IoT Cybersecurity Improvement Act

Since August 2017 the U.S. Congress has been working on a new internet of things security bill, designated S.1691, the Internet of Things (IoT) Cybersecurity Improvement Act. The U.S. government is not known for being timely, so if it is recommending security measures for connected devices, it is long past time for every organization to take action. Unfortunately, this new law does not cover consumer or even enterprise-grade connected devices, so it protects neither consumers nor corporations directly.

About the IoT Cybersecurity Improvement Act

The new IoT Cybersecurity Improvement Act does require all connected devices purchased for use in a government agency or by a federal contractor to meet minimum security requirements. This is great news for the security of government and critical infrastructure verticals. For everything else, it leaves a lot to be desired. At best, we will see a ripple effect in the enterprise world that may push the industry to adopt these updated security standards. The bill was introduced, and eventually passed, as a reaction to increasingly vulnerable connected systems that are used more every day in every type of organization. Highlights of the IoT Cybersecurity Improvement Act include:

    • Requires the National Institute of Standards and Technology (NIST) to publish standards and guidelines on the use and management of IoT devices by the federal government, including minimum information security requirements for managing cybersecurity risks associated with IoT devices.

    • Directs the Office of Management and Budget (OMB) to review federal government information security policies and make any necessary changes to ensure they are consistent with NIST’s recommendations.

    • Requires NIST and OMB to update IoT security standards, guidelines, and policies at least once every five years.

    • Prohibits the procurement or use by federal agencies of IoT devices that do not comply with these security requirements, subject to a waiver process for devices necessary for national security, needed for research, or that are secured using alternative and effective methods.

    • Requires NIST to publish guidelines for reporting security vulnerabilities relating to federal agency information systems, including IoT devices.

    • Directs OMB to develop and implement policies necessary to address security vulnerabilities relating to federal agency information systems, including IoT devices, consistent with NIST’s published guidelines.

    • Requires contractors providing IoT devices to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that information is disseminated.

IoT Cybersecurity Improvement Act Leaves Room for Improvement for Enterprises

While legacy systems are technically exempt, the need to secure these connected devices is no less pressing. The truth is that the vast majority of IoT, ICS and other connected devices are unlikely ever to be patched. Many devices shipping today arrive vulnerable to severe flaws. So, while not perfect, the new IoT Cybersecurity Improvement Act is a great first step toward actually improving IoT security at scale.

IoT Cybersecurity and Securolytics

Securolytics' IoT Security Tools provide at least five key capabilities recommended by NIST, regardless of the age or patch level of the IoT and ICS systems involved, including:

  1. Gain visibility: Obtain and maintain an accurate and current inventory of all connected devices. Most asset inventory tools require either a SPAN or TAP connection and intercept all traffic to identify new devices. Securolytics does NOT require any such connection. You simply plug the Ethernet cable into any active Ethernet port, and Securolytics will do the rest.

  2. Understand behaviors: Know at all times how every device is behaving and which other parts of the network it is communicating with, or could communicate with. Securolytics combines a massive proprietary database of known device behavior and services with its proprietary machine learning algorithms to find new or previously unidentified systems. Additionally, Securolytics monitors and blocks malicious behavior by the connected devices it is managing.

  3. Centralize management: Use a single dashboard that allows tracking and investigating at-risk devices. Securolytics provides a user-accessible dashboard with real-time findings and data from the appliance. Additionally, admins can easily feed this information into SIEM software.

  4. Implement segmentation: Control, and limit, the connections of at-risk devices through segmentation. Securolytics monitors all devices connected to the network and either recommends or implements logical segmentation for any devices that need to be separated from the primary network.

  5. Establish continuous monitoring: Get timely notifications of new devices, offline devices, potential risks and threats. Securolytics is a continuous monitoring solution that helps manage previously unmanaged devices and provides timely and useful notifications.

Get A Free IoT Security Assessment with the IoT Mini

As IoT security threats continue to increase, now is the time to make sure you're managing all devices connected to your corporate networks. Securolytics can help, and you can request a FREE analysis of what's on your network today with the Securolytics IoT Mini.

As always, you can learn more about the Securolytics products (including the IoT Security Appliance).

John Nye

Technical Product Manager
