A Step in the Right Direction: The IoT Cybersecurity Improvement Act
A constantly growing network of connected devices – also known as the Internet of Things (IoT) – is expanding the landscape and reach of information technology and enabling digital business transformation. Experts project that by 2030, there will be 24.1 billion active IoT devices, up from 7.6 billion in 2019. But today, a lack of industry-wide cybersecurity standards, a surge in rogue connected devices and widespread risky remote work habits have created a perfect storm for cyber attacks.
More than half of the IoT devices connecting to corporate networks today are consumer-facing. Companies that manufacture and deploy these devices do their best to secure them, but there is often a lack of adequate levels of protection. As a result, attackers can infiltrate these devices and put sensitive data and systems, and in some cases human safety, at risk. To put this in perspective, a recent Nokia study reveals that IoT device infections skyrocketed by 100% from 2019 to 2020.
While there’s much work to be done to tackle the rampant “IoT insecurity” challenge, U.S. public and private sectors collectively witnessed a step in the right direction with the newly passed Internet of Things Cybersecurity Improvement Act of 2020. Here’s what you should know about the law and how it can help shape and strengthen your organization’s own IoT security approach – regardless of industry.
What is the IoT Cybersecurity Improvement Act of 2020?
The IoT Cybersecurity Improvement Act of 2020 became public law in December 2020. This bit of legislation aims to establish minimum security requirements for IoT devices owned or controlled by the federal government. While it does not include “conventional IT devices such as smartphones and laptops,” the bill’s intentionally broad definition encompasses everything from smart thermostats to hospital beds, critical infrastructure, national arsenals and more.
The Act acknowledges that IoT devices present a unique set of problems to organizations if not appropriately secured. And while it specifically addresses supply chain security risks to the federal government, as the first bill of its kind to be passed into law, the Act is expected to have far-reaching implications across enterprise and consumer markets.
Here is a high-level look at what’s covered:
- The National Institute of Standards and Technology (NIST) must now publish standards and guidelines, including minimum information security requirements for managing vulnerable IoT devices that present risk. The Office of Management and Budget (OMB) must then review federal security policies and change them, as necessary, to align with NIST recommendations.
- The NIST security standards must address four main categories: secure development, identity management, patching and configuration management.
- When security vulnerabilities are identified within IoT devices owned or controlled by federal agencies, the responsible contractor or vendor must report and resolve the security vulnerability to increase transparency and help accelerate risk mitigation efforts.
How to Step Up Your Organization’s IoT Security
IoT devices are known to have many firmware and software vulnerabilities that can be accessed via weak credentials. It’s estimated that at least 15% of IoT devices use default credentials that are hardcoded into the device (and have never been changed). This creates significant opportunity for attackers who target these devices to gain a foothold within networks. They can use these credentials to move laterally, escalate privileges and eventually gain access to an organization’s most critical and sensitive assets.
Today, any connected device can represent privilege risk based on the systems and data it is connected to, and who can access the device. That’s why it’s so important to identify each device, and understand how it communicates with other devices, systems and applications, and which people have access to it. But with so many devices online and so many employees working from home, it’s hard enough for IT and security teams to take inventory of all the IoT devices on their network, let alone ensure they meet enterprise security and compliance requirements.
Automated tools can help make this feasible by continually finding new devices and assessing the network, helping to ensure patches are pushed and weak or default credentials are eliminated. When coupled with a centralized tool that controls privileged access to systems for human and machine users based on a Zero Trust framework, organizations can enforce consistent security and compliance policies and better manage IoT devices across their lifecycles.
CyberArk’s integration with Forescout and Phosphorus empowers organizations to reduce IoT risk by driving greater visibility and shrinking the attackable surface. The three solutions work harmoniously to provide IoT security rigor with continuous detection, management and monitoring of IoT devices and their credentials. This pre-built integrated solution makes life easier for IT and security practitioners focused on strengthening IoT security within their organizations, while helping federal agencies and partners to meet the mandates of the IoT Cybersecurity Improvement Act of 2020 across critical identity management, patching and configuration management domains.