Connected Device Security: New Mandates, Same Mayhem
By Jason Siegelin
On May 12th, 2021, the White House issued Executive Order 14028, titled “Improving the Nation’s Cybersecurity.”
The executive order (EO) lays out a set of security guidelines and practices for the federal government and software vendors to follow, requiring vendors to share relevant information on cyber incidents and threats, along with encouraging the adoption of Zero Trust Architecture and multi-factor authentication by organizations using cloud technologies.
The EO is a long one, but for the IoT community and Industry 4.0 evangelists one section stands out and deserves particular attention: Section 4, titled “Enhancing Software Supply Chain Security.” The section points toward what could become groundbreaking new federal regulations regarding third-party software component risk, provenance, and IoT device security in the United States.
Product security and IoT people, are your ears perking up? They should be.
IoT Devices and Software: Vulnerable Doesn’t Tell the Half of It
But first, why focus on IoT security and software provenance?
As of 2021, according to a report by cybersecurity company Venafi, only 24% of IoT devices used encryption when transmitting data.
And a study issued this year by security certification agency PSA Certified highlighted that the total cost of cybercrime is estimated to reach $10.5 trillion by 2025. Nearly a quarter of respondents had been victims of hacks caused by vulnerabilities in third-party products or services, and one-fifth of those respondents sold connected products that were used as the hacking vector or weak link.
But there’s more. The issue could have huge consequences for American national security: look no further than the Cybersecurity & Infrastructure Security Agency (CISA)’s insistent alerts about ongoing malicious cyber activity perpetrated by foreign actors. To make a long story short, the NSA, CISA, and the FBI, since 2020, have consistently observed state-sponsored foreign cyber actors accessing compromised servers and routers in the United States.
IoT and vendor security is no joke, and as connected cities, smart factories, and home automation systems become more widespread, it was only a matter of time before the federal government decided to issue guidance here.
Securing the Software Supply Chain
One of the core points of Section 4 of the EO comes early, when it orders the National Institute of Standards and Technology (NIST) to release guidelines for “enhancing software supply chain security.”
NIST eventually published those security guidelines, which include the use of multi-factor authentication, network segmentation, least privilege, protections for data at rest and in transit, software inventories, continuous monitoring, and endpoint security protection.
The government is sounding an alarm here, and it’s no drill. All OEMs and software developers in the IoT space, where component provenance is especially important for cybersecurity, should be paying close attention and shifting left.
And if software vendors don’t comply with NIST’s security guidelines, they might be restricted from doing business with the federal government: the EO’s language mentions that the Federal Acquisition Regulation (FAR), the primary regulation for government agencies to follow when contracting with vendors, might be changed to adopt NIST’s stricter recommendations. In other words, executive agencies may soon have more rigorous security hurdles for software providers to jump over to keep their government contracts.
An IoT Product Label? You Heard That Right.
Another critical part of Section 4 of the EO is where it tasks NIST with creating guidelines and criteria for an IoT consumer labeling program.
Specifically, the EO tells NIST to think up some key provisions to include in what might become a legally mandated IoT product label, added to connected products ranging from baby monitors to digital thermostats to smart fridges.
In its criteria, NIST recommends that an IoT product be sold with an up-to-date inventory of its components. The agency then suggests that customers be able to change an IoT product’s configuration settings via one or more components of the product, and that every IoT product should protect data (both stored and transmitted) from various forms of unauthorized access. Importantly, NIST adds that IoT products should ensure that data sent to other components matches certain standards for format and content, preventing unauthorized transmissions.
These are only a few of NIST’s suggestions, and soon enough IoT product developers may be required to show their compliance with these suggestions in the form of a mandatory product label.
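Two of the items above, the software/component inventory from NIST’s supply chain guidelines and the labeling criteria that an IoT product ship with an up-to-date component inventory and check the format and content of data passed between its components, are easy to picture in code. The following is an added example written for this article; it is not code from the article, from NIST, or from any labeling program, and the product name, component names, hashes, inventory layout, message types and sample messages are all constructed for illustration. It shows an inventory check that reports a device whose installed components no longer match the declared inventory, and a message validator that rejects data a component should not accept.

```python
"""Added example: a component inventory check and an inter-component message
validator for a hypothetical IoT thermostat. Layouts and names are constructed
for this illustration, not NIST's schema."""
from __future__ import annotations

import hashlib
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    supplier: str
    sha256: str  # digest of the shipped artifact (hypothetical values below)


def _digest(label: str) -> str:
    # Constructed hash for the sample: digest of a label, not a real artifact.
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed component list for the hypothetical "SmartTherm" product.
SAMPLE_COMPONENTS = [
    Component("tls-lib", "1.2.3", "ExampleCrypto", _digest("tls-lib-1.2.3")),
    Component("mqtt-client", "0.9.1", "ExampleIoT", _digest("mqtt-client-0.9.1")),
    Component("sensor-driver", "4.0.0", "ExampleSensors", _digest("sensor-driver-4.0.0")),
]


def build_inventory(product: str, firmware_version: str,
                    components: list[Component]) -> dict:
    """Declared inventory: what the vendor says is inside the product."""
    return {
        "product": product,
        "firmware_version": firmware_version,
        "components": [
            {"name": c.name, "version": c.version,
             "supplier": c.supplier, "sha256": c.sha256}
            for c in components
        ],
    }


def inventory_drift(inventory: dict, observed: dict[str, str]) -> list[str]:
    """Compare the declared inventory with what is actually on the device.

    observed maps component name -> sha256 measured on the device. Any missing,
    modified or undeclared component is a finding; an empty list means the
    inventory is current."""
    declared = {c["name"]: c["sha256"] for c in inventory["components"]}
    findings = []
    for name, digest in declared.items():
        if name not in observed:
            findings.append(f"missing on device: {name}")
        elif observed[name] != digest:
            findings.append(f"hash mismatch: {name}")
    for name in observed.keys() - declared.keys():
        findings.append(f"undeclared component on device: {name}")
    return sorted(findings)


# Message policy: for each message type, the fields a receiving component will
# accept, their Python types, and content limits (a regex or a numeric range).
MESSAGE_POLICY = {
    "temperature_report": {
        "sensor_id": {"type": str, "pattern": r"[a-z]{2}-\d{3}"},
        "celsius": {"type": (int, float), "min": -40.0, "max": 125.0},
    },
    "set_target": {
        "celsius": {"type": (int, float), "min": 5.0, "max": 35.0},
    },
}


def validate_message(raw: bytes, max_len: int = 512) -> tuple[bool, str]:
    """Return (accepted, reason) for a JSON message sent between components.

    Fail closed: size cap, strict JSON, known type only, no unexpected fields,
    and type plus content checks on every declared field."""
    if len(raw) > max_len:
        return False, "oversized message"
    try:
        msg = json.loads(raw)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed JSON"
    if not isinstance(msg, dict):
        return False, "message is not an object"
    policy = MESSAGE_POLICY.get(msg.get("type"))
    if policy is None:
        return False, "unknown message type"
    payload = msg.get("payload")
    if not isinstance(payload, dict):
        return False, "payload is not an object"
    extra = set(payload) - set(policy)
    if extra:
        return False, "unexpected fields: " + ", ".join(sorted(extra))
    for field_name, rule in policy.items():
        if field_name not in payload:
            return False, f"missing field: {field_name}"
        value = payload[field_name]
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, rule["type"]):
            return False, f"wrong type for {field_name}"
        if "pattern" in rule and not re.fullmatch(rule["pattern"], value):
            return False, f"bad format for {field_name}"
        if "min" in rule and not rule["min"] <= value <= rule["max"]:
            return False, f"{field_name} out of range"
    return True, "ok"


if __name__ == "__main__":
    inv = build_inventory("SmartTherm", "2.0.1", SAMPLE_COMPONENTS)
    on_device = {c.name: c.sha256 for c in SAMPLE_COMPONENTS}
    on_device["tls-lib"] = _digest("tls-lib-1.2.2")  # constructed: downgraded lib
    print(inventory_drift(inv, on_device))
    print(validate_message(b'{"type":"set_target","payload":{"celsius":21}}'))
    print(validate_message(b'{"type":"set_target","payload":{"celsius":99}}'))
```

The drift check is what makes the inventory "up to date" in practice: a declared list is only useful if something compares it against the device. The validator deliberately rejects unknown fields and unknown message types rather than ignoring them, so a component cannot be steered by data it was never designed to handle.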
The Bottom Line
The federal government’s guidance here on provenance and IoT security (which may soon become legally binding for software and IoT product vendors working with the government) represents a new culture of security emerging in our digitized 21st century.
Now is a time when the assets most critical to a functioning economy have been made the most vulnerable by IoT technologies, which can give a hacker control over everything ranging from our water supply to our industrial equipment to our power grid.
So, whether you’re remediating third-party vulnerabilities or overhauling your team’s IoT security program, now is the right time to be preventive, proactive, and proficient in securing your IoT-based products.