The IoT Cybersecurity Improvement Act of 2020
To address the expanded threat landscape and to limit the exposure of federal agencies and services to the vulnerabilities of IoT devices, the U.S. government signed into law the IoT Cybersecurity Improvement Act of 2020. The Act mandates NIST to create cybersecurity standards for connected devices purchased and used by federal agencies.
According to the Act, NIST is to develop and publish “standards and guidelines on the appropriate use and management” of IoT devices “owned or controlled” by federal agencies which are connected to federal networks. These guidelines should also include “minimum security requirements for managing cybersecurity risks” inherent with these devices.
Additionally, the Act dictates that federal agencies refrain from “procuring or obtaining, renewing a contract to procure or obtain, or using an IoT device” if the device is not compliant with the guidelines issued by NIST.
In response to the IoT Cybersecurity Improvement Act, NIST released four new publications:
The objective of these four documents is to establish a common cybersecurity framework between the government and IoT device manufacturers for IoT devices procured and used by federal agencies.
What Are IoT Vulnerabilities?
The Open Web Application Security Project (OWASP), a non-profit foundation for improving software, has published the IoT Top 10 vulnerabilities, which is a great resource for manufacturers and users alike.
- Weak, Guessable, or Hardcoded Passwords
“Use of easily brute forced, publicly available, or unchangeable credentials, including backdoors in firmware or client software that grants unauthorized access to deployed systems.”
Weak, default, and hardcoded passwords are the easiest way for attackers to compromise IoT devices and go on to launch large-scale botnets and other malware. Managing passwords in a distributed IoT ecosystem is a time-consuming and difficult responsibility, especially since IoT devices are managed over-the-air.
- Insecure Network Services
“Unneeded or insecure network services running on the device itself, especially those exposed to the internet, that compromise the confidentiality, integrity/authenticity, or availability of information or allow unauthorized remote control.”
Adversaries seek to exploit weaknesses in the communication protocols and services running on IoT devices to compromise sensitive or confidential information exchanged between the device and a server. Man-in-the-Middle (MITM) attacks exploit these vulnerabilities to capture the credentials used to authenticate these endpoints, and then leverage those credentials to launch larger-scale attacks. It is therefore imperative to secure IoT communications with industry best practices.
- Insecure Ecosystem Interfaces
“Insecure web, backend API, cloud, or mobile interfaces in the ecosystem outside of the device that allows compromise of the device or its related components. Common issues include a lack of authentication/authorization, lacking or weak encryption, and a lack of input and output filtering.”
A strong authentication and authorization mechanism needs to be in place to mitigate insecure web, backend API, cloud, or mobile interfaces in the IoT ecosystem. Several solutions have been developed to safeguard the identity of IoT devices while taking the constrained nature of these endpoints into account. With an effective device identity mechanism, whenever a server communicates with an IoT device, the server can differentiate between a valid endpoint and a rogue one by forcing the endpoint to authenticate itself.
- Lack of Secure Update Mechanism
“Lack of ability to securely update the device. This includes lack of firmware validation on device, lack of secure delivery (un-encrypted in transit), lack of anti-rollback mechanisms, and lack of notifications of security changes due to updates.”
Unauthorized software and firmware updates are a major threat vector for launching attacks against IoT devices. A corrupted update can disrupt the operations of critical IoT devices and have physical consequences in sectors like healthcare or energy. To secure firmware and software updates, we need to secure access to the updates and verify both the source and the integrity of each update.
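As an added example (not code from the original article or from OWASP), the following Python shows the device-side checks this item calls for: authenticate the update manifest, verify the image digest, and refuse rollbacks. The key, manifest fields and function names are assumptions, and an HMAC with a provisioned key stands in here for the asymmetric signature a production updater would normally verify.

```python
import hashlib
import hmac
import json

# Constructed sample key; a real device would hold its key in protected storage.
DEVICE_KEY = b"constructed-demo-key-not-for-production"


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Vendor side: authenticate the canonical JSON form of the manifest."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_update(image: bytes, manifest: dict, tag: str,
                  installed_version: int, key: bytes = DEVICE_KEY) -> str:
    """Device side: return "accept" or the reason the update is refused."""
    # 1. Source: the manifest must carry a valid authentication tag.
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return "reject: manifest not authentic"
    # 2. Integrity: the image must match the digest in the authenticated manifest.
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest, str(manifest.get("sha256", ""))):
        return "reject: image digest mismatch"
    # 3. Anti-rollback: only strictly newer versions may be installed.
    version = manifest.get("version")
    if not isinstance(version, int) or version <= installed_version:
        return "reject: rollback or replay"
    return "accept"


def demo() -> dict:
    """Run the checks over constructed inputs, one per failure mode."""
    image = b"\x7fFW constructed firmware image v7"
    manifest = {"version": 7, "sha256": hashlib.sha256(image).hexdigest()}
    tag = sign_manifest(manifest, DEVICE_KEY)
    forged = dict(manifest, version=9)  # manifest edited, old tag reused
    return {
        "good": verify_update(image, manifest, tag, installed_version=6),
        "tampered_image": verify_update(image + b"!", manifest, tag, 6),
        "forged_manifest": verify_update(image, forged, tag, 6),
        "rollback": verify_update(image, manifest, tag, installed_version=7),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The order matters: the digest and version are trusted only after the manifest that carries them has been authenticated.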
- Use of Insecure or Outdated Components
“Use of deprecated or insecure software components/libraries that could allow the device to be compromised. This includes insecure customization of operating system platforms, and the use of third-party software or hardware components from a compromised supply chain.”
The security of the IoT ecosystem may be compromised by vulnerabilities in software dependencies or legacy systems. Manufacturers' use of outdated or insecure software, including open-source components, to build their IoT devices creates a complex supply chain that is difficult to track. These components might carry vulnerabilities known to attackers, creating an expanded threat landscape waiting to be exploited.
- Insufficient Privacy Protection
“User’s personal information stored on the device or in the ecosystem that is used insecurely, improperly, or without permission.”
Many deployed IoT devices collect personal data that need to be securely stored and processed to maintain compliance with the various privacy regulations, such as GDPR or CCPA. This personal data might be anything from medical information to power consumption and driving behavior. Lack of appropriate controls will jeopardize users’ privacy and will have legal consequences.
- Insecure Data Transfer and Storage
“Lack of encryption or access control of sensitive data anywhere within the ecosystem, including at rest, in transit, or during processing.”
The protection of IoT data—either at rest or in transit—is of great importance to the reliability and integrity of IoT applications. This data is used in automated decision-making processes and controls that can have serious physical repercussions. It is critical that we effectively protect this data. The use of strong encryption throughout the IoT data lifecycle and adaptive identity and access control will help secure IoT data from compromise and breaches.
- Lack of Device Management
“Lack of security support on devices deployed in production, including asset management, update management, secure decommissioning, systems monitoring, and response capabilities.”
One of the most important tasks and one of the most significant security challenges in the IoT ecosystem is managing all devices throughout their lifecycle. If unauthorized devices are introduced in the IoT ecosystem, they will be able to gain access and surveil corporate networks and intercept traffic and information. The key concerns of IoT device management are the provisioning, operation and updating of devices. The discovery and identification of IoT devices is a necessary first step in the monitoring and protection of these devices.
- Insecure Default Settings
“Devices or systems shipped with insecure default settings or lack the ability to make the system more secure by restricting operators from modifying configurations.”
IoT devices are shipped with default, hardcoded settings that are insecure and easy for attackers to breach. Once these settings are compromised, adversaries can look for hardcoded default passwords, hidden backdoors, and vulnerabilities in the device firmware. At the same time, these settings are difficult for a user to change. Having a deep understanding of these settings and the security gaps they introduce is a first step to implementing the appropriate controls for hardening these devices.
- Lack of Physical Hardening
“Lack of physical hardening measures, allowing potential attackers to gain sensitive information that can help in a future remote attack or take local control of the device.”
IoT devices are deployed in dispersed and remote environments—not kept in any controlled environment, but exposed in the field to perform their operations. An attacker may disrupt the services offered by IoT devices by gaining access to and tampering with the physical layer. Such actions could prevent, for example, sensors from detecting risks like fire, flood, and unexpected motion. We should ensure that the hardware is safe from tampering, physical access, manipulation, and sabotage.
Certificates as a Solution for Secure IoT devices
The well-established, PKI-managed digital certificates can help organizations address many of the aforementioned vulnerabilities.
The key to securing the proliferation of IoT devices is being able to identify them. Digital certificates are great for the provisioning of machine identities and for authenticating the distributed IoT ecosystem. Many IoT manufacturers and organizations are already leveraging the benefits of digital certificates for device identity, authentication, and encryption. However, issuing and managing the thousands of digital certificates across the entire corporate IoT ecosystem can be challenging if the solution for certificate management does not allow for automation and scalability.
A machine identity management solution will help organizations secure their IoT ecosystem by provisioning unique, strong identities, defining and enforcing security policies and standards, scaling security, and maintaining robust and effective security without jeopardizing the efficiency and operation of constrained IoT devices.
As IoT expands, no company can discount the tremendous security risks associated with having a multitude of possible infrastructure weaknesses. Digital PKI certificates with automated management will not resolve all security problems, but they are an important part of the equation that you need to assess and tailor to your organizational needs.