The US Government Finally Gets Serious About IoT Security

An anonymous reader quotes a report from IEEE Spectrum, written by Stacey Higginbotham: The IoT Cybersecurity Improvement Act of 2020 has given the nation an excellent framework that will influence IoT security across the world. So, what's to like about the law? Two things, as it turns out. First, the law isn't focused on securing individual devices by dictating password requirements or encryption standards, both of which will need to evolve. Instead, it relies on the National Institute of Standards and Technology (NIST) to set many of the requirements that government agencies have to follow when purchasing connected devices. These policies see overall security as the sum of several parts, requiring specific prescriptions for device, cloud, and communication security.

NIST's initial rules include today's best practices, such as having an over-the-air device update program, unique IDs for each device so it can be identified on a network, and a way for authorized users to change features related to access and security. The recommendations also include logging the actions taken by an IoT device or its related app, and clearly communicating the specifics of a device's security to the user. The other reason to like the law is that it remains adaptive and flexible by requiring NIST to assess the best practices for cybersecurity for connected devices every five years. Hacks, by their nature, are also adaptive and flexible, and so preventing them needs equally adaptable legislation. That means buying IoT devices that can receive over-the-air software updates, for example, to patch up any newly discovered exploits."Unfortunately, the law isn't airtight," writes Higginbotham. She worries that the waiver process for devices needed for national security or research could be abused. ..

Support the originator by clicking the read the rest link below.