U.S. Introduces Legislation to Improve Cybersecurity of IoT Devices: Is it Enough?
U.S. Senators recently introduced legislation intended to improve the cybersecurity of Internet-connected devices. The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would require that devices purchased by the U.S. government meet certain minimum security requirements. The main points of the bill are aimed at vendors that supply IoT devices to the U.S. government: they would have to ensure that their devices are patchable, do not include hard-coded passwords that cannot be changed, and are free of known security vulnerabilities.
Senator Mark Warner, a co-author of the bill, stated: “My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products.”
The recent spate of malware attacks and the public exposure of IoT device vulnerabilities in so many sectors have elevated the visibility of cybersecurity, and it is encouraging to see that these issues are being addressed at the highest levels. While this legislation is a positive step forward, it raises the question: is it enough? If the answer is no, then the responsibility falls on the device developers (where it should be) to step up their efforts and use technologies that are available today to ensure that the devices proliferating in the commercial markets are safe, preserve privacy, and maintain data security.
The many facets of security that need to be addressed with Internet-connected devices go well beyond the requirements put forth in the IoT Cybersecurity bill. For example, developers need to consider authentication or licensing of components based on their unique identity, monitoring and securing system integrity, protection of data and communications, and secure updates and upgrades, to name just a few.
Oliver Winzenried, CEO and Founder of Wibu-Systems AG, outlined key areas that should be addressed when developing a security framework to protect against IoT vulnerabilities. In each of these areas, mechanisms exist that can be implemented today:
- IP Protection: the actual assets – the IP in the code – can be encrypted with lightweight symmetric encryption and decrypted only on the fly.
- Product Protection: protect against product counterfeiting by encrypting data and decrypting it only on licensed machines.
- Flexible Licensing: provide variable licensing options such as pay-per-use, renting, and subscription for software features. Vendors decide how licenses are deployed, either in app stores or in user license portals.
- Tamper Protection: application code is digitally signed using asymmetric cryptography, with root public keys securely stored as anchors of trust. The devices validate authenticity and integrity themselves.
- Device Identity: connected devices authenticate themselves, for example with tamper-proof private keys. Open standards like OPC UA are excellent solutions for trusted devices from different manufacturers to operate together.
You can read Oliver’s full comments in his article, Security Frameworks to Set the IoT and IIoT in Motion.