On September 28, California’s SB 327 was signed by the governor, making it the first law in the U.S. to mandate security provisions for manufacturers of internet of things (IoT) devices. (A similar, though more extensive, federal bill, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017, still sits with the Committee on Homeland Security and Governmental Affairs, and I have not seen any recent activity on its development.)
The new California law states that connected devices must be manufactured with “reasonable” security features. This means IoT device makers may need to start providing unique preprogrammed device passwords (instead of default passwords) or embedding functions that force users to authenticate before access is granted to the device for the first time.
Existing California law already compels businesses to implement and maintain reasonable cybersecurity procedures appropriate to the nature of the collected data, but the new legislation applies specifically to “things.” I’ve seen critics of the new law point out that the requirements are vague, neglect encryption and don’t address underlying bad practices that are fueling the problem.
But pretty much everyone agrees there is a problem.
Poorly secured IoT devices fueled the Mirai botnet used in the destructive Dyn cyberattack of 2016 and countless other cybersecurity nightmares. In just the past few weeks, it’s been reported that a new Hakai IoT botnet “is now growing into a looming and impending threat” that has even spawned “two different Hakai-based variants” of malware that are spreading online. And these bots are largely being powered by hijacked IoT devices.
Whether or not the California law, which goes into effect in 2020, will have any impact whatsoever in curbing the problem remains to be seen, but it signals that people outside the information-security sector are now also concerned about the security of “things” and the implications of living in our “smart” and connected world.
While botnets like Mirai are largely powered by expropriated consumer IoT devices and used for things like denial-of-service (DoS) cyberattacks, attacks on the industrial internet of things (IIoT) may be driven by motives far more damaging to a business’s bottom line. I see particular weaknesses in the IIoT-enabled manufacturing industry, for example, where Industry 4.0 has encouraged a massive integration of information technology systems, devices and cloud resources into the supply chain, and now both operational ability and intellectual property are at stake.
The recent 2018 Spotlight Report on Manufacturing from Vectra suggested that the manufacturing industry suffers an inordinate volume of malicious internal network activity, lateral movement and reconnaissance activity (although they are a cybersecurity firm); Deloitte also touched on these vulnerabilities in a recent article. This would indicate that attackers have already infiltrated these networks and are snooping for critical assets or attempting to destroy infrastructure. Attackers could easily gain entry to these networks through imprudent deployment of unsecured IIoT devices and weak (or nonexistent) internal network controls.
Laws that widely enforce better device security best practices may present one solution to this problem, but assistance might also come from more innovative quarters.
Blockchain technology, which works as a distributed database that cryptographically and immutably records every “block” of data moving through a system, may point to a more secure future for our connected devices. Blockchain is difficult to spoof. Its peer-to-peer, decentralized structure and reliance on consensus theoretically make it harder to hack. There is, by my observation, essentially no central control to break into or authenticator to fool.
For example, an attacker might digitally force entry into one poorly secured IIoT router at a company. But attempts to use that entry point to manipulate or interact with other nodes in the network could be thwarted in a blockchain model. In that case, the attacked router’s hashed record of activity would no longer match the others in the network and could not achieve consensus verification.
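As an added illustration of the consensus check described above (example code written for this page, not from the original article), here is a minimal hash-chained activity ledger replicated across three constructed router nodes. A node whose copy of the ledger has been altered, even if it re-hashes its own chain so it looks internally consistent, ends up with a different tip hash and is outvoted by the majority.

```python
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64

def block_hash(index, prev_hash, record):
    # Canonical JSON so every node hashes identical bytes for the same record.
    payload = json.dumps({"i": index, "prev": prev_hash, "rec": record}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def build_chain(records):
    chain, prev = [], GENESIS
    for i, rec in enumerate(records):
        h = block_hash(i, prev, rec)
        chain.append({"i": i, "prev": prev, "rec": rec, "hash": h})
        prev = h
    return chain

def chain_valid(chain):
    # Each block must link to the previous hash and re-hash to its stored hash.
    prev = GENESIS
    for b in chain:
        if b["prev"] != prev or block_hash(b["i"], prev, b["rec"]) != b["hash"]:
            return False
        prev = b["hash"]
    return True

def consensus(replicas):
    """Majority vote on the tip hash: (agreed tip or None, nodes that are outvoted)."""
    tips = {n: (c[-1]["hash"] if chain_valid(c) else None) for n, c in replicas.items()}
    counted = Counter(h for h in tips.values() if h is not None)
    if not counted:
        return None, sorted(tips)
    agreed, votes = counted.most_common(1)[0]
    if votes * 2 <= len(replicas):  # no strict majority, so nothing is verified
        return None, sorted(tips)
    return agreed, sorted(n for n, h in tips.items() if h != agreed)

# Constructed sample: an activity ledger replicated on three IIoT routers.
RECORDS = [
    {"dev": "plc-07", "event": "config_read", "by": "svc-maint"},
    {"dev": "plc-07", "event": "config_write", "by": "unknown"},
    {"dev": "hmi-02", "event": "login", "by": "operator1"},
]

def demo():
    replicas = {n: build_chain(RECORDS) for n in ("router-A", "router-B", "router-C")}
    # router-A is compromised: its block 1 is altered and re-hashed, so its tip differs.
    tampered = list(RECORDS)
    tampered[1] = {"dev": "plc-07", "event": "config_read", "by": "svc-maint"}
    replicas["router-A"] = build_chain(tampered)
    agreed, outvoted = consensus(replicas)
    return agreed == replicas["router-B"][-1]["hash"], outvoted
```

The same vote also flags a replica that was altered without re-hashing, because `chain_valid` rejects it before it can cast a vote.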
A lot of smaller-scale preliminary research is underway, including one 2018 review (registration required) on IoT security issues and a 2017 case study (registration required) on blockchain security for smart homes, and consortia have already been formed to apply blockchain security to IoT and IIoT networks. But no viable implementation has yet emerged. Tech leaders and innovators who want to dig deeper would do well to follow the Hyperledger or Ethereum communities to stay abreast of emerging capabilities and proofs of concept.
Blockchain is still a relatively young technology, and it currently faces limitations on the scale and speed that modern IIoT deployments require, but its model shows promise. I believe that whoever discovers the workarounds to those limitations stands to earn a fortune and the grateful thanks of a million IT managers.
And solutions that follow similar logic deserve our consideration. The idea of shifting away from traditional client-server paradigms to foil those who have become experts at subverting them may be the only choice for the future. In the meantime, I believe the best way to mitigate security issues is to actually practice network security (like the practices outlined by the U.S. Computer Emergency Readiness Program) — conduct regular audits, manage and monitor access, utilize layered defenses, and so on. Far too few of us actually do this, and attackers know it.
One thing is certain: The way we are doing “things” now is too risky. Regardless of what lawmakers do or do not do in regard to device security, the industrial internet of things has to step up to the threat.