Proposed IoT Security Bill Doesn’t Go Far Enough
By: Delia J. Smith
Earlier this month, four U.S. senators introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2017. This piece of legislation seeks to establish minimum cybersecurity standards for federally procured Internet of Things devices. It defines a device as a physical object that can connect to – and regularly connects with – the Internet and “has computer processing capabilities that can collect, send or receive data.”
In a nutshell, the act would require vendors to certify that IoT devices they are selling to the U.S. government:
- have no known vulnerabilities;
- can be properly authenticated and updated in a trustworthy fashion;
- use current industry standards for communications, encryption, and interconnections;
- eliminate fixed passwords.
The act is a noble effort and may well pass. However, it won’t adequately protect our nation’s IoT devices because, all too often, a device has a software weakness that is unknown to the vendor. This is called a zero-day vulnerability. Hackers patiently and deliberately search for these holes because, once one is found, it can be exploited to access user information or to plant malware and spyware. Only after the user discovers the breach – which can take months if not years – can developers hurriedly produce a “patch” to repair the software’s weak point.
To understand the severity of zero-day vulnerabilities, consider these statistics:
- A staggering 3,986 zero-day vulnerabilities were discovered in 2016.
- Nearly 30% of all malware attacks exploit zero-day vulnerabilities.
- Underlying IoT toolkits such as gSOAP have their own zero-day vulnerabilities, putting millions of IoT devices at risk.
- Malware signatures are changing so rapidly that intrusion-detection systems and antivirus software cannot keep up with recognizing them.
Here’s another drawback to the bill. As detailed in this article, this article, and this report, quite often hacks are not the fault of the device. Human error, stolen credentials, and poor patch management can also be the cause. In fact, the largest hack in U.S. government history – the Office of Personnel Management breach – was initiated when a hacker stole the credentials of a government contractor.
And, as a February 2017 report by the U.S. Government Accountability Office found, federal agencies “consistently fail to apply critical security patches on their systems in a timely manner, sometimes doing so years after the patch becomes available.”
At Dispersive, we create software networks that feature highly advanced techniques that can help secure IoT devices from unauthorized access. It’s technology that can change the way you use the Internet.
We welcome the chance to talk with you – or anyone in Congress who may be interested – about all this. To get the conversation started, just email us at email@example.com or call us at 1-844-403-5852.