When the Biden administration came into office, they were greeted with a string of cyberattacks in rapid succession: SolarWinds, Oldsmar, Colonial Pipeline. In response to intrusions like these, the U.S. and countries around the world are passing Internet of Things (IoT) security legislation to create standards that can help protect their national interests. But that’s a massive task. What have governments done so far, and how much can this truly help prevent attacks from happening?
In the U.S., the response started more on a state-by-state basis, mostly driven by California, said Haydn Povey, founder of Secure Thingz and chief security officer at IAR Systems.
“California was in the lead with this around some consumer IoT legislation,” Povey said. “As of the first of January 2021, … it became illegal to sell consumer electronics devices in the state of California which didn’t meet a certain level of hygiene, predominantly around some of the passwords and identification of devices, update management and so on so forth. There were a number of other states – Oregon and Washington state – that looked into those technologies and requirements, as well.”
IoT security legislation
As a result of those cybersecurity actions, a rare piece of bipartisan legislation was signed into law as the IoT Cybersecurity Improvement Act, toward the end of the Trump administration. According to Povey, it mandated that all federal purchases of connected equipment had to meet a certain standard of cybersecurity hygiene (similar to California), including using proper identification, using cryptographic frameworks as opposed to simple passwords, making sure federal agencies are made aware of any critical vulnerabilities and ensuring updates are available for a defined period.
The Biden administration added a second piece of legislation around software bill of materials, or SBOMs. SBOMs are essentially a laundry list of what is in a piece of software or equipment and can be a key defense against supply chain attacks. This is especially important in industrial cybersecurity, because when you look at large industrial control systems, you don’t tend to see all of the libraries or code bases, and many of those fundamental code bases are the pieces that can get flawed. As a result, there can be a trickle-down effect into related systems, as seen with SolarWinds.
“A great example of this, a very technical one, is something called TLS, transport layer security,” Povey said. “About three or four years ago now, it was found that one of the main vendors of this TLS stack, they found a flaw, a critical compromise. And we know that that impacted at least 8 billion devices, many of which are in control systems. There’s no way, as a standard user, you’ll know which systems have been impacted and which were not. So the SBOM legislation is really important in terms of enabling people to understand the additives.
“I kind of think of it as a farm-to-fork equivalent,” Povey said. “If I go to my local supermarket, and I pick up some steak off the shelf, ultimately you could trace back which meat production facility that went through, which farm it came from, actually what medicines the animal had. But we don’t do that for our electronics. And given the criticality of so many of these systems, it’s just bewildering.”
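The question Povey raises, which deployed products bundle a flawed library, is exactly what an SBOM lets a defender answer mechanically. The example below is added here and is not code from the article, Secure Thingz or IAR; the CycloneDX-style SBOM documents, product names, component names ("example-tls") and the advisory cut-off version are all constructed for illustration.

```python
import json

# Constructed, simplified CycloneDX-style SBOMs for three hypothetical
# firmware images. Every name, version and purl here is made up.
SBOM_DOCS = [
    json.dumps({
        "bomFormat": "CycloneDX",
        "metadata": {"component": {"name": "plc-gateway-firmware", "version": "2.3.1"}},
        "components": [
            {"name": "example-tls", "version": "1.4.2", "purl": "pkg:generic/example-tls@1.4.2"},
            {"name": "libjson", "version": "0.9.0"},
        ],
    }),
    json.dumps({
        "bomFormat": "CycloneDX",
        "metadata": {"component": {"name": "hmi-panel-firmware", "version": "5.0.0"}},
        "components": [
            {"name": "example-tls", "version": "1.5.0"},
            {"name": "modbus-stack", "version": "3.2.1"},
        ],
    }),
    json.dumps({
        "bomFormat": "CycloneDX",
        "metadata": {"component": {"name": "sensor-node-firmware", "version": "1.1.0"}},
        "components": [{"name": "other-tls", "version": "2.0.0"}],
    }),
]


def parse_version(version):
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def affected_products(sbom_docs, component, fixed_version):
    """Return (product, product version, component version) for every SBOM that
    bundles `component` at a version older than `fixed_version`."""
    fixed = parse_version(fixed_version)
    hits = []
    for doc in sbom_docs:
        bom = json.loads(doc)
        product = bom["metadata"]["component"]
        for comp in bom.get("components", []):
            if comp["name"] == component and parse_version(comp["version"]) < fixed:
                hits.append((product["name"], product["version"], comp["version"]))
    return hits


if __name__ == "__main__":
    # Hypothetical advisory: example-tls releases before 1.5.0 are flawed.
    for product, pver, cver in affected_products(SBOM_DOCS, "example-tls", "1.5.0"):
        print(f"{product} {pver} ships vulnerable example-tls {cver}")
```

Without the SBOM, the only way to get this answer would be to unpack each firmware image and hunt for the library by hand, which is the "no way, as a standard user, you'll know" problem in the quote above.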
Global cybersecurity
A big issue impacting IoT security is globalization. Companies and governments are so intertwined now that countries need to work together to forge a common approach to securing systems. According to Povey, there are a lot of commonalities developing in how different countries focus on industrial cybersecurity. Povey has been working with team members at the IoT Security Foundation, a global non-governmental organization based in the U.K., to help develop some of these international standards. Their work has resulted in 13 best practices organizations can use in the IoT cybersecurity domain.
Those best practices are available on the IoT Security Foundation website, or you can look up EN 303 645 from the European Telecommunications Standards Institute (ETSI) in Europe.
Povey said many of the same recommendations in the American legislation also exist in the U.K.’s Product Security and Telecoms Infrastructure Bill, which is going through the last stages of Parliament now. More broadly, Europe has the EN 303 645 requirement, which is being developed by ETSI and picked up by the EU Commission. The same requirements outlined in EN 303 645 are being adopted in India, Australia, Singapore, Japan and other countries.
“This is becoming this level of hygiene that we want to see in IoT devices,” Povey said. “At an industrial level, these things still hold true, but there is a slightly different set of requirements also available, called the IEC 62443 specification. This defines security at all of the different levels in industrial control systems. Right down at the bottom, it really defines what needs to be done in the system design to protect that and protect it against perhaps level one, misconfiguration, all the way up to level four, which is being resilient and delivering availability against a nation-state attack.”
Barriers to IoT security legislation
Of course, there are still barriers to security legislation. The first major barrier is simply that cybersecurity is challenging for many organizations. For companies that already have a product on the market, adding security is an extra complication and cost. It’s also difficult to prove that an organization is meeting security requirements. Finally, Gartner recently estimated that there’s a shortage of three and a half million cybersecurity experts globally.
“We can’t educate our way through that problem,” Povey said. “There’s not enough people in universities at all to hit those sort of numbers. So the way in which we have to start addressing that is by having better tools and integrating security right into the start of the design process. It shouldn’t be an afterthought. It becomes harder and more expensive. So we have to do it early.”
The other challenge people have around security legislation is they don’t know how to factor the cost of it. Do companies need to spend $100 to save $10 or vice versa? Povey said the way in which we value security needs to change.
“It’s really important that we understand the value of security properly, understand that security not only stops the malware attacks, and that has huge brand impact, but also protects intellectual property,” Povey said.
The big question is whether legislation is enough to thwart attacks. There will always be threat actors out there. The goal is to make sure the defenses are sufficient to make the bad guys look at different targets.
“If you’re a nation-state and you want to bring down a power grid, at some level you’re going to do it whether it’s an attack through cybersecurity or whether you go and beat an employee over the head with an iron bar. You’ll get to the control system one way or other,” Povey said. “But the legislation helps. It puts in a new low-water mark that people have to achieve. It takes out the drive-by shootings in the cybersecurity sense, and it brings up all of the boats in the harbor, to mix the metaphors. It’s making it better for everybody and chasing some of the simple misdemeanors out of the system, so that we can focus on the next tier of problems.”
Check out Part 1 of our interview with Haydn Povey, where he discusses the state of IoT security and why industrial devices are under attack more than ever. And check out the Industrial Cybersecurity Pulse YouTube page to view previous installments from our expert interview series.