Bipartisan bill jump-starts badly needed security for Internet of Things

Careful legislation needed to guide protection of growing number of hackable devices


Cybersecurity experts applauded the introduction of a new Senate bill in July that would mandate minimum security standards for the growing number of internet-connected devices and sensors used by the federal government.

The bipartisan bill, called the Internet of Things (IoT) Cybersecurity Improvement Act of 2017, is sponsored by the co-chairs of the Senate Cybersecurity Caucus, Sen. Mark Warner, D-Va., and Sen. Cory Gardner, R-Colo., and Sens. Ron Wyden, D-Ore., and Steve Daines, R-Mont.

The bill would require suppliers selling internet-connected equipment to the government to ensure their gadgets are patchable and conform to security standards. Suppliers also would be prohibited from selling devices with unchangeable passwords or known security vulnerabilities.


Craig Young, Tripwire security researcher

Craig Young, a security researcher for Oregon-based Tripwire, says the proposed bill is “a great step in the right direction.” He warns, however, to “proceed with caution and ensure all legislation is written with an understanding of the technology and the potential for long-term consequences.”

Young, who has done extensive smart-home research, says he has long advocated that governments should step in and prohibit the sale of internet-connected devices with hardcoded or default passwords. Legislators, he says, should consider “going a few steps further by mandating participation in an impartial and transparent bug bounty program.”

Rod Schultz, the chief product officer of San Francisco-based Rubicon Labs, says “the spirit” of the proposed Senate bill “is an indicator” that Congress has its sights set on the correct targets. On the other hand, he says, the enforcement of this type of legislation will create many new challenges.

Rod Schultz, Rubicon Labs chief product officer

Security needs rise as breaches increase

The frequency of IoT security breaches is rapidly increasing, he says, and “IoT security accountability will become more and more critical to the U.S. economy and infrastructure.”

Schultz says it’s far too easy to release digital products with security vulnerabilities, because “there is no time to test and fix.” The incentive to release products quickly “is driven by time to market and profit requirements,” he says.

The security failures of many compromised IoT devices “can rapidly escalate in scale and reach,” and have a big impact on critical infrastructure, Schultz says. “If IoT security is not addressed appropriately by vendors, it should not come as a surprise that legislation is proposed to fill that void.”

The previous model for IoT devices, says Mark Hearn, the IoT security director at the global cybersecurity company Irdeto, “was very often build, ship and forget.”

Mark Hearn, Irdeto director of IoT security

Hardwire security during development

“However, this approach to security is no longer acceptable,” he says. “An IoT security strategy—including protection, updates and upgrades—is crucial for all manufacturers. If the only way to ensure this is legislation, then this is a sensible move. However, the IoT market is a global one, and there is a need for a standardized approach for the market as a whole.”

The recent Global Consumer IoT Security Survey by Irdeto, which is based in the Netherlands and has U.S. offices, found that 90 percent of consumers polled from the United States and five other countries think it is important that a connected device has security built into it. And 77 percent of those polled, according to Hearn, said manufacturers have a responsibility to keep the device secure to prevent hacking.

Ray Rothrock, chairman and CEO of RedSeal, a Silicon Valley cybersecurity company, says projections show more than 75 billion IoT devices by 2025.

Ray Rothrock, RedSeal chairman and CEO

“Everything from sensors on generators to sensors in your toaster and refrigerator will be sending data over the internet for various reasons, most likely to get more precision and efficacy out of these devices,” Rothrock says. “Smartphones have about 12 sensors. A generator from General Electric has over 3,000 sensors, and all 3,000 send data out that affects how the generator is performing.”

Continuous, automated monitoring needed

Currently, there is no security solution for the risk of having IoT devices connected to networks, he says. With no solution and such tremendous growth expected, “there either has to be a total ban on IoT devices, which, for many reasons of mission, will probably never happen, or agencies must implement good old-fashioned network security best practices.”

Until the public demands or the government regulates that IoT devices be delivered with the ability to apply security updates—and not come with hard-coded user names and passwords that cannot be changed—“identification and isolation of these devices is the only recourse,” Rothrock says. “Because networks have grown so vast with technologies like cloud and SDN (software-defined networking), along with legacy networks that have built up over decades, it’s impossible for humans to continually validate that network segmentation policies are actually in place as intended or required. We’ll need automation to do the checking for us on a continuous basis.”

Vendors will step up to meet rules

Rothrock says the new Senate bill is very similar to the U.S. government requirement that vulnerability scanner vendors adopt the Common Vulnerabilities and Exposures (CVE) system of classifying and ranking vulnerabilities. “The government said it would only buy vulnerability scanners from vendors using the CVE ranking system, so every vendor now uses the system, allowing organizations to more easily understand the risks associated with identified vulnerabilities and talk in a common lexicon,” he says.

The Silicon Valley CEO expects a similar result if the Senate bill is passed, because vendors will be attracted to the federal government’s large budget.

“If the government wants to buy 1,000 refrigerators for their break rooms that are more efficient and precise because of built-in IoT sensors, only manufacturers that meet the criteria will be considered,” Rothrock says. “The result is that manufacturers are going to build refrigerators that meet the requirements for the government and for consumers, because they will not want to invest in separate manufacturing lines. The impact to the internet will be a reduced risk of another Mirai botnet DDoS attack because of unsecured, unpatched IoT devices. This will not totally get rid of IoT risk, but may bring it down to an acceptable level of risk.”

The IoT market is projected to be worth more than $1 billion annually beginning this year, Rothrock says. “The next security company that can secure IoT devices is the one to invest in.”


