A growing number of state legislatures are concerned about the security risks posed by poorly secured Internet-of-Things (IoT) devices. California was the first to pass a law mandating better IoT security in 2018, and Oregon has followed suit this year, while Illinois, Kentucky, Massachusetts, Maryland, New York, Rhode Island, Vermont and Virginia are considering similar legislation.
These laws are a positive first step in improving IoT security, but the California and Oregon laws, which go into effect January 2020, have been criticized for being so broad and vague as to be largely ineffective, at least initially. The California law, in particular, covers any device that has either an Internet Protocol (IP) or Bluetooth address, which means everything from sensors on a factory floor to your Bluetooth headset. It requires “reasonable security features,” but does not say what is reasonable within the definition of the law, which leaves much to interpretation. For example, while consumers might think requiring a password to connect to the Internet is a sufficient security measure, information security professionals understand that IoT devices often include other, more complex interfaces that can access sensitive data if left ungated.
Though they may come across as ambiguous, these laws are likely intentionally broad to account for the fact that the ecosystem for IoT devices is still emerging. And, while IoT manufacturers are unlikely to rush to comply, particularly since there are no specified penalties, the hope is that the laws will prompt them to more carefully consider security. These regulations also serve to remind businesses that many of these seemingly benign devices are not actually secure. Organizations should take note, as most companies have plenty of these devices on their networks and they should identify exactly where they are and what risks they might pose.
If your organization uses IoT devices, here are some tips to help mitigate security concerns:
- Inventory your assets to make sure you know what IoT devices are on your network, and where they reside. Take a close look at all connected devices, including security cameras, badge-reading systems, WiFi routers and Bluetooth headsets.
- Assign someone from your IT staff the responsibility of securing these devices.
- Assess your risks and approach these devices the way an attacker would. If someone broke in through this device, where in your network could they go? What damage could they do?
- Segment IoT devices so they cannot connect to the most critical parts of your network. Although this goes against the whole appeal of these devices, i.e. that they connect to everything, you need to ensure they can’t spread malware that would harm your business. The balance will ultimately come down to how you deploy each device and your level of risk tolerance.
- Identify whether the device can be updated and patched. If so, who does the updating, when and how?
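The inventory, segmentation and patching steps above lend themselves to a simple recurring audit. The script below is an added example written for this post, not code from the original article or from BTB Security; the asset records, VLAN layout and dates are constructed for illustration, and the field names (`category`, `owner`, `patchable`, `last_patched`) are assumptions about how an organization might keep its inventory. It flags IoT devices that share a VLAN with a critical system, devices with no assigned owner, devices that cannot be patched, and patchable devices whose last update is older than a chosen threshold.

```python
"""Audit a small IoT asset inventory for segmentation, ownership and patch
status. All records below are constructed sample data, not a real network."""

from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Asset:
    name: str
    ip: str
    vlan: int
    category: str            # assumed values: "iot", "critical", "user"
    owner: Optional[str]     # IT staff member responsible, or None if unassigned
    patchable: bool          # can the vendor/operator apply updates at all?
    last_patched: Optional[date] = None  # None when never patched or unknown


# Constructed sample inventory (hypothetical hostnames and addresses).
INVENTORY: List[Asset] = [
    Asset("lobby-camera-01", "10.0.10.21", 10, "iot", None, True, date(2019, 3, 1)),
    Asset("badge-reader-01", "10.0.20.5", 20, "iot", "alice", False),
    Asset("erp-db-01", "10.0.20.10", 20, "critical", "bob", True, date(2019, 9, 15)),
    Asset("wifi-router-02", "10.0.10.1", 10, "iot", "alice", True, date(2019, 8, 30)),
    Asset("conf-headset-07", "10.0.30.44", 30, "iot", None, False),
]


def find_unsegmented(inventory: List[Asset]) -> List[Tuple[str, str]]:
    """Return (iot_device, critical_system) pairs that sit on the same VLAN.

    Sharing a VLAN is used here as a proxy for "can reach directly"; a real
    audit would also consult firewall/ACL rules between segments.
    """
    critical_by_vlan: Dict[int, List[Asset]] = {}
    for asset in inventory:
        if asset.category == "critical":
            critical_by_vlan.setdefault(asset.vlan, []).append(asset)
    findings = []
    for asset in inventory:
        if asset.category == "iot":
            for crit in critical_by_vlan.get(asset.vlan, []):
                findings.append((asset.name, crit.name))
    return findings


def find_unowned(inventory: List[Asset]) -> List[str]:
    """IoT devices with nobody on the IT staff responsible for them."""
    return [a.name for a in inventory if a.category == "iot" and a.owner is None]


def find_unpatchable(inventory: List[Asset]) -> List[str]:
    """IoT devices that cannot receive updates; these need compensating controls."""
    return [a.name for a in inventory if a.category == "iot" and not a.patchable]


def find_stale(inventory: List[Asset], today: date, max_age_days: int = 90) -> List[str]:
    """Patchable IoT devices whose last update is older than max_age_days."""
    stale = []
    for a in inventory:
        if a.category != "iot" or not a.patchable:
            continue  # unpatchable devices are reported separately
        if a.last_patched is None or (today - a.last_patched).days > max_age_days:
            stale.append(a.name)
    return stale


def audit(inventory: List[Asset], today: date) -> Dict[str, list]:
    """Run every check and return the findings keyed by check name."""
    return {
        "unsegmented": find_unsegmented(inventory),
        "unowned": find_unowned(inventory),
        "unpatchable": find_unpatchable(inventory),
        "stale": find_stale(inventory, today),
    }


if __name__ == "__main__":
    for check, items in audit(INVENTORY, date(2019, 10, 1)).items():
        print(f"{check}: {items if items else 'none'}")
```

In the constructed data the badge reader shares VLAN 20 with the ERP database, which is exactly the case the segmentation tip warns about; the two devices without an owner and the two that cannot be patched each map to a specific follow-up action (assign someone, or isolate and plan replacement).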
For IoT device manufacturers, we recommend the following:
- Consult with info sec experts to evaluate the security of your product. They can help ensure you’re designing devices that include security from the ground up.
- Consult your attorney. Have your attorney read the laws and make sure you’re following their provisions.
For more on improving your organization’s security posture overall and how we can help, visit www.btbsecurity.com.