This week, President Trump signed The IoT Cybersecurity Improvement Act, which has implications for the future of security in the connected world. Security experts weighed-in on what the law could mean for the industry:
According to Edgard Capdevielle, CEO of Nozomi Networks,a leader in OT and IoT security and visibility:
“The signing of the IoT Cybersecurity Improvement Act into law is a solid step forward for IoT security. Although it only applies to devices purchased or managed by the government, its purchasing power will provide a powerful incentive for manufacturers to adopt the standards. And while the hard work of developing device standards hasn’t been completed, NIST involvement will help drive global adoption of IoT device security standards that we believe will go a long way toward improving overall industrial and critical infrastructure security.
The IoT device security bill calls out four important areas for the creation of standards and guidelines to manage cybersecurity risks:
Secure development
Identity management
Patching
Configuration management
It also directs NIST to work with the U.S. Department of Homeland Security, along with “cybersecurity researchers and private-sector industry experts” to publish guidelines for reporting and remediating vulnerabilities. The guidelines will also need to align with “industry best practices” and widely adopted IT standards ISO 29147 (vulnerability disclosure) and 30111 (vulnerability handling).
You can never guarantee zero risk...that's why enterprise and industrial organizations must put additional security measures and technologies in place to shore up their IoT security.
That includes using AI-powered solutions that can quickly identify the hundreds or even thousands of IoT devices connected to the network and assess their level of risk or vulnerability to help prioritize fixes and response. By effectively managing vulnerabilities of their IoT devices, security teams are one step closer to protecting against cyber threats and the risk of downtime due to cyberattacks.
Nozomi’s 2020 OT/IoT Threat Landscape Report found that In the first six months of this year, hackers used IoT botnets and shifting ransomware tactics as their weapons of choice for targeting IoT devices in operational networks. With more than 5.8 million enterprise and automotive IoT devices expected to be connected to the Internet this year according to Gartner, this new law will help make IoT security a top priority.”
According to Yaniv Nissenboim, Vice President of Vdoo, a leader in securing connected devices:
“NIST has been anticipating the Act for over a year. A new set of NIST guidelines for IoT cybersecurity will soon be published. Given the focus on and demand for cybersecurity standards, we expect that federal agencies will quickly adopt the guidelines and insist on compliant products. We also expect the trend to spread to state governments (most have already introduced or passed IoT cybersecurity legislation) and then immediately onto private adopters and users. Companies that fail to demonstrate compliance might find themselves shut out of lucrative target markets for their IoT devices at some point.
We expect similar regulations and standards to emerge outside the US as well. Singapore has already launched a national rating system for connected devices' cybersecurity, and other nations will follow. This is an expected reaction of regulators to the increasing threat globally.
Given the device-development cycle, the time to get started is now.
IoT cybersecurity requires a very high level of expertise. The broad range of platforms, technologies, and protocols used in connected devices, as well as unique attack vectors and exploitation methods used by adversaries to compromise them, makes cybersecurity for these products a challenge. We expect to see more and more technologies for automating product security and compliance testing emerging to face this challenge. ”
###