Product Managers - IoT Cyber Standards in a Nutshell
The whirlwind growth of the Internet of Things (IoT) generates thumb-stopping statistics.
For instance, International Data Corporation President Vernon Turner predicts that there will be 80 billion devices connected to the internet by 2025 – which could mean 152,200 IoT devices connecting every minute.
But great power brings great responsibility. As the potential attack surface area expands exponentially, risks for everyone from governments to corporations to private individuals multiply manifold – for example, Security Intelligence reports that Mozi botnets have driven a 500% rise in IoT attacks recently.
To combat and control these risks in what is still a fledgling industry, the US Federal Government has introduced IoT cybersecurity legislation which will have far-reaching implications for IoT product teams in 2021 and beyond.
In fact, it creates a de facto baseline cybersecurity standard everyone must meet.
In this eye-opening blog post, you’ll find out:
- What the new cybersecurity standard is
- How it affects you
- What you can do about it
- Noteworthy international cybersecurity standards
If you’re involved in the design, manufacture, and marketing of any IoT device – whether targeting public sector organizations or private individuals – compliance is essential to futureproof the viability of your product.
This blog post reveals everything you need to know right now.
What is it?
Here’s a breakdown of the new IoT cybersecurity standard:
- The Internet of Things Cybersecurity Improvement Act of 2020 requires more robust cybersecurity from agencies for IoT devices owned by the Federal Government.
- Although its scope seems limited, provisions of the Act include instructions for the National Institute of Standards and Technology (NIST) to develop complementary security standards and guidelines for the appropriate use and management of all relevant IoT devices – including establishing minimum cybersecurity requirements for managing risks.
- On the face of it, this legislation concerns only IoT device contractors supplying or bidding for government contracts, for whom compliance with NIST guidelines becomes mandatory in December 2022. But since the US Government is the world’s largest consumer, its minimum standards will cascade throughout the entire industry and create a new de facto standard in security and labeling for all connected devices. Put simply, all IoT device manufacturers should take note of the NIST IoT cyber standards, even those focused exclusively on the private consumer market.
Who does it affect?
Compliance will trickle down to product teams focusing on industrial and home IoT products. But if you’re an IoT manufacturer providing products and services to the federal government (or are considering doing so), you need to take note right now.
To clarify, this could mean you if you’re involved in developing products like:
- Smart farming IoT devices which the U.S. Department of Agriculture (USDA) might be interested in – like drones, motion detectors, light detectors, smart irrigation systems and cloud-based data analytics tools for crop and livestock management.
- Water quality IoT devices that fall within the remit of the Environmental Protection Agency (EPA), such as sensors on buoys that monitor water quality and detect the presence of substances harmful to marine life and humans.
- Secure IoT passenger processing, security and surveillance products that would be useful to the Transportation Security Administration (TSA) – like smart security cameras, facial recognition devices, and automated checkpoints.
How does it affect me?
In a nutshell, the IoT Cybersecurity Improvement Act (2020) and the subsequent NIST standards require that cybersecurity be a top priority throughout the whole lifecycle of an IoT product.
These key components clarify how your IoT product team might need to adapt:
- NIST standards and guidelines for IoT devices will cover secure development, patching and configuration management, as well as identity management. This will set a new national standard that addresses (amongst other issues) the longstanding vulnerabilities created by poorly set device passwords.
- NIST guidelines for the disclosure of IoT device vulnerabilities will impose stringent requirements for reporting all cybersecurity vulnerabilities in any IoT device owned or controlled by a federal agency. Each report should disclose the vulnerability itself as well as its resolution. The requirement applies to contractors and subcontractors too.
- Mandatory contractor compliance with NIST standards and guidelines means that by December 2022, all federal agencies are prohibited from procuring or renewing a contract to obtain any IoT device that the Chief Information Officer (CIO) deems non-compliant.
These are the main implications of the IoT Act. But if you haven’t cast your eyes on it already, now’s the time to read the NIST draft guidance on IoT device cybersecurity for a granular breakdown.
What can I do about it?
As you can see, if you’re an IoT device product team touting for new business, it’s time to get your cyber ship in order – if you haven’t done so already.
Moving towards this new gold standard as soon as possible is definitely advisable. It could also be the final nail in the coffin for manufacturers or brands that rush devices into production to accelerate sales, with only the flimsiest Security-by-Design (SBD), leaving products almost instantly obsolete and vulnerable to hackers.
So here are a couple of smart moves you can make right now:
- Adopt a proactive cybersecurity solution that protects consumer devices throughout their entire lifecycle. With endpoint detection and response (EDR), threats are constantly monitored, attacks are thwarted in real time, and the secure remote provision of regular security updates protects every product against the latest threats. Consequently, buyers have peace of mind that the handy devices which are part and parcel of everyday home or work life are safe, secure, and private.
- Offer a cybersecurity system with 24/7 security monitoring. Too many cloud-based smart devices have suffered high-profile hacks in recent years, but stronger security protocols at the device level can mitigate this.
- Clearly label your devices as compliant with the new standards – since government procurement leaders will be held to new, exacting compliance standards, make this part of their jobs easier by spelling out your product’s strict adherence clearly. Transparent product labeling aligned to new cyber protection standards will win customer trust. If your IoT product already ticks all of the above cybersecurity boxes, bravo.
If not, it’s high time to go back to the drawing board.
International rules and standards
Don’t forget that if you’re trading in various international jurisdictions, many foreign governments and transnational lawmakers are also bolstering their IoT device cybersecurity standards:
- New UK cybersecurity laws will require all consumer connected products to comply with three new security requirements: a vulnerability disclosure policy allowing accessible reporting of security issues, a ban on universal default passwords, and a requirement to disclose at the point of sale the minimum period during which a device will receive security updates.
- The EU Cybersecurity Act establishes a cybersecurity certification framework across the EU, creating schemes for various ICT products and services. Each scheme specifies the relevant categories of products and services, the cybersecurity requirements (including technical specifications and standards), the intended level of assurance, and the type of evaluation.
Rules and regulations are tightening worldwide, but if your IoT product team has its collective eye on the ball, you can use your compliance as an opportunity to leverage consumer trust and sales – a bonus rather than a burden.
In other words, Cyber as a Feature is set to become an even more powerful IoT brand differentiator and should be leveraged for growth across all channels.
We hope this run-through of the new IoT cybersecurity standard was an eye-opener.
Here are a few key takeaways to consider:
- The new IoT cybersecurity standard is set to become a standard applied to all connected devices. Originally created by the federal government to ensure the highest level of cyber protection for government purchases, it will become a de facto standard for all IoT and connected devices because of the government’s power and influence as the nation’s biggest consumer.
- IoT product manufacturers who have already moved beyond SBD to proactive cybersecurity that provides comprehensive security and protects the privacy of users throughout the device lifecycle are ahead of the game in terms of compliance.
- Countries all over the world are applying similarly robust IoT cybersecurity standards – take note if you trade internationally.
- Cyber as a Feature (CaaF) should be used as a highly persuasive differentiator when you’re selling a connected device. As new cybersecurity legislation rolls out worldwide, buyers will be looking for security.
- The new cybersecurity standard is an opportunity for you to position your company as a leader who values privacy and security – grab it with both hands and the benefits for your business are boundless.