Congress introduces a new IoT security bill
With connected IoT devices set to outnumber the world's population in the near future, it's never been more important for tech-minded companies to take extra measures to protect their networks from authorized access and exploitation. Gartner predicts that a total of 20.4 billion IoT devices will be deployed by 2020, which has some lawmakers concerned about the current state of endpoint security. Members of the U.S. Senate and House of Representatives have been trying to take legislative action to compel manufacturers of IoT devices to establish minimum security requirements as far back as 2016, but so far their efforts have not produced any meaningful results. However, a new bill introduced in early March may finally push companies to adopt national standards for IoT security.
If passed, the Internet of Things Cybersecurity Improvement Act of 2019 would require all IoT-enabled devices used by the federal government to integrate a set of minimum security standards, CNET reported. While the bill would not expressly impact all connected device manufacturers, lawmakers hope that it will lead to significant changes within the IoT sector as a whole. The legislation would also incorporate recommendations from the National Institute of Standards and Technology as a means of developing a clear set of best practices for IoT security moving forward.
The increased threat of DDoS attacks
As the number of fully networked IoT devices has increased, companies in the U.S. have also experienced a shocking rise in denial-of-service attacks. According to TechRepublic, organizations suffered an average of 237 DDoS attempts per month during Q3 of 2017, which represents a 35 percent increase from the previous quarter. Cybercriminals often target devices that do not posses built-in security measures, along with those that utilize default passwords or contain firmware vulnerabilities. These attacks can pose significant risks to national security and also have the potential to negatively impact large industrial players. For example, cybercriminals can use malicious code to exploit vulnerabilities in IoT devices as a means of carrying out large-scale DDoS ransom operations.
In 2017, researchers at NetLab 360 identified a massive botnet (the disturbingly named "IoT_reaper") that had hijacked around 28,000 devices. The goal was to exploit the collective bandwidth of the infected hardware network - which included everything from internet-connected webcams to digital video recorders - to take down popular websites in a complex extortion scheme. While these types of attacks are nothing new, the ways in which the botnet aggressively infiltrated the targeted devices demonstrated inherent flaws in modern computer systems.
How standardized security measures can help
Congress's new IoT legislation contains a host of guidelines for vendors of connected devices, many of which focus on fostering greater transparency and accountability. While it will likely take years before device manufacturers adopt general best practices for all of their products, the bill may hasten the development of universal IoT security measures. Some of the more specific guidelines include:
- All distributed IoT appliances must be patchable.
- Devices cannot contain any known vulnerabilities or hard-coded passwords.
- Manufacturers must disclose any and all security risks that are discovered post-sale.
- Vendors must disclose which network protocols are in use.
- NIST recommendations for security development, identity protections and configuration management must be met.
As it stands, IoT hardware manufacturers are free to design "smart" devices with as much or as little security as they see fit. This disparity not only causes compatibility issues for organizations looking for comprehensive security solutions, but it also leaves unwitting purchasers open to data exploitation, malware and ransomware attacks and large-scale DDoS takeovers. Creating a set of standardized security requirements could help government agencies, corporations and consumers stay up to date with the latest vulnerabilities, allowing them to take decisive action as quickly as possible.
Perle offers industry-grade networking tools that can support mission-critical operations and maintain system sustainability. Read some of our customer stories to learn how we've helped other companies improve their infrastructure and stay secure when it mattered most.