Regulating the IoT: Impact and new considerations for cybersecurity and new government regulations
In 2019 we have reached a new turning point in the adoption of IoT – more markets and industries are migrating to a cloud-based infrastructure, and as the IoT continues to gain popularity and more devices and data move online, lawmakers and legislators around the globe are taking note.
An often-critiqued part of IoT growth is its impact on cybersecurity and concerns around the ability to keep networks secure from cyber-attacks as they grow in size and complexity.
In recent years, legislators have been attempting to address the issue of cybersecurity in the IoT. In the U.S., this has manifested through bills like the IoT Consumer TIPS Act of 2017 and the SMART IoT Act – but not much traction was gained until 2018.
Last year, California became the first state in the U.S. to pass a cybersecurity law covering IoT devices: SB-327, set to be put into law in 2020. The law requires that manufacturers of a device that connects directly or indirectly to the internet must be equipped with “reasonable” security features that are designed to prevent unauthorized access, modification or information disclosure. The bill aims to protect consumers as a first step, but could also potentially be applied to larger, enterprise solutions with future revisions.
The bill, though greatly lauded as a significant first step for legislative-protected connected device measures, doesn’t come without critics. Many cybersecurity experts argue that the bill is too vague and could allow for manufacturers to leave security holes like ones that helped the Mirai botnet attack of 2016 spread.
Most recently, members of the U.S. Senate introduced a bill – the Internet of Things (IoT) Cybersecurity Improvement Act of 2019 – that looks to address cybersecurity in connected devices from a federal perspective. It would require agencies within the federal government and contractors and vendors providing IoT devices to the government to be more transparent in communicating any cybersecurity vulnerabilities associated with the devices.
From consumer cybersecurity to enterprise systems used by the federal government, legislators in the U.S. are starting to take action to better control the issue of security between IoT devices and the ever-growing cloud.
Global measures
From a global perspective, both the UK and Japan have made commitments to addressing IoT cybersecurity and developing guidelines and regulations for manufacturers and industry stakeholders. In 2018, the UK government launched a Code of Practice (CoP) for the Internet of Things security, aimed at improving baseline security and advancing an industry-wide ‘security by design’ approach for those contributing to the IoT. The security by design approach encourages manufacturers to develop IoT devices with security as a central component of its use, rather than working backwards to try and create security measures via software updates or other tactics.
Where the UK’s measures are more passive, Japan’s recent measures are more radical and designed to aggressively approach the issue of unsecured IoT devices across the country. In February of this year, Japanese officials from the National Institute of Information and Communications Technology announced that they would start an investigation into 200 million IP addresses across the country in an attempt to find devices that have poor or compromised security. Its goal is to help Internet Service Providers and telecoms better understand vulnerabilities in their networks and devices, so they can more effectively create revised cybersecurity measures, whether it be through firmware updates or cloud-based.
These efforts from global leaders like the UK and Japan offer a vision of the future where cybersecurity for IoT devices are prioritized and used to drive change with manufacturers, vendors and others with a stake in the IoT.
Other IoT cybersecurity considerations for lawmakers
Best practices, baseline standards and requirements for better dissemination of information are all a good first step in addressing IoT cybersecurity from a legislative perspective. Manufacturers, vendors and those contributing widely to IoT growth should be held to certain standards and requirements for protecting customers and end-users. But there is a lot of complexity to be found in protecting the IoT – and much of the legislature being introduced today doesn’t provide a deeper look into various solutions that could also help vendors protect their devices for various applications.
Lawmakers and those responsible for developing new cybersecurity regulations should look at security beyond the software level, looking at end point or embedded devices.
An IoT device can either be protected by the network using tools such as router rules and firewalls or by using the security built into the CPU to detect and block attacks, authenticate access, analyze communication, and utilize TEE or secure-boot etc.
Today’s device security is dependent on the CPU to protect against multiple vectors of attack and adapt to a dynamic environment that introduces new risk all the time. In many cases a security breach comes from simple oversight by the manufacturer or the user. But this oversight also brings up the important consideration of active versus passive protection for connected devices and which is better for current and future IoT management. Active protection requires network managers to recognize the attack and actively take measures to prevent it and passive protection, where attacks are automatically blocked, requiring no manual or automatic action to take place.
A flash-based approach
An IoT device can either be protected by the network using tools such as router rules and firewalls or by using the security built into the CPU to detect and block attacks, authenticate access, analyze communication, and utilize TEE or secure-boot etc.
Network protection is vulnerable since it’s impossible to identify all entry points to an IoT edge device. Many of these devices are out in the public domain that could allow an adversary to have physical access. An example is a traffic camera. These devices have low computational power and standard protection practices such as anti-virus software does not apply. Today’s device security is dependent on the CPU to protect against multiple vectors of attack and adapt to a dynamic environment that introduces new risk all the time. In many cases a security breach comes from simple oversight by the manufacturer or the user.
Intel Spoiler, Meltdown and Mirai botnet are recent attacks that uncovered fundamental issues with CPU designs. While chip vendors tried to regain trust from the market by developing software patches, these too have limited efficacy against current and future breaches due to internal design flaws, coding errors, and external hacking.
An innovative approach is to protect the flash itself, even from the processor and the software that is running on it: Creating a gatekeeper in the secured flash that blocks write operations to the protected memory blocks, making it impossible for attackers to alter the firmware with any malicious code even in cases where the attacker gain full control of the host / OS. This approach is agnostic to the processor and any software that is running on the device and avoids any latency at boot time or run time.
Of course, today’s devices require updates. Protecting the flash creates a secure channel between the device’s flash all the way to the cloud that neither the network nor the software and processor within the device can breach, thereby extending the trust beyond cloud-to-processor to cloud-to-flash and allowing for a secured update of the protected flash without exposing it to its host.
With billions of IoT endpoints that will ultimately make up society’s crucial infrastructure, a new approach is needed to protect the memory of edge devices without depending on the integrity of the CPU controlling it.
It is necessary for the entire IoT industry to identify an end-to-end solution that secures the entire chain of vulnerability from deeply embedded endpoints, to the cloud, and up into the enterprise management layer by identifying the single critical path that a persistent attack must pass through and recognizing the fact that many new threats will be presented utilizing human tendency to error and introduce bugs, mismanage passwords, etc. By offering increased awareness of alternate solutions such as cloud-to-flash, passive hardware base cybersecurity and management, both legislation and vendors can come together to develop more stringent, granular solutions for helping manage the future of the IoT.