A bill has been introduced into the US Congress aiming to require certain security standards for Internet of Things (IoT) devices sold into the US government. This is a good first step, raising the issue in the minds of manufacturers and potentially setting a de facto standard.
Legislation raising the profile of IoT security is good news
The distributed denial-of-service (DDoS) attack on DNS service provider Dyn in October last year resulted in significant portions of the internet being offline in North America and parts of Europe for several hours. It was also the first major DDoS exploit to use a botnet of IoT devices, namely thousands of CCTV cameras and printers infected with the Mirai virus, and dramatically demonstrated how insecure devices can and will be harnessed by cybercriminals.
We have also seen, over the last two years, attacks on critical infrastructure in Ukraine by what security researchers believe to be the Russian group Sandworm, resulting in a cessation of electrical supply to entire sections of the country in the depths of winter.
These episodes demonstrate a growing risk of attacks launched from the IoT, but also of attacks on internet-connected operational technology devices (aka the Industrial IoT, or IIoT). Thus, the US initiative is a welcome first move in the direction of obliging vendors and practitioners of IoT to build security into their devices and networks.
The Internet of Things Cybersecurity Improvement Act of 2017 (IoT-CIA), which was introduced into the US legislative branch last week, aims to ensure that manufacturers of equipment to be sold and deployed into federal government IoT networks meet security standards. There is provision, among other things, for guaranteeing patchability and avoiding default passwords, all of which is a positive move that should spur other governments to think along similar lines.
Rik Turner, Principal Analyst, Infrastructure Solutions