CDAIT IoT Sensor 09.22.2021

Posted September 22, 2021

Angelina Kim, The Center for the Development and Application of the Internet of Things (CDAIT)

Cybersecurity Dimensions of IoT

Encompassing a wide variety of applications, from the Industrial Internet of Things (IIoT) to the smart electricity grid, telemedicine, telehealth, and smart homes, the Internet of Things (IoT) has penetrated and transformed many industries and fields. Yet, as the Internet of Things grows and expands, a key challenge confronts the IoT industry, its developers, and its users: cybersecurity.

IoT device cybersecurity remains a potential barrier to widespread deployment. Many of these devices are smaller, with less storage and processing ability, which leaves them less equipped to support robust cybersecurity measures. They are also usually interoperable, which increases the security risk. At the same time, these devices may collect private or sensitive data or serve essential uses. This is especially true of the Internet of Medical Things (IoMT), where private medical data is collected, shared, and monitored. Cybersecurity vulnerabilities leave this data open to potential exposure and to attacks such as denial of service, malware, wiretapping, and ransomware. A 2019 survey reported that 82% of healthcare organizations had experienced an IoT-focused cyberattack, a situation that unfortunately has not significantly improved since.

What are the Industry Perceptions?

A survey by Tripwire and Dimensional Research from March 2021 polled 312 security professionals who work with IoT and IIoT. Of these, 99% reported facing challenges with securing their connected devices, and 88% felt that they do not have enough resources to confront those challenges. Furthermore, around 66% said they had experienced difficulties trying to discover and remediate vulnerabilities. When the survey turned to the industrial supply chain, 97% said they had concerns about securing the supply chain, and 87% reported being specifically concerned about the vulnerabilities and risk introduced by IoT and IIoT.

Although it is a relatively older survey (from 2019), the Irdeto Global Connected Industries Cybersecurity Survey of over 700 companies from five countries (China, Germany, Japan, UK, and US) revealed that over 82% of companies that manufacture IoT devices were concerned that their devices are not secure enough to fend off a cyberattack. Over 90% believed that their devices could be improved to some extent.

What Has Been Done in the Policy Sphere?

In the past few years, we have seen an increase in cybersecurity measures and policy in IoT at both the federal and state levels. At the federal level, the Internet of Things Cybersecurity Improvement Act was passed in December of 2020. The new law directs the National Institute of Standards and Technology (NIST) to create guidelines addressing the cybersecurity risks of IoT technology, which are to be updated every five years, although NIST had already been involved in IoT cybersecurity for a number of years. The law also directs the Office of Management and Budget and the Department of Homeland Security to create policies that align with NIST guidelines. By December 2022, no government agency may renew or create new contracts with any companies that do not meet NIST guidelines. NIST released guidelines shortly after the bill became law, and ensuing actions from NIST can be followed at the page for its Cybersecurity for IoT program.

Most recently, in May 2021, the White House released an executive order that reaffirmed the federal government's mission to “identify, deter, protect against, detect, and respond to... sophisticated and malicious cyber campaigns that threaten the public sector.” The order also encouraged collaboration with the private sector, highlighting the importance of “adap[ting] to continuously changing threat environments, ensur[ing] its products are built and operated securely, and partner[ing] with the Federal Government to foster a more secure cyberspace.”

California and Oregon led the way with their IoT security laws that both went into effect on January 1st of 2020. The laws require manufacturers of connected devices (devices or other objects that are able to connect to the internet) to implement “reasonable security features” to protect data privacy and information. California’s law is broader in that it applies to all IoT devices whereas Oregon’s only applies to consumer IoT devices. A policy issue that arose from these laws is that the level of “reasonable security” measures is unclear beyond the limited guidance of the laws. California’s and Oregon’s actions pushed other states like Illinois, Kentucky and Virginia to consider similar legislation.

For further reading:

Cybersecurity Threats: The Daunting Challenges of Securing the Internet of Things https://www.forbes.com/sites/chuckbrooks/2021/02/07/cybersecurity-threats-the-daunting-challenge-of-securing-the-internet-of-things/

California Passes Nation’s First Cybersecurity Law Addressing Internet of Things https://www.security.org/blog/california-passes-first-cybersecurity-law-iot/

IoT manufacturers - What You Need to Know About California’s IoT Law https://www.natlawreview.com/article/iot-manufacturers-what-you-need-to-know-about-california-s-iot-law

California and Oregon’s IoT Cybersecurity Law: The 7 Key Points Explained https://bgnet.works/california-and-oregons-iot-cybersecurity-law-the-7-key-points-explained/

New IoT Cybersecurity Improvement Act: Creating a Floor For IoT Security? https://www.iotworldtoday.com/2021/02/02/new-iot-cybersecurity-improvement-act-creating-a-floor-for-iot-security/

Understanding the Internet of Things Cybersecurity Improvement Act https://www.securityinfowatch.com/cybersecurity/article/21159985/understanding-the-internet-of-things-iot-cybersecurity-improvement-act

IoT Update: Congress Passes IoT Cybersecurity Improvement Act of 2020 https://www.insideprivacy.com/internet-of-things/iot-update-congress-passes-iot-cybersecurity-improvement-act-of-2020/

82% of healthcare organizations have experienced an IoT-focused cyberattack, survey finds https://www.fiercehealthcare.com/tech/82-healthcare-organizations-have-experienced-iot-focused-cyber-attack-survey-finds

Cyberrisk in an Internet of Things World https://www2.deloitte.com/us/en/pages/technology-media-and-telecommunications/articles/cyber-risk-in-an-internet-of-things-world-emerging-trends.html

IoT and IIoT Security Survey https://www.tripwire.com/misc/iot-and-iiot-cybersecurity-report

Executive Order on Improving the Nation’s Cybersecurity https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/