[ad_1]
A new bill establishing federal guidelines for the security of IoT devices as well as rules for the coordinated disclosure of vulnerabilities of these devices was presented to the House of Representatives and the Senate, paving the way for what would be the first to these standards for federal agencies and vendors selling equipment to them.
The bill contains a number of separate provisions, but the one that is likely to have the greatest impact on the security of IoT is the establishment of a set of standards for the security of connected devices, standards that will be developed by the National Institute of Standardization and Technology. . The draft legislation does not provide much detail about the nature of these security standards, but provides for four distinct areas: secure development, identity management, patches, and configuration management. According to the wording of the bill, vendors who sell IoT devices to federal agencies will have to comply with NIST standards in these areas.
The bill, known as the Cybersecurity Improvement Act of the Internet of Things, would also require the NIST director to develop "recommendations for the federal government on the appropriate use and management by the federal government of the Internet of Things devices owned or controlled by the federal government, including the minimum information security requirements for the management of the risks of cybersecurity badociated with these devices. "
The low security of many IoT devices has been a concern for many years in the security world and among lawmakers, but there has been no real improvement. Most of the problems experienced by early generations of IoT devices are still present in the most recent versions, including hard-coded authentication information by default, insufficient software security practices, the lack of encryption. lack of updating mechanisms and many others. House and Senate bills attempt to address some of these issues through the proposed requirements for secure software development and patch practices, but the specific wording of NIST guidelines will be essential in determining whether standards have any effect.
Last year, the UK released a set of guidelines on secure development practices for IoT device manufacturers, which takes up many of the principles outlined in the IoT bills introduced this week . IoT device manufacturers have been slow to respond to the demands of researchers, consumers and legislators to improve the safety of their products for a number of reasons, mainly because there is little economic incentive to do it. Connected light bulbs, running shoes, beds and bells are selling very well as is.
Everything from our national security to the personal information of US citizens, could be vulnerable because of security breaches in these devices. "
But the best incentive the government has to move things in the right direction is its unparalleled buying power. If these bills come into force, the guidelines developed by NIST could become standards used in acquisition programs and nothing would serve more to clean up a security mess than money.
"As the government continues to buy and use more and more devices connected to the Internet, we must ensure that these devices are secure. Everything from our national security to the personal information of US citizens, could be vulnerable because of security breaches in these devices, "said Representative Robin Kelly (D-Ill.), One of the authors of the draft House law.
The second part of the bill concerns the establishment of a coordinated vulnerability disclosure policy for federal agencies using IoT devices. The policy is supposed to be aligned with ISO 29147 and ISO 30111, two international standards dealing with disclosure of vulnerabilities. The version of the Senate bill requires that the NIST Director "in consultation with cyber security researchers and private sector experts that the Director deems appropriate, issue directives on policies and procedures relating to reports, to the – (1) a security breach related to a covered device used by the federal government; and (2) the resolution of this security vulnerability. "
The disclosure of vulnerabilities in the IoT market followed the same general path as in the early days of desktop software and Web applications. Some providers have responded to reports of vulnerability with hostility or legal threats, others have ignored them and some have collaborated with researchers to address the issues. Responses have been widespread, with no consistent guidelines to be followed by researchers and providers. The Capitol Hill bills would now solve much of this problem. They would also require federal agencies to adhere to a set of guidelines for reporting, coordinating, publishing, and receiving information from researchers about vulnerabilities in IoT devices.
The Senate bill is sponsored by Senator Mark Warner (D-Va.) And several others, and the House bill is sponsored by Kelly and Rep. Will Hurd (R-Texas).
Source link
