The U.S. House of Representatives recently passed legislation requiring IoT devices to meet minimum standards for cybersecurity. If the legislation passes a vote in the Senate and receives presidential approval, IoT device manufacturers must start to prioritize cybersecurity or face significant financial and strategic implications.
The IoT Cybersecurity Improvement Act has bipartisan backing, along with the endorsement of tech companies like CloudFlare, Mozilla, and BSA. Given the widespread support, the bill looks likely to pass the Senate.
After becoming law, the bill would require the National Institute of Standards and Technology (NIST) to create guidelines for IoT security, addressing key issues like secure development, identity management, patching, and configuration management for IoT devices. Any devices acquired by the federal government would have to meet those minimum standards or be disqualified from consideration.
NIST will also work with researchers and the Department of Homeland Security (DHS) to develop policies for disclosing, in a transparent and timely manner, vulnerabilities found in connected devices. Once complete, all vendors and contractors working for the federal government must follow those policies.
This is a major development. In the absence of clear standards, IoT security has lagged even as connected devices have proliferated. Experts have been sounding the alarm for years, and now Congress is acting with a sense of urgency. For IoT device manufacturers, this legislation has sweeping implications and requires immediate action.
The federal government has already invested tens of billions of dollars purchasing IoT devices. Those investments will likely pale in comparison to future investments as connectivity becomes a larger priority across government functions. Since the federal government is perhaps the largest single customer for IoT devices, manufacturers who make these devices need access to federal contracts. That means they must develop devices that meet the minimum security standards called for by the IoT Cybersecurity Improvement Act.
Manufacturers will need to conform to those standards regardless of whether they’re courting federal contracts or targeting industry clients exclusively. Historically, NIST standards have become the best practice or baseline for security in other sectors. IoT security isn’t a concern limited to the federal government, and private sector clients are likely to use the NIST standards to guide future purchasing decisions – showing a preference for devices with quantifiable levels of security.
Failing to follow the NIST guidelines in whatever form they take could make it impossible to attract customers (in any sector) who insist upon IoT security. The success or failure of a connected device now depends on the ability of developers to prioritize security throughout the entire product lifecycle.
Trying to retroactively improve the security of devices already in production isn’t feasible in most cases. And even for devices currently in development, making security a priority doesn’t happen quickly or cheaply. It’s possible that as security and compliance move to the forefront, devices may need to be updated or even redesigned to adhere to the new guidelines.
Until NIST releases the guidelines, it’s difficult to say exactly what security features and standards IoT devices will need. What is certain, though, is that developers require visibility into the security posture of their devices beginning in the earliest stages of development, carrying through deployment, and continuing for as long as a device remains in service.
It won’t be enough to design devices with a specific security posture and stop there. Connected devices become vulnerable over time as the threat landscape evolves and products age. To meet the mandates of the new legislation and satisfy the demands of customers, closing the loop on IoT security requires monitoring and management of in-field connected devices after they leave the factory floor.
For most companies engineering IoT devices, this represents a major shift in their business model. Beyond just strengthening security, they will need to become service providers who increasingly accept liability for security failures.
Making such drastic changes won’t be easy for any manufacturer, but they will be necessary as IoT security becomes an absolute requirement for anyone buying connected devices. Nothing will be the same for device manufacturers in the wake of the IoT Cybersecurity Improvement Act. The time to start preparing is now – ideally with a platform that provides end-to-end security monitoring for every device in service.