Wikipedia describes the Internet of Things (IoT) as the network of physical devices, vehicles, home appliances, and other items embedded with electronics, software, sensors, actuators, and connectivity which enables these things to connect, collect and exchange data. [0]
The Gartner Group predicts 20 million “smart” devices in use by 2020, and this excludes PCs, tablets and smartphones. In their IoT Technology Discussions survey, IT Security was selected as the top barrier to IoT success. The exponential explosion of these devices “creates an attack surface that has never been seen before.” [1]
Last Friday, California Governor Jerry Brown approved the nation’s first IoT Cybersecurity Law at the state level. It requires that, by January 1, 2020, all “smart” device manufacturers design and deliver devices with “reasonable” security features appropriate to the nature and function of the device, and to any information it collects, stores or transmits. It also requires “reasonable” authentication, with either a unique pre-programmed password or a common password that must be changed at first boot. Security must be incorporated in the design phase to provide protection against unauthorized access, destruction, use, modification or disclosure. [2]
There is concern about the ambiguous wording in California’s bill, like “reasonable security features” and “reasonable authentication”, which seems to encourage adding universal security features rather than reducing or removing specific vulnerabilities. Each device category has unique characteristics that require a clear description of standards, so that manufacturers know what is required and how their products will be evaluated for compliance. [3]
Congress is evaluating multiple proposals relating to IoT that require manufacturers of any connected devices purchased by the federal government to supply third-party verification that the devices are free from known vulnerabilities, can be patched, and have good authentication, with either a unique password per device or a common password that the user must change when the device is first turned on.
- Cybersecurity Improvement Act of 2017
- SMART IoT Act
- IoT Consumer Tips Act
- DIGIT Act
Overall, we believe the discussions taking place are vital for positive changes to occur, and as these bills are refined and become law we will all benefit.
Our team is available to discuss your IoT devices, your connection and security strategy, and to help you understand your unique situation.
Your Technology Partner,
The LeeShanok Team
[0] Internet of Things (IoT) – Definition
[1] IoT Technology Disruptions: A Gartner Trend Insight Report
[2] California’s IoT Cybersecurity Law Sets Standards for Device Manufacturers
[3] The Cybersecurity 202: California’s Internet of Things cybersecurity bill could lay groundwork for federal action