The IoT Cybersecurity Improvement Act of 2020 — Your Questions, Answered
The Internet of Things (IoT) Cybersecurity Improvement act was signed into law in the U.S. in 2020. The act strengthens security for IoT devices by introducing minimum security requirements for devices purchased, owned, managed, or controlled by the federal government. We’ll break down the act, explain why it’s important, and answer your questions.
What Is the Purpose and Intent of the IoT Cybersecurity Improvement Act?
The Act itself states that its purpose is to: “Establish minimum security standards for Internet of Things devices owned or controlled by the Federal Government, and for other purposes.” Broadly, the intent of the act is to increase security standards and reduce vulnerabilities for IoT devices, which are increasingly becoming the targets of hacking attempts and other cyber threats.
Are Internet of Things Devices Particularly Vulnerable to Hacking?
Yes. A lack of security standards, rushed development, inadequate testing, default settings, and other factors have combined to make IoT devices a weak point in the cybersecurity chain. Supply chain complexity, combined with a fragmented approach to security means these endpoints can be easy to identify and relatively simple to breach.
What Types of IoT Devices Does This Law Affect?
At present, the law only provides minimum security standards for IoT devices purchased or used by the federal government. It does not have any impact on consumer-purchased IoT devices, or on those purchased by state governments or other municipalities.
Will There Be an Impact on Other Types of IoT Devices?
Possibly. One of the downstream effects of the act might be that device manufacturers provide the same minimum security standards to all the IoT devices they produce, whether used by the federal government or not.
What Government Body Determines the IoT Security Standards for These Devices?
The National Institute for Standards and Technology (NIST) is publishing standards and guidelines on:
- The use and management of IoT devices by the federal government.
- The minimum security requirements for combatting cybersecurity risks in IoT devices.
They have currently published several sets of guidelines, as follows:
- NIST Special Publication 800-213: IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements
- NISTIR 8259B: IoT Non-Technical Supporting Capability Core Baseline
- NISTIR 8259C: Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline
- NISTIR 8259D: Profile Using the IoT Core Baseline and Non-Technical Baseline for the Federal Government
These guidelines affect federal agencies and IoT device manufacturers.
What Are the NIST Special Publication (SP) and NISTIR Guidelines?
Katerina Megas, the program manager for NIST’s Cybersecurity for IoT Program, says that, “The three NISTIRs offer a suggested starting point for manufacturers who are building IoT devices for the federal government market, while the SP provides guidance to federal agencies on what they should ask for when they acquire these devices.” Some key aspects to note:
- SP 800-213 provides overall guidance for federal agencies, extending NIST’s risk-based cybersecurity approach to include the integration of IoT devices into federal information systems and infrastructure
- NISTIR 8259 series provides guidance that IoT device manufacturers can use to help organizations implement SP 800-213’s guidance
How Can Public / Private Key Infrastructure Help With IoT Security?
PKI provides cryptographic keys that are used for authentication and data encryption between communicating parties or devices. PKI is more important for IoT devices as devices should be authenticating with each other before transmitting data. If properly designed, implemented, and managed, PKI can be a very powerful solution for securing IoT devices.
In particular, the benefits of PKI for IoT devices include:
- A unique, verifiable identity for each IoT device within the ecosystem
- Passwordless authentication between devices and systems
- Strong encryption for data in transit and at rest
- Scalable, proven technology that’s been used for decades to secure networks, devices and users
- Automation of certificate provisioning and renewal to support millions or billions of IoT devices
PKI is a vital foundation for federal agencies, IoT device manufacturers and others for implementing strong cybersecurity protections into various networks.
Mrugesh Chandarana is Product Management Director for Identity and Access Management Solutions at HID Global, where he focuses on IoT and PKI solutions. He has more than ten years of cybersecurity industry experience in areas such as risk management, threat and vulnerability management, application security and PKI. He has held product management positions at RiskSense, WhiteHat Security (acquired by NTT Security), and RiskVision (acquired by Resolver, Inc.).