The IoT cybersecurity improvement act: what does it mean, and how do we get ready for it?

Amir Haleem of Helium

Security concerns have been dominating news about IoT as of late, and with good reason. A recent survey shows that nearly half of U.S. firms using an IoT network have been hit by a security breach. With this kind of frequency, it’s no wonder the IoT Cybersecurity Improvement Act of 2017 was proposed.

Although designed primarily for vendors seeking government contracts, the bill has the potential to set key standards for the future of industry-wide IoT development, and can greatly influence the overall progress of IoT, says Amir Haleem, CEO of Helium.

The goal of the IoT Cybersecurity Improvement Act of 2017 is to “provide minimal cybersecurity operational standards for Internet-connected devices purchased by Federal agencies, and for other purposes.”

Under the proposed legislation, vendors will need to meet a number of requirements before they can contract with government agencies, including:

    • Devices must be free from any known vulnerabilities and defects
    • Devices must be able to receive regular software updates
    • Devices must not include any fixed or hard-coded credentials used for remote administration, the delivery of updates, or communication

Considering the safety and economic implications of privately owned IoT networks, however, it is entirely likely that regulations such as these could be expanded beyond government contracts. Ted Koppel has warned that an IoT attack on the U.S. power grid could cause a massive outage, and researchers in Israel who simulated an attack on “smart lightbulbs” to control lights in a city block of offices showed that this is not mere alarmism.

For companies, such attacks can pose existential threats–DNS provider Dyn experienced a DDoS attack that may have cost 8% of its business. So while we certainly can expect more regulation and industry standards, organisations should take their own proactive steps to secure their systems.

Steps every company should take

It should be clear that the standard approaches to securing a network–patches, firewalls, spyware detection, educating employees and so forth–are not going to be sufficient to stem IoT threats. The combination of software infrastructure and remotely deployed devices adds new dimensions to security that require a new way of thinking about it.

However, there are a few steps that companies should take in order to ensure that they can not only prevent attacks, but also comply with up-and-coming legislation:

    • Encrypt the keys on each individual device for more control over the network, as each individual device can be monitored and managed (as opposed to a gateway that controls a specific area/region)
    • Use only derivatives of encryption keys for specific functions
    • Rotate keys regularly so that even if a device is compromised, it can be used by a hacker for only a short timeframe
    • Centralise visibility and control over the system so that you can quarantine and disable suspicious devices directly
    • Leverage hardware-based security, or protection that is produced by a physical device rather than software that is installed on a computer system, a tactic which analyst Patrick Moorhead has asserted is more secure than software because it cannot be altered, and may prevent malware from infiltrating the operating system and virtualisation layer
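The key-derivation and rotation steps above can be sketched as follows. This is an added example, not code from the article or from Helium; the per-device root secret, the device and purpose names, the one-day rotation period and the HKDF-plus-HMAC construction are all assumptions chosen for illustration.

```python
import hashlib
import hmac

ROTATION_PERIOD = 24 * 3600  # assumed rotation interval (one day), in seconds


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: extract a PRK, then expand it."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_key(device_root: bytes, device_id: str, purpose: str, epoch: int) -> bytes:
    """Key bound to one device, one function and one rotation epoch."""
    parts = [device_id.encode(), purpose.encode(), epoch.to_bytes(8, "big")]
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    info = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hkdf_sha256(device_root, info)


def sign(device_root, device_id, purpose, now, message: bytes) -> bytes:
    """Device side: MAC a message with the current epoch's purpose key."""
    key = derive_key(device_root, device_id, purpose, now // ROTATION_PERIOD)
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(device_root, device_id, purpose, now, message: bytes, mac: bytes) -> bool:
    """Server side: accept only a MAC made for this device, purpose and epoch."""
    expected = sign(device_root, device_id, purpose, now, message)
    return hmac.compare_digest(expected, mac)


# Constructed sample values, not taken from any real deployment.
ROOT = hashlib.sha256(b"constructed per-device root secret").digest()
T0 = 1_700_000_000
MAC = sign(ROOT, "sensor-0017", "telemetry", T0, b"temp=21.5")

if __name__ == "__main__":
    print(verify(ROOT, "sensor-0017", "telemetry", T0, b"temp=21.5", MAC))
    print(verify(ROOT, "sensor-0017", "firmware-update", T0, b"temp=21.5", MAC))
    print(verify(ROOT, "sensor-0017", "telemetry", T0 + ROTATION_PERIOD, b"temp=21.5", MAC))
```

A key lifted from one device is useless for another device, another function, or the next rotation period. A production verifier would typically also accept the previous epoch for a short grace window around rotation.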

According to IDC, IoT investment is expected to total $1.4 trillion (€1.17 trillion) by 2021. IoT systems have already brought around twenty-five billion devices online, and according to a Hewlett Packard study, 70 to 80% may lack encryption and sufficient password protection.

These are prime targets for some of the worst kinds of cyber attacks imaginable, and companies need to take action now to ensure that they’re protected. However, with the right approach, companies can build IoT networks that are highly secure, ensuring that the tremendous economic potential offered by IoT comes to fruition.

The author of this blog is Amir Haleem, CEO of Helium
