Bipartisan bill jump-starts badly needed security for Internet of Things
Careful legislation needed to guide protection of growing number of hackable devices
By Gary Stoller, ThirdCertainty
Cybersecurity experts applauded the introduction of a new Senate bill in July that would mandate minimum security standards for the growing number of internet-connected devices and sensors used by the federal government.
The bipartisan bill, called the Internet of Things (IoT) Cybersecurity Improvement Act of 2017, is sponsored by the co-chairs of the Senate Cybersecurity Caucus, Sen. Mark Warner, D-Va., and Sen. Cory Gardner, R-Colo., and Sens. Ron Wyden, D-Ore., and Steve Daines, R-Mont.
The bill would require suppliers selling internet-connected equipment to the government to ensure their gadgets are patchable and conform to security standards. Suppliers also would be prohibited from selling devices with unchangeable passwords or known security vulnerabilities.
Craig Young, a security researcher for Oregon-based Tripwire, says the proposed bill is “a great step in the right direction.” He warns, however, to “proceed with caution and ensure all legislation is written with an understanding of the technology and the potential for long-term consequences.”
Young, who has done extensive smart-home research, says he has long advocated that governments should step in and prohibit the sale of internet-connected devices with hardcoded or default passwords. Legislators, he says, should consider “going a few steps further by mandating participation in an impartial and transparent bug bounty program.”
Rod Schultz, the chief product officer of San Francisco-based Rubicon Labs, says “the spirit” of the proposed Senate bill “is an indicator” that Congress has its sights set on the correct targets. On the other hand, he says, the enforcement of this type of legislation will create many new challenges.
Security needs rise as breaches increase
The frequency of IoT security breaches is rapidly increasing, he says, and “IoT security accountability will become more and more critical to the U.S. economy and infrastructure.”
Schultz says it’s far too easy to release digital products with security vulnerabilities, because “there is no time to test and fix.” The incentive to release products quickly “is driven by time to market and profit requirements,” he says.
The security failures of many compromised IoT devices “can rapidly escalate in scale and reach,” and have a big impact on critical infrastructure, Schultz says. “If IoT security is not addressed appropriately by vendors, it should not come as a surprise that legislation is proposed to fill that void.”
The previous model for IoT devices, says Mark Hearn, the IoT security director at the global cybersecurity company Irdeto, “was very often build, ship and forget.
Hardwire security during development
“However, this approach to security is no longer acceptable,” he says. “An IoT security strategy—including protection, updates and upgrades—is crucial for all manufacturers. If the only way to ensure this is legislation, then this is a sensible move. However, the IoT market is a global one, and there is a need for a standardized approach for the market as a whole.”
The recent Global Consumer IoT Security Survey by Irdeto, which is based in the Netherlands and has U.S. offices, found that 90 percent of consumers polled from the United States and five other countries think it is important that a connected device has security built into it. And 77 percent of those polled, according to Hearn, said manufacturers have a responsibility to keep the device secure to prevent hacking.
Ray Rothrock, chairman and CEO of RedSeal, a Silicon Valley cybersecurity company, says projections show more than 75 billion IoT devices by 2025.
“Everything from sensors on generators to sensors in your toaster and refrigerator will be sending data over the internet for various reasons, most likely to get more precision and efficacy out of these devices,” Rothrock says. “Smartphones have about 12 sensors. A generator from General Electric has over 3,000 sensors, and all 3,000 send data out that affects how the generator is performing.”
Continuous, automated monitoring needed
Currently, there is no security solution for the risk of having IoT devices connected to networks, he says. With no solution and such tremendous growth expected, “there either has to be a total ban on IoT devices, which, for many reasons of mission, will probably never happen, or agencies must implement good old-fashioned network security best practices.”
Until the public demands or the government regulates that IoT devices be delivered with the ability to apply security updates—and not come with hard-coded user names and passwords that cannot be changed—“identification and isolation of these devices is the only recourse,” Rothrock says. “Because networks have grown so vast with technologies like cloud and SDN (software-defined networking), along with legacy networks that have built up over decades, it’s impossible for humans to continually validate that network segmentation policies are actually in place as intended or required. We’ll need automation to do the checking for us on a continuous basis.”
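The continuous, automated segmentation check Rothrock describes, as an added example that is not from the article or from RedSeal: it evaluates a first-match firewall ruleset against a declared segmentation intent for an isolated IoT segment and reports every violation, including the case where a later, undocumented broad allow rule silently shadows the IoT deny rule. All CIDRs and rules are constructed sample values.

```python
"""Continuous segmentation check for an IoT network segment (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    src: str     # source CIDR
    dst: str     # destination CIDR
    action: str  # "allow" or "deny"

# Constructed sample: 10.50.0.0/16 is the isolated IoT segment, 10.10.0.0/16
# the corporate LAN, 203.0.113.10 the vendor update server devices need for patching.
BASELINE = [
    Rule("10.50.0.0/16", "203.0.113.10/32", "allow"),  # IoT may fetch updates
    Rule("10.50.0.0/16", "10.0.0.0/8", "deny"),        # IoT may not reach internal nets
    Rule("10.10.0.0/16", "10.0.0.0/8", "allow"),       # corp may manage IoT devices
]

# Same ruleset after an undocumented change: a broad allow at the top now
# shadows the IoT deny rule. This is the drift the automated check must catch.
DRIFTED = [Rule("10.0.0.0/8", "10.0.0.0/8", "allow")] + BASELINE

# Segmentation intent: (source segment, destination segment, expected action)
INTENT = [
    ("10.50.0.0/16", "10.10.0.0/16", "deny"),       # IoT must not reach corp LAN
    ("10.50.0.0/16", "203.0.113.10/32", "allow"),   # IoT must stay patchable
    ("10.10.0.0/16", "10.50.0.0/16", "allow"),      # corp may reach IoT
]

def decide(rules, src_ip, dst_ip):
    """First matching rule wins; anything unmatched is denied."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst):
            return r.action
    return "deny"

def probes(cidr):
    """First and last usable host of a segment, to catch edge-of-range mistakes."""
    net = ip_network(cidr)
    if net.num_addresses <= 2:
        return [str(net[i]) for i in range(net.num_addresses)]
    return [str(net[1]), str(net[-2])]

def validate(rules, intent):
    """Return (src, dst, expected, actual) for every probe that breaks the intent."""
    violations = []
    for src_seg, dst_seg, expected in intent:
        for s in probes(src_seg):
            for d in probes(dst_seg):
                actual = decide(rules, s, d)
                if actual != expected:
                    violations.append((s, d, expected, actual))
    return violations
```

Run `validate` on a schedule against the exported ruleset; a non-empty result is the alert that segmentation no longer matches intent.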
Vendors will step up to meet rules
Rothrock says the new Senate bill is very similar to the U.S. government requirement that vulnerability scanner vendors adopt the Common Vulnerabilities and Exposures (CVE) system of classifying and ranking vulnerabilities. “The government said it would only buy vulnerability scanners from vendors using the CVE ranking system, so every vendor now uses the system, allowing organizations to more easily understand the risks associated with identified vulnerabilities and talk in a common lexicon,” he says.
The Silicon Valley CEO expects a similar result if the Senate bill is passed, because vendors will be attracted to the federal government’s large budget.
“If the government wants to buy 1,000 refrigerators for their break rooms that are more efficient and precise because of built-in IoT sensors, only manufacturers that meet the criteria will be considered,” Rothrock says. “The result is that manufacturers are going to build refrigerators that meet the requirements for the government and for consumers, because they will not want to invest in separate manufacturing lines. The impact to the internet will be a reduced risk of another Mirai botnet DDoS attack because of unsecured, unpatched IoT devices. This will not totally get rid of IoT risk, but may bring it down to an acceptable level of risk.”
The IoT market is projected to be worth more than $1 billion annually beginning this year, Rothrock says. “The next security company that can secure IoT devices is the one to invest in.”