The U.S. Congress recently introduced legislation to address the growing concern for security on IoT devices purchased by the U.S. government.
Does the proposal go far enough? Let’s take a further look.
Legislators point out that connected devices are expected to exceed 20 billion units by 2020 and they say that insecure IoT devices are one of the “most important emerging cyberthreats” to U.S. national security. While the proposed bill wouldn’t require security standards for all IoT companies, it would require a bare minimum of security standards for any IoT devices that the federal government purchases. Their hope is that by improving security standards for the federal government, which is a prime customer, standards for the entire IoT market would improve along with it.
If the legislation passes, the IoT Cybersecurity Improvement Act would require that federal government use only IoT devices that meet the IoT security standards recommended by the National Institute of Standards and Technology (NIST).
To get a better idea as to where NIST is focusing their IoT standardization efforts, it helps to read their whitepaper published in October 2018, Internet of Things Trust Concerns. The publication identifies 17 technical trust-related concerns for individuals and organizations before and after IoT adoption. NIST emphasizes that trust should be viewed as a level of confidence. In their white paper, they consider trust on two levels: (1) whether a “thing” or device trusts the data it receives, and (2) whether a human trusts the “things,” services, data, or complete IoT offerings that it uses. This particular document focuses on the human trust, and as such, highlights technical concerns that can negatively affect one’s ability to trust IoT products and services.
The security concerns noted are: Scalability; Heterogeneity; Ownership and Control; Composability, Interoperability, Integration, and Compatibility; “Ilities”; Synchronization; Measurement; Predictability; Testing and Assurance; Certification; Security; Reliability; Data Integrity; Excessive Data; Performance; Usability; and Visibility and Discovery. All of these concerns are described in more detail in the white paper with suggestions, in some cases, to mitigate those risks.
In the security realm, they note that trust is a concern for all “things” in IoT systems. For example, sensor data may be tampered with, stolen, deleted, dropped, or transmitted insecurely, allowing it to be accessed by unauthorized parties. IoT devices may be counterfeited and default credentials used. Furthermore, unlike traditional personal computers, there are few secure upgrade processes for “things,” such as patches or updates.
The document elaborates on the issue of the usage of default passwords and credentials as an ongoing problem that has plagued the security community for some time. It further points out the weaknesses inherent in the upgrade process in which manufacturers deliver patches and updates for IoT devices that have yet to be mitigated with standard practices.
Finally, the white paper points out the significant differences in trust concerns for an IoT system compared to traditional IT systems, such as much smaller size and limited performance, larger and more diverse networks, minimal or no user interface, lack of consistent access to reliable power and communications, and many others.
The proposed legislation and NIST’s efforts to propose standardized security guidelines for IoT suppliers to the U.S. government is a move in the right direction. The risks in the IoT clearly necessitate new approaches to device planning and design to develop a firm root of trust in these devices. However, it is a movement that needs to be recognized and embraced by the global community as well.
In parallel to this effort, you might be interested in reading the Industrial Internet Consortium's view on the characteristics of Trustworthiness in Industrial IoT systems, in their Introduction into Trustworthiness.