The Internet of Things Cybersecurity Act of 2017 (IoTCA) attempts to avoid repeating history. We all know that the internet is rooted in one “A” (Availability) but not in another very important “A” (Authentication).
The proposed IoTCA bill gives the problem of trustworthy authentication a good deal of attention, since solving the authentication problem (people-to-machines, software-to-hardware, data-to-processes, etc.) would be, from an internet security perspective, almost analogous to achieving world peace.
As billions of IoT devices become part of our businesses and homes, their value will be limited by the degree to which we can trust their authenticity – that they are what/who they claim to be. Though the IoTCA is not a silver bullet, it attempts to help reduce the level of obvious risks in a ballooning population of internet-connected devices.
I’m concerned, though, about its attempt to legislate vulnerabilities because technology evolves so quickly. While the government should use its power of the purse – its contracting and procurement processes – to move the ball forward, it’s probably not practical to assert written “verification” or “certification” that an IoT product is vulnerability- or defect-free.
On the other hand, the proposed legislation’s liability protection for those who are forthcoming about vulnerabilities is a breath of fresh air, especially compared to some of the critical infrastructure sectors that, for fear of regulatory fines, sometimes limit vulnerability sharing.
Additionally, the IoTCA proposal to require “industry standard protocols,” however well intentioned, may have unintended consequences because of its potential impact on innovation.
There is one aspect of the bill, though, that reflected its authors’ sophisticated understanding of security strategy: its notation about the important role of “segmentation.” When it comes to cybersecurity strategy, segmentation is still king.
Segmentation (limiting access based on need-to-know to those with authenticated credentials):
- Helps prevent breaches;
- Limits the potential scope of compromises that have already occurred; and
- Enables innovation by allowing experimentation and the adoption of promising technologies that might still be on the path toward optimal security.
The bill rightly encourages adoption of segmentation strategies and architectures to intelligently allow IoT devices to be incorporated into the network while limiting their potential negative impact. The bill’s “inventory of devices” requirement would also help create an excellent starting point for companies or businesses to reference when selecting and operating IoT devices, since visibility into devices actively connected to the network continues to be a challenge for most organizations. Proper segmentation and monitoring would not only separate classes of devices and data but would also allow administrators to pinpoint and isolate misbehaving devices, and then check them against an inventory so that remediation can be extended to all related devices – not just the one that had been compromised.
Segmentation is part of a fundamental “intentional design” strategy where vulnerabilities and potential attack vectors are identified and architected out of the network during the network architecture design phase, rather than relying exclusively on security technology.
Going further, researchers are experimenting with a strategy called “Earned Trust,” in which IoT devices would be allowed access based on their stated trust levels while their network behaviors are automatically monitored to see whether they are, indeed, performing as advertised. The network could then automatically adjust their level of access based on their behaviors. We could then also raise the level of monitoring or access for similar devices while we determine if the observed aberrant behavior was an anomaly or endemic to an entire class of devices.
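A sketch of the Earned Trust loop and the inventory check described in the two paragraphs above, added here as an illustration and not taken from the bill or from any product. The scoring weights, tier thresholds, device names and flow log are constructed assumptions.

```python
from dataclasses import dataclass, replace
REWARD, PENALTY = 1, 20          # assumed scoring weights, not from the bill
TIERS = [(70, "full"), (40, "restricted"), (0, "quarantine")]  # assumed thresholds

@dataclass
class Device:
    device_id: str
    device_class: str
    declared: frozenset          # destinations the device is advertised to use
    trust: int = 70              # stated trust level at onboarding

def segment_for(trust: int) -> str:
    """Map a trust score to the network segment the device is placed in."""
    return next(name for floor, name in TIERS if trust >= floor)

class EarnedTrustMonitor:
    def __init__(self, inventory):
        self.inventory = {d.device_id: d for d in inventory}
        self.watched_classes = set()   # classes with observed aberrant behavior

    def observe(self, device_id: str, dest: str) -> str:
        """Score one observed flow and return the segment the device now earns."""
        dev = self.inventory.get(device_id)
        if dev is None:                # not in the inventory: nothing vouches for it
            return "quarantine"
        if dest in dev.declared:
            dev.trust = min(100, dev.trust + REWARD)
        else:
            dev.trust = max(0, dev.trust - PENALTY)
            self.watched_classes.add(dev.device_class)
        return segment_for(dev.trust)

    def monitoring_level(self, device_id: str) -> str:
        """Related devices get closer monitoring while the anomaly is assessed."""
        dev = self.inventory[device_id]
        return "enhanced" if dev.device_class in self.watched_classes else "baseline"

# Constructed inventory and flow log (documentation-range address, made-up hostnames).
INVENTORY = [
    Device("cam-01", "camera", frozenset({"nvr.local:554"})),
    Device("cam-02", "camera", frozenset({"nvr.local:554"})),
    Device("thermo-01", "thermostat", frozenset({"hvac.local:8883"})),
]
FLOWS = [("cam-01", "nvr.local:554"), ("cam-01", "203.0.113.9:23"), ("cam-01", "203.0.113.9:23"),
         ("thermo-01", "hvac.local:8883"), ("rogue-99", "203.0.113.9:23")]

def replay(flows=FLOWS):
    monitor = EarnedTrustMonitor([replace(d) for d in INVENTORY])  # fresh copies
    return monitor, [monitor.observe(dev, dest) for dev, dest in flows]
```

In the replay, cam-01 is demoted step by step for undeclared traffic, cam-02 keeps its access but moves to enhanced monitoring because it shares a class, and the device missing from the inventory never leaves quarantine.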
In the meantime, the expansion of IoT across its many classes (consumer, commercial and industrial) means that the majority of data is no longer contained inside traditional networks, which means that securing only a few points within the network will no longer be good enough. That is why it’s critical that enterprises implement security solutions designed to complement and adapt to their network. These security technologies need to be able to identify, understand and protect infrastructures from the massive attack surfaces and new attack vectors created by IoT across the distributed and increasingly elastic network environment.
The adoption and integration of IoT is going to require taking a fresh look at both existing security solutions and strategies. Network security will not only need to actively prevent intrusions; it will also need to minimize the risk of serious breaches by reducing the time taken to detect and respond to new threats. Security solutions will need to collect and share intelligence, correlate indications of compromise and automatically coordinate a response to a threat or breach. Achieving this will require a broad, powerful and automated approach to security that many agencies and organizations do not yet have in place.
I’d like to see a little more consultation with industry as this bill progresses. While it gets an “A” for effort in incentivizing authentication, it still needs an “E” for enabling the adoption of an Earned Trust strategy.