Perfection in Protection, Licensing, and Security

U.S. Introduces Legislation to Improve Cybersecurity of IoT Devices: Is it Enough?

WIBU-SYSTEMS AG
Marketing WIBU-SYSTEMS AG on August 24, 2017 at 5:52 AM

U.S. Senators recently introduced legislation intended to improve the cybersecurity of Internet-connected devices. The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would require that devices purchased by the U.S. government meet certain minimum security requirements. The main points of the bill are aimed at vendors that supply the U.S. government with IoT devices: they would have to ensure that their devices are patchable, do not include hard-coded passwords that can’t be changed, and are free of known security vulnerabilities.

Senator Mark Warner, a co-author of the bill, stated: “My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products.”

The recent spate of malware attacks and the public exposure of IoT device vulnerabilities in so many sectors have elevated the visibility of cybersecurity, and it is encouraging to see these issues being addressed at the highest levels. While this legislation is a positive step forward, the effort raises the question: is it enough? If the answer is no, then the responsibility is on the device developers (where it should be) to step up their efforts to use technologies that are available today to ensure that the devices proliferating in the commercial markets are safe, preserve privacy, and maintain data security.

The many facets of security that need to be addressed with Internet-connected devices go well beyond the security requirements put forth in the IoT Cybersecurity bill. For example, developers need to consider authentication or licensing of components based on their unique identity, monitoring and securing system integrity, protection of data and communication, and secure updates and upgrades, to name just a few.

Oliver Winzenried, CEO and Founder of Wibu-Systems AG, outlined key areas that should be addressed in developing a security framework to protect against IoT vulnerabilities. In each of these areas, mechanisms exist that can be implemented today:

  • IP Protection: the actual assets – the IP in the code – can be encrypted with lightweight symmetric encryption and only decrypted on the fly.
  • Product Protection: protect against counterfeit products by encrypting data and decrypting only on licensed machines.
  • Flexible Licensing: provide variable licensing options like pay-per-use, renting, subscription, etc. for software features. Vendors decide how licenses are deployed, either in app stores or user license portals.
  • Tamper Protection: application code is digitally signed using asymmetric cryptography, with root public keys as securely stored anchors of trust. The devices validate authenticity and integrity themselves.
  • Device Identity: connected devices authenticate themselves, for example with tamper-proof private keys. Open standards like OPC UA are excellent solutions for trusted devices from different manufacturers to operate together.
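
The Tamper Protection point above, sketched as an added example (not code from Wibu-Systems or from the article): a device checks an update against a pinned root public key before accepting it. The helper names, the manifest layout and the Ed25519 demo key are assumptions, and the version check goes one step beyond the text to cover rollback.

```javascript
const crypto = require("node:crypto");

// Constructed demo key pair. A real device stores only the root PUBLIC key
// (ROM, secure element or similar); the private key stays with the vendor.
const root = crypto.generateKeyPairSync("ed25519");
const PINNED_ROOT_PUBLIC_KEY = root.publicKey.export({ type: "spki", format: "pem" });

// Vendor side (hypothetical helper): sign a manifest that binds the
// version number to the SHA-256 hash of the image.
function signUpdate(image, version, privateKey) {
  const manifest = Buffer.from(JSON.stringify({
    version,
    sha256: crypto.createHash("sha256").update(image).digest("hex"),
  }));
  return { manifest, signature: crypto.sign(null, manifest, privateKey) };
}

// Device side (hypothetical helper): returns "ok" or the reason for rejection.
function verifyUpdate(image, update, installedVersion, pinnedKeyPem) {
  const key = crypto.createPublicKey(pinnedKeyPem);
  // 1. Authenticity: the manifest bytes must carry a valid root signature.
  if (!crypto.verify(null, update.manifest, key, update.signature)) {
    return "bad-signature";
  }
  // Parse the manifest only after its signature has been checked.
  const m = JSON.parse(update.manifest.toString("utf8"));
  // 2. Integrity: the received image must hash to the signed value.
  const digest = crypto.createHash("sha256").update(image).digest();
  const expected = Buffer.from(String(m.sha256), "hex");
  if (expected.length !== digest.length || !crypto.timingSafeEqual(digest, expected)) {
    return "hash-mismatch";
  }
  // 3. Rollback: a validly signed but older release is still refused.
  if (!Number.isInteger(m.version) || m.version <= installedVersion) {
    return "rollback";
  }
  return "ok";
}

// Constructed sample input: accept version 2 on a device running version 1.
const demoImage = Buffer.from("constructed firmware image v2");
const demoUpdate = signUpdate(demoImage, 2, root.privateKey);
console.log(verifyUpdate(demoImage, demoUpdate, 1, PINNED_ROOT_PUBLIC_KEY));
```

The signature is verified over the raw manifest bytes before anything is parsed, so unauthenticated input never reaches the JSON parser.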

You can read Oliver’s full comments in his article, Security Frameworks to Set the IoT and IIoT in Motion.
