U.S. Senate Bill Addresses Critical IoT Security Gaps

IoT devices are not only being increasingly used to provide critical functionality for people and infrastructure, they are also being used by criminals in major cyberattacks.

Congress is finally taking notice of the growing problem. Virginia’s Democratic Senator Mark Warner and Colorado’s Republican Senator Cory Gardner have introduced a new bill titled “The Internet of Things Cybersecurity Improvement Act of 2017”.

The bill includes reasonable security recommendations for federal government agencies to consider when purchasing IoT-related and edge computing devices:

  • Internet connected devices purchased by the US government are forbidden from having hard-coded (unchangeable) usernames and passwords.
  • Vendors are required to ensure that their devices are patchable and free from already known vulnerabilities at the time of purchase.
  • Firmware updates must have an effective authentication mechanism, such as a secure digital signature, which prevents unauthorized updates.
  • The device must use only industry-standard protocols and technologies for communications, encryption, and interconnection with other devices or peripherals.
  • Software and firmware components must be updated or replaced in a timely manner, through a properly authenticated and secure process, to fix or remove a vulnerability or defect.
  • Devices must be repaired in a timely fashion with respect to any new security vulnerability discovered.

By establishing clear guidelines for contractors and vendors in the procurement process, the government is nudging the market in the right direction. If implemented, these guidelines can go a long way toward minimizing the risks posed by improperly secured IoT devices.

Government action alone may not be enough to persuade the broader market to take IoT security more seriously. Whether or not the Senate bill becomes law, businesses should adopt the same requirements in their procurement process. As non-compliant IoT vendors are shut out of the market, we will all be better protected against this very real and growing cyber threat.