This blog was written by an independent guest blogger.
The IoT Cybersecurity Act, which aims to reduce the supply chain risk to the federal government arising from vulnerable IoT devices, was recently passed into law, and its effects are expected to carry over into private enterprise. Critics felt the law was long overdue: as found in the Nokia Threat Intelligence Report 2020, IoT devices are now responsible for 32.72% of all infections observed in mobile networks, representing an increase of 16.55% since 2019 alone. What threats can the rapid proliferation of IoT devices cause, and how is the new law dealing with them?
2020: A year of unprecedented cyber attacks
2020 has demonstrated the extent to which cyber criminals can quickly take advantage of major changes and crises taking place in the world. In a recent report, Fortinet warns that the introduction of edge devices will provide attackers with even more opportunity to wreak havoc via advanced threats. Over the past few years, traditional networks have been replaced with multiple-edge environments, IoT, WAN, remote center, and more. Fortinet adds that “while all of these edges are interconnected many organizations have sacrificed centralized visibility and unified control in favor of performance and digital transformation.” Cyber criminals will be harnessing the speed and scale that 5G will enable to target these environments at a more profound level.
Main threats to security posed by connectivity
Some of the biggest threats to cyber security include trojans seeking to target the edge, edge-enabled swarm attacks, smarter social engineering, and the possibility of ransoming OT edges. For everyday users, the practical implications are endless. In social engineering, for instance, attackers can use important contextual information about users’ daily routines and finances to ransom, extort, and carry out stealth credential attacks, in addition to interfering with routines by turning off security systems and disabling cameras.
Rural communities could be vulnerable to new threats
Rural communities often have poor connectivity, with many having slow Internet connections. The Federal Communications Commission’s 2020 Broadband Development Report has found that around 18 million Americans, mainly in rural areas, do not have any access to broadband at all. As stated by the ARC Advisory Group, rural communities have the same cybersecurity challenges as large cities - including ransomware attacks. Many, however, do not have the same sophisticated response plans as big cities. Rural communities, which often rely on outsourced IT software providers, will need not only to ensure that these suppliers are competent at both the IT and the OT level, but also to boost cyber awareness among rural dwellers who rely on the Internet daily or regularly.
New security standards set
The new IoT Cybersecurity Improvement Act of 2020 will see the National Institute of Standards and Technology (NIST) setting and sharing standards and guidelines on issues related to the development, management, configuration, and patching of IoT devices. The law will require that all IoT devices used within federal agencies comply with these standards. It will also develop procedures for reporting and disclosure of security vulnerabilities. The Office of Management and Budget, meanwhile, will “develop and oversee the implementation of policies, principles, standards, or guidelines as may be necessary to address security vulnerabilities of information systems (including Internet of Things devices).”
The IoT Cybersecurity Improvement Act of 2020 is a response to the growing number of cyber-attacks on connected devices. Although the legislation covers devices paid for with government money, its stipulations are expected to affect private devices as well. This is good news considering the increasing popularity of connected devices and the growing sophistication of intelligent attacks.