IoT Security Compliance. IoT Security Standards. IoT Security Frameworks. All new buzzwords that are picking up steam.
So imagine our surprise when we talk to IoT device manufacturers about why they continue to ship products with bad security and the reason they don’t fix it. To manufacturers of IoT devices it’s quite simple: customers are not demanding it.
Ok, but does a builder construct a house without locks because no one explicitly asked for locks? Of course not!
There are numerous IoT security standards and regulations under development. But a standard means nothing if it cannot be enforced.
Ah, but things are changing….
Policy makers recognize that without “market incentives” (i.e. customer demand) manufacturers will not spend money on security, especially with the already tight margins on many IoT devices. Device makers are going to find themselves losing access to key markets if they don’t start cleaning up their security act. Here are two examples of recent developments in the United States.
IoT Compliance Standards with Penalties
In March, the bi-partisan Cyberspace Solarium Commission issued its recommendations on a whole of nation strategy for defending the US from cyberattacks. The report included 57 different legislative proposals to put the strategy in place. This summer, many of the proposals are under consideration in Congress, particularly in the annual budget for the DOD.
Two sections of recommendations are particularly important for the IoT market, under the overall strategy to “Reshape the Cyber Ecosystem Toward Greater Security”. The recommendation:
“seeks to promote the creation of more secure technology—both by incentivizing product manufacturers to scrap a ‘first to market’ mentality in favor of a ‘secure to market’ approach and by ensuring that they have access to trusted suppliers.” (p. 71)
Recommendation 4.1 is to establish a “National Cybersecurity Certification and Labelling Authority.” While voluntary, companies will need to attest to the security of their products against published standards. And the FTC will be empowered to levy fines for false attestation.
Consumers will be educated to make purchasing decisions by comparing the security label, like they do with Certified Organic products. Federal purchasing guidelines would be updated to require these labels.
Recommendation 4.2 has more teeth – it would make final good assemblers of devices liable for shipping products with known vulnerabilities:
“Congress should therefore enact legislation establishing that final goods assemblers of software, hardware, and firmware are liable for damages from incidents that exploit vulnerabilities that were known at the time of shipment or discovered and not fixed within a reasonable amount of time.” (p. 76)
Getting these recommendations passed into law may take time. However, it is clear that policy makers recognize that the lack of IoT device security is a national security threat. Therefore, many legislators are working hard to make the market require better security practices.
IoT Security Compliance Frameworks
In 2018 the NIST Cybersecurity for IoT Program published a report on botnets. The report was ordered by President Trump in Executive Order 13800 to Strengthen the Cybersecurity of Federal Networks and Critical Infrastructure. This included a “Botnet Roadmap” defining the steps forward to address the lack of IoT security.
NIST has been very active in this area. They published final baseline guidelines at the end of May for IoT Security in NISTIR 8259 and 8259A. And as defined in the roadmap, NIST is now working on drafts of the “Federal Profile” for NISTIR 8259.
“The Federal Profile will identify the default minimum set of technical and non-technical capabilities necessary for any type of IoT device used within a Federal environment. The Federal profile may also be useful to non-Federal organizations, or they may choose to create their own baseline profiles by choosing a different set of capabilities and elements from the catalog.”
Soon these will be incorporated into the Federal Acquisition Regulations (FAR). That means if you want to sell your IoT device to the Federal government, it will need to meet cybersecurity standards. And the Botnet Roadmap includes the development of similar profiles for different verticals, including home users.
Comply or Die a Slow Death
These are just two recent developments that show the writing is on the wall for IoT device manufacturers to take firmware security seriously. Just as cloud software companies needed to incorporate best practices in cybersecurity to achieve compliance for their customers, IoT developers need to do the same. Starting now. They need to build robust product security development practices if they wish to remain viable in the marketplace. Otherwise, they will die a slow death.