Federal agencies have been steadily adopting and deploying sensors as part of the Internet of Things, but the security of IoT devices has been a constant concern for government IT leaders, especially at the Pentagon. Now, there’s more momentum than ever to make sure federal IoT environments are secured.
Last month, the National Institute of Standards and Technology released a draft interagency report on IoT cybersecurity standards. The report concludes that without a standardized set of cybersecurity requirements, malicious actors could exploit security gaps and IoT systems could be vulnerable to cyberattacks.
NIST emphasizes the need for voluntary security standards, especially because the IoT industry is dynamic and in flux. However, there are legislative efforts underway designed to regulate certain standards of IT security for IoT systems in the government.
The report comes as several international initiatives to set IoT standards heat up. As FCW reports: “Security certification efforts underway in China and Europe, as well as a significant uptick this year in the use of botnet amplification attacks, has put U.S. agencies and industry in a race to set international baseline security standards for connected devices.”
NIST Offers Guidance on IoT Security
The draft NIST report, which the agency is taking public comments on through April 18, notes that “while there is no universal definition of IoT, common elements exist among the many high-level definitions and descriptions for IoT.” To NIST, IoT has two foundational elements: components connected by a network providing the potential for many-to-many relationships and some components with sensors and actuators that allow them to interact with the physical world.
“The growth of network-connected devices, systems, and services comprising the Internet of Things creates immense opportunities and benefits for our society,” the report states. “However, to reap the great benefits of IoT and to minimize the potentially significant risks, these networked connected devices need to be secure and resilient. This depends in large part upon the timely availability and widespread adoption of clear and effective international cybersecurity standards.”
The report describes five IoT technology application areas (and acknowledges the list is not exhaustive): connected vehicles, consumer IoT, health IoT, smart buildings and smart manufacturing. The report also describes 11 core cybersecurity areas and provides examples of relevant standards. The report notes that “cybersecurity for IoT is unique and will require tailoring of existing standards, as well as creation of new standards to address pop-up network connections, shared system components, the ability to change physical aspects of the environment, and related connections to safety.”
Without standards, IoT systems could have gaps in many areas, including cryptographic techniques, cyber incident management, network security, information security management systems, software assurance and more.
NIST recommends that agencies participate in the development of IoT security standards in standards-developing organizations and, based on each agency’s mission, cite appropriate standards in agency procurements.
Additionally, NIST recommends that agencies “support the development of appropriate conformity assessment schemes to the requirements in such standards,” citing the adoption of the Wi-Fi logo for products and devices that have been tested and certified by the Wi-Fi Alliance, a nonprofit member organization whose goal is to ensure that any device carrying the logo connects seamlessly to any Wi-Fi network.
However, NIST says that adoption of standards must be undertaken carefully to be successful. “The decision on the type, independence and technical rigor of conformity assessment should be risk-based,” the report says. “The need for confidence in conformity must be balanced with the cost to the public and private sectors, including their international operations and legal obligations. Successful conformity assessment provides the needed level of confidence, is efficient, and has a sustainable and scalable business model.”
Lawmakers Consider IoT Security Standards
Michael Hogan, the NIST official charged with editing the draft report, said at a public meeting of the Information Security and Privacy Advisory Board on March 16 that he was unsure of the need for mandatory IoT security certifications, according to FCW. He noted that Congress could pass legislation, but that NIST would be “neutral” on the issue, because it would be expensive and IoT is still evolving. “Maybe it needs to be done, but it’s not trivial,” Hogan said.
In August, a group of U.S. senators introduced a bill that would require vendors who supply the government with IoT devices “to ensure that their devices are patchable, do not include hard-coded passwords that can’t be changed, and are free of known security vulnerabilities, among other basic requirements,” according to a statement.
The legislation, the Internet of Things Cybersecurity Improvement Act of 2017, directs the Office of Management and Budget to develop alternative network-level security requirements for devices with limited data processing and software functionality, the statement notes. That way, Reuters reports, agencies could ask OMB “for permission to buy some noncompliant devices if other controls, such as network segmentation, are in place.”
The legislation also would direct the Department of Homeland Security’s National Protection and Programs Directorate to issue guidelines for each agency with respect to any connected device in use by the government and include policies and procedures for conducting research on the cybersecurity of an IoT device. Sens. Mark Warner, D-Va., and Cory Gardner, R-Colo., co-chairs of the Senate Cybersecurity Caucus, introduced the bill along with Sens. Ron Wyden, D-Ore., and Steve Daines, R-Mont.
Meanwhile, Sen. Ed Markey, D-Mass., and Rep. Ted Lieu, D-Calif., have encouraged fellow lawmakers to move forward with their proposed bill, the Cyber Shield Act, which would create a voluntary cybersecurity certification program for IoT devices. “The IoT era could also be considered the ‘Internet of Threats’ era if appropriate cybersecurity safeguards are not in place,” Markey said during a prerecorded video statement released during the Institute for Critical Infrastructure Technology’s winter summit on Jan. 29, according to Federal News Radio.
The bill, if passed, would allow the Commerce Department to set up an advisory committee of cybersecurity experts from academia, industry and consumer advocacy groups to create cybersecurity standards for IoT devices.
Federal News Radio reports: “Under the legislation, device manufacturers would voluntarily submit their products for evaluation. Products that meet the advisory board’s cybersecurity standards would carry a cyber shield logo. The system has been compared to the Energy Star program developed by the Environmental Protection Agency more than 20 years ago.”