Summary

A new security bill is awaiting signature by President Trump. It directs the National Institute of Standards and Technology (NIST) to create minimum cybersecurity standards for IoT devices owned or controlled by the U.S. government. The standards will include use and management of IoT devices, as well as coordinated disclosure of vulnerabilities.

Let’s take a look at how the security bill will benefit organizations that use IoT devices.

 

Bringing (some) order to IoT device security chaos

The lack of security standards has been an issue since IoT devices became popular a decade ago, with their widespread usage outpacing the industry’s ability to agree on how to protect them.

The failure to agree hasn’t been for lack of trying. For the last few years, several industry and government groups created standards to improve interoperability and security of IoT devices, including:

In spite of these groups’ efforts, there hasn’t been sufficient incentive for the industry to align around a single set of standards. The result has been a patchwork of guidelines that address only some aspects of IoT device security.

For example, the European Union Agency for Cybersecurity (ENISA) performed a gap analysis on the existing standards related to IoT security and found that “…it is possible to deliver a device to the market that can authenticate its user, that can encrypt data it transmits, that can decrypt data it receives, that can deliver or verify the proof of integrity, but which will still be insecure.”

The current lack of standards on IoT vulnerability reporting and handling means that vendors aren’t under any obligation to disclose or remediate vulnerabilities, leaving millions of vulnerable devices at risk of…