement Act was signed into law. It is an important regulatory step toward addressing the supply chain risk that insecure IoT devices pose to the federal government. The law's stipulations currently apply only to IoT devices purchased with government money, which must meet minimum security standards. The implications are far broader: as manufacturers bring their products into compliance, consumers and businesses will benefit as well. The Act establishes light-touch, minimum security requirements for government procurement of connected devices, including:

  • The Act requires the National Institute of Standards and Technology (NIST) to develop and publish standards and guidelines for the federal government on the appropriate use and management of IoT devices that agencies own or control and that are connected to agency IT systems. These standards will include minimum information security requirements for managing the cybersecurity risks associated with such devices.
  • The Office of Management and Budget (OMB) is required to review agency information security policies and principles to ensure they are based on, and consistent with, the NIST standards and guidelines.
  • NIST and OMB will review and revise these standards, guidelines and policies at least every five years.
  • NIST will develop and publish guidelines for agency, contractor and subcontractor communications regarding security vulnerabilities, and OMB will develop and oversee the policies that implement them.
  • Agencies will be prohibited from buying or using an IoT device that is determined not to meet the standards and guidelines established by NIST and OMB (the Act does allow an agency head to waive this prohibition, for example where a device is secured by alternative, effective methods). Contractors supplying IoT devices to the U.S. government will also need to adopt coordinated vulnerability disclosure policies.

NIST has already published a draft of its cybersecurity guidance. With the rise of 5G there will be even more devices that are always connected, and therefore always exposed to attack. By requiring IoT devices used by U.S. government agencies to meet security guidelines set by NIST, the Act will force manufacturers to take security into account when bringing new devices to market. Manufacturers very often cut corners on security to reduce cost and speed time to market; with the increasing diversity of capabilities and price points in IoT devices, the legislation should help to reduce some of that attack surface.



Momenta encompasses leading Strategic Advisory, Talent, and Ventures practices with over 200 IoT leadership placements, 125 industry clients and 40+ young IoT disruptors in our portfolio. Schedule a free consultation to learn more about our Digital Industry practice and services.