Back to Blog
The IoT Cybersecurity Improvement Act: The First Step in Securing Connected Devices Against Cyberattacks

law blog img

The Internet of Things—otherwise known as IoT—is the moniker given to all internet-connected devices. Everything from smartphones to self-driving cars to smart sensors in factories, are considered IoT devices.

In 2015, the global IoT market was valued at approximately $743 billion USD. By 2025, that market share is expected to more than double to over $1.7 trillion USD. This growth is primarily fueled by the rollout of 5G, which is predicted to enable the connection of over 75 billion connected devices by 2025.

The sheer number of IoT devices, both already connected and those projected to be connected, creates a potential cybersecurity disaster. Each device represents a new opportunity for cybercriminals to execute an attack. And as the number of IoT devices grows, so does the number of attacks that target them. In fact, in 2019, Kaspersky IoT honeypots detected over 105 million attacks aimed at IoT devices. And device manufacturers just aren’t able to keep up.

However, this isn’t news—many have been sounding the alarm bells when it comes to the growing danger of the IoT for years. In response to these calls, the United States Congress passed the Cybersecurity Improvement Act in December of 2020. This act calls for the establishment of minimum security standards for IoT devices used and/or controlled by the government. 

As laid out in the act, the creation of these standards is the responsibility of the President, the Director of the Office of Management and Budget, the Secretary of Homeland Security, and the head of each agency, in collaboration with the National Institute of Standards and Technology (NIST). While these standards are still to be determined, it’s important to first understand why the IoT is so vulnerable to cyberattacks before we can begin to tackle how to prevent them.

Connected devices are inherently vulnerable to attack

Part of the vulnerability of IoT devices is their connected nature. If one device is corrupted, it may give attackers access to the network it's connected to, in turn giving attackers access to all the other devices connected to that network. 

 

One of the most infamous cyberattacks, a malware known as the Mirai botnet, took advantage of insecure IoT devices in 2016. The malware was able to access the network via vulnerable connected devices like home routers and security cameras by scanning the network for open Telnet ports and then logging in through commonly-used default passwords. Once the attackers were able to enslave up to 100,000 devices, they were able to execute a DDoS attack against Dyn’s customers that took down websites like, Amazon, Etsy, GitHub, Shopify, Twitter, and the New York Times. 

The Mirai botnet is still active, with variants of the malware taking advantage of the COVID-19 pandemic and the stay-at-home orders that followed, targeting vulnerable devices on home networks.

Stay-at-home orders issued across the globe meant that millions of employees are now working from home. With work devices now connected to potentially insecure modems or WiFi routers, attackers have even more opportunities to attack. 

In one recent incident, a hacking group targeted the CFO of a financial firm. They were able to locate and take control of a smart speaker connected to the CFO’s home network, and then eavesdrop on his private conversations. 

It’s clear that the state of IoT security—or perhaps, more accurately—the lack thereof, needs to be addressed. Fortunately, with the passing of the Cybersecurity Improvement Act of 2020, these calls for cybersecurity regulations or standards are starting to be answered.

California State Law sets the precedent for IoT security regulations

In 2018, the state of California was one of the first to try to tackle the cybersecurity issue posed by IoT devices when it ratified a new law that would regulate the security of IoT devices. The law took effect on Jan 1, 2020, and required that (1) The preprogrammed password is unique to each device manufactured; or (2) The device contains a security feature that requires a use to generate a new means of authentication before access is granted to the device for the first time. 

The law intends to mitigate and prevent security vulnerabilities that fall into the category of Improper Authentication. However, this represents only a little over 2% of all known software vulnerabilities. It’s a start, however these stipulations are simply common sense and do nothing to protect devices against the vast majority of cyberattacks that plague our systems today. 

Addressing IoT cybersecurity at the federal level

So, is there anything else happening at the federal level? 

Following in the footsteps of the Secure 5G and Beyond Act, the Cybersecurity Improvement Act of 2020, requires a set of standards and guidelines for the security of 5G systems and infrastructure to be created and implemented at the federal level. These standards will be developed and published by the NIST no later than March 4, 2021, which means we’ll have to wait a little bit longer to see what those guidelines and regulations will be. However, at a minimum, they will adhere to the California state law that went into effect this year.

It’s important to note that, while the act is specific to IoT devices used by the federal government, it's a natural next step that any cybersecurity regulations will extend to consumer devices as well. Government employees are consumers as well, after all— they too are working remotely and have many consumer IoT devices on their home network.  

Referenced in the act is a report published by the NIST in January 2020, “Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline.” This report addresses the fact that IoT devices are used, owned, and operated by governments, companies, and consumers alike, and are developed with an utter lack of sufficient cybersecurity standards to mitigate risks. 

It goes on to outline a set of six activities that device manufacturers can take to provide a better level of security in the devices they are manufacturing. These activities are focused on the impact that lack of security would have on the end customer, and how device manufacturers can mitigate that impact. The steps include identifying the target end customer, researching their needs and goals, identify how to address those needs and goals, plan for customer support, define communication approaches to the end customer about any security concerns, and finally what and when to communicate to the end customer when necessary. 

In addition to recommending the bare minimum level of security IoT devices require, like data protection and the ability to send and receive updates to patch any identified software vulnerabilities, this report issues guidelines for how and what to communicate to consumers when it comes to the cybersecurity issues the IoT devices may encounter.

Although the NIST guidelines are a far better start than the California cybersecurity law, they are still not enough—devices that adhere to only these regulations will be nowhere near secure enough.  

There are still countless methods savvy cybercriminals can use to attack IoT devices. Until device manufacturers develop with security in mind, devices are going to be vulnerable to cyberattack. This is especially true for devices used and owned by the federal government, which are vulnerable not only to attacks by private hacking groups, but could be the targets of government-backed cyber-espionage campaigns.

To secure IoT devices against the most common and severe cyberattacks, devices need to be immunized against exploitation of bugs in software. Bugs are the open windows that attackers use to get into a system and wreak havoc. Closing those windows on attackers is the only way to truly secure IoT devices—Dover’s CoreGuard® solution is designed to do just that.

Defense-in-depth is the best strategy for securing IoT devices

CoreGuard is the most important component of a defense-in-depth cybersecurity strategy. CoreGuard silicon IP provides bodyguard-like protection to the host processor, checking every instruction executed. This means that CoreGuard controls all communication between the host processor and the outside world. 

CoreGuard crosschecks every instruction against a set of micropolicies, which define the security, safety, and privacy rules of the SoC it’s protecting. If an instruction violates a micropolicy, it's stopped from executing before any damage can be done. CoreGuard micropolicies are designed to stop entire classes of attack—not just specific attacks. Because of this, CoreGuard can dynamically block malicious behaviors from both known and unknown sources, and can even defend against zero-day attacks that exploit software vulnerabilities unknown to the software maker or user. As a result, CoreGuard’s full suite of micropolicies can protect against 94.87% of all software vulnerabilities, thus truly immunizing IoT devices against the vast majority of cybersecurity threats. 

Download Now - The Cybersecurity Stack: How to Secure Embedded Systems with a Defense-in-Depth Approach

 

To learn more about how CoreGuard can protect the IoT, request a demo today.

 

Share This Post

More from Dover

PublishedFebruary 09, 2021

Edge computing is simply the processing of data closer to the data source—instead of relying on the cloud or a centralized data center to do the computing. Edge devices compute data locally and provide an efficient means of transmitting and...

Security CoreGuard Safety Defense-in-Depth IIoT