As the world moves toward interconnection of all electronic devices, the proverbial internet of things (IoT), device manufacturers prioritize speed to market and price over security. According to Nokia’s most recent threat intelligence report, IoT devices are responsible for almost a third of all mobile and Wi-Fi network infections.

This ratio will likely grow dramatically as the number of IoT devices continues its exponential growth. A recent report from Fortinet warns that the rapid introduction of edge devices will create opportunities for more advanced threats, allowing sophisticated attackers and advanced malware to “discover even more valuable data and trends using new EATs [edge access Trojans] and perform invasive activities such as intercept requests off the local network to compromise additional systems or inject additional attack commands.”

The Internet of Things (IoT) Cybersecurity Improvement Act, passed by the House in September and unanimously approved by the Senate last week, is a step toward warding off these threats and providing greater security in IoT devices. The act is headed to the desk of President Trump, who is expected to sign it into law.

The goal of the act, in the words of Congresswoman Robin Kelly (D-IL), one of the original sponsors of the legislation along with Representative Will Hurd (R-TX), is to “ensure that the US government purchases secure devices and closes existing vulnerabilities to protect our national security and the personal information of American families.” It aims to create “standards and guidelines” for the federal government to follow, in the hope that the requirements also make their way into private-sector manufacturing.

NIST to publish IoT security standards within 90 days

The bill expects these standards and guidelines to be developed “collaboratively within and among agencies in the executive branch, industry and academia” and defines the IoT according to the second draft of the National Institute of Standards and Technology (NIST) Interagency or Internal Report NISTIR 8259, which was first published in January 2020 and then revised in July. Consistent with that NIST definition, IoT devices:

  • Have at least one transducer (sensor or actuator) for interacting directly with the physical world, have at least one network interface, and are not conventional information technology devices, such as smartphones and laptops, for which the identification and implementation of cybersecurity features is already well understood.
  • Can function on their own, rather than only when acting as a component of another device, such as a processor.

The legislation requires the director of NIST to publish, within 90 days of enactment, standards for the federal government on the appropriate use and management of IoT devices by agencies, including minimum information security requirements for managing cybersecurity risks associated with such devices. These standards and guidelines have to be compatible with NIST’s existing efforts related to IoT devices and must incorporate identity management, patching and configuration management.

Copyright © 2020 IDG Communications, Inc.
