Cybersecurity Update - August 10, 2017
As connected products are increasingly integrated into everyday life, measures to address the security of Internet of Things (IoT) devices continue to evolve. Some of the latest initiatives include the following.
NTIA issues guidance on cybersecurity communications
Last month, as part of an ongoing multi-stakeholder initiative, a working group of the National Telecommunications and Information Administration (NTIA) issued guidance to help IoT manufacturers more effectively communicate cybersecurity and privacy information to consumers. The working group considered guidance from other agencies, including the Federal Trade Commission and Department of Homeland Security, nonprofits, and industry.
The NTIA document, Communicating IoT Device Security Update Capability to Improve Transparency for Consumers, focuses on “key elements” for manufacturers to consider communicating to consumers prior to purchase, which are crucial for transparency and informed choice. They include informing consumers upfront whether their devices will receive security updates, how updates will be communicated (e.g., will they update automatically?), and when updates will end. NTIA also recommends addressing how users are notified about security updates; what happens when a device no longer receives update support; how the manufacturer secures updates; any costs for consumers to keep their devices current once updates end; and when or whether a device ceases to operate or loses functionality when security support ends, or whether users bear the risk of operating the device once security updates end.
The guidance emphasizes that updates and patches do not offer complete device protection and are not the sole security measures that IoT manufacturers and consumers should take. Thus, while the guidance provides a useful roadmap for IoT manufacturers, companies may wish to consider advising on additional security practices and policies that apply to the device and prudent steps for consumers to take to maintain device security, such as password management. The recent focus on communicating about IoT updates and patches appears to stem from the recognition that IoT devices are powered by software, and that software is updated and replaced, sometimes frequently.
Internet of Things (IoT) Cybersecurity Improvement Act of 2017
On August 1, Senate Cybersecurity Caucus co-chairs Mark Warner (D-VA) and Cory Gardner (R-CO) introduced a bill to provide minimum cybersecurity operational standards for connected products purchased by federal agencies. Per Senator Gardner, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would “ensure the federal government leads by example and purchases devices that meet basic requirements to prevent hackers from penetrating our government systems.” The bill would require agencies to include a clause in procurement contracts requiring suppliers of connected products to meet basic industry-wide cybersecurity standards. Suppliers would be obliged to provide written certification that devices do not contain any known security vulnerabilities or defects, and allow for patching of security updates. In addition, connected devices would be prohibited from including hard-coded passwords, which can provide a back door for malware.
Although this bill would apply only to connected products purchased by the federal government, federal procurement standards are often mirrored by state procurement officials and can find their way into other specifications as well.
ANSI introduces first independent cybersecurity standard
Another development affecting cybersecurity of connected products is the finalization of the first independent standard for IoT device cybersecurity. The American National Standards Institute (ANSI) introduced UL 2900-1, General Requirements for Software Cybersecurity for Network-Connectable Products, on July 5. Developed as part of UL’s Cybersecurity Assurance Program, the UL 2900 series applies established security design principles to measurable criteria to assess vulnerabilities of connected products. UL 2900 has been recognized by the Food and Drug Administration, which is expected to formally announce its adoption in the next Federal Register notice.
As cybersecurity standards, guidelines, and proposed regulations for IoT devices proliferate, it is important to remember that the specific security measures adopted must be relevant to the type of information collected by a particular IoT device, including the potential sensitivity of that data.