A new bill has been submitted in the Senate to address security in IoT devices. It was submitted Wednesday, August 2nd, by Senators Warner, Gardner, Wyden, and Daines. The Bill is named the Internet of Things Cybersecurity Improvement Act of 2017.
The Bill requires IoT devices in government networks to have no fixed passwords, no known security vulnerabilities, and timely security patches when a vulnerability is discovered. It also protects security researchers from negligence charges. Dropping fixed passwords and avoiding known vulnerabilities are a given, and we hope that all companies in our industry are already doing this (we are). The requirement for timely security patches is more demanding. It requires ongoing monitoring of new vulnerabilities and the capability for OTA updates. Again, building in the capability for OTA updates is a surefire way to ensure your product is future-proof, and we hope that all companies are already doing this (we are). Monitoring for new vulnerabilities and promptly patching them is an extra service we offer, but it’s an ongoing fixed cost that business owners have to consider.
We’re pleased to see the issues with device-level security on connected products addressed by our Congress and especially by our local Senator Cory Gardner. Security standards are needed in this industry. Unfortunately, this bill only addresses security standards for IoT devices that are installed in government networks. This won’t affect the majority of our projects, but we already follow most of the Bill’s guidelines on all finished products we develop. We’d love to see a Bill addressing minimum security requirements for consumer IoT devices; those devices are what fed the Mirai botnet…
You can read the full bill here.