Current and Upcoming Industry and Government Regulations that Apply to Critical Infrastructure and the Internet of Things
The global community of IoT manufacturers and commercial customers has had several serious wake-up calls pertaining to system security and cyberattacks. The first significant IoT cyberattack was against an Iranian nuclear facility in which malware was used to disrupt and impair the centrifuges in the plant, causing physical damage that shut the plant down.
Another big wakeup call was the cyberattack on Dyn’s managed DNS service. Hundreds of thousands of IoT devices were overtaken and forced to send overwhelming amounts of traffic to Dyn’s servers, causing them to overload and crash. Subsequently, dozens of major Internet platforms and services became unavailable to large swathes of users in Europe and North America.
Then in August 2017, a petrochemical company with a plant in Saudi Arabia was hit by a cyberattack that was meant to sabotage the firm’s operations and trigger an explosion. Malware had targeted the industrial systems’ safety controllers. It was only a bug in the malware code that prevented the actual explosion, but experts believe the people or nation-state behind this attack have corrected their error and will soon try again.
The commonality among these cyberattacks is the compromise of industrial or non-business systems that control devices such as the centrifuges, safety controllers, residential routers, surveillance systems and the like that are collectively known as the Internet of Things.
These and other nefarious IoT attacks have caught the attention of government legislators and regulatory bodies around the world. They have concluded that something needs to be done – soon – to force (or at least encourage) product developers and manufacturers to include full lifecycle security mechanisms in their products that are intended for critical infrastructure, industrial systems, medical systems, and the like. Thus, there are several regulatory initiatives underway that will impact IoT security, including the following:
In May 2017, President Trump signed Executive Order 13800 which tasked the Secretary of Commerce and the Secretary of Homeland Security to identify and promote action by stakeholders to improve the resilience of the internet and communications ecosystem and to encourage collaboration with the goal of dramatically reducing threats perpetrated by automated and distributed attacks, such as through botnets.
The result is a report due to be delivered to the president in May 2018 on how the federal government can mitigate vulnerabilities and minimize risk. This report will have a bearing on security requirements for the products and services the U.S. government buys for its agencies. Such requirements are often adopted by non-governmental public and private organizations as well.
The current draft report stresses the importance of reducing vulnerabilities in software and IoT devices, and recommends implementation of three basic strategies:
- Stopping vulnerabilities before they occur, including improved methods for specifying and building software;
- Finding and mitigating vulnerabilities, including through better testing techniques and more efficient use of multiple testing methods; and
- Reducing the impact of vulnerabilities by building architectures that are more resilient, so that vulnerabilities cannot be meaningfully exploited.
It’s gratifying to note that the recommended strategies align with the SECURE->PROTECT->FIX framework advocated by Cybeats. This lets us know we are on the right course to help our partners and customers comply with the eventual regulatory requirements, and to mitigate the risks of APT (advanced persistent attacks) and ADA (automated distributed attacks) that leverage IoT devices.
In addition, the National Institute of Standards and Technology (NIST), which is part of the U.S. Department of Commerce, has been working with the Interagency International Cybersecurity Standardization Working Group (IICS WG). They jointly developed the Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT). The purpose of the report is to inform and enable policymakers, managers and standards participants as they seek timely development of and use of such standards in IoT components, systems and services.
Further, regulations like the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) standards ensure businesses operating in the power industry follow certain guidelines with regard to cybersecurity in order to keep the service they provide reliable. This includes guidelines pertaining to IoT devices in critical infrastructure facilities.
Regulations like the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI-DSS) are designed to secure data in the healthcare and payments arenas, respectively. While these regulations don’t specifically address security for IoT devices, such devices would certainly need to be secured to prevent the theft, loss or corruption of sensitive data that they collect or process. For example, certain medical devices capture patient-specific information such as blood pressure, heart rate, oxygen intake, and so on. Because this data is associated with a particular person who can be identified, it is regulated under the HIPAA guidelines.
Amid rising concerns about the security of IoT devices, in March of 2018 the British government announced its intent to make manufacturers of IoT devices responsible for the security of their products, while also proposing new rules to ensure that buyers are aware of security features in such devices at the time of purchase. The initiative is called Secure by Design and is documented in the Secure by Design: Improving the cyber security of consumer Internet of Things Report.
The initiative primarily focuses on consumer-oriented IoT products, and not those used in industrial, critical infrastructure and commercial situations. What’s more, the Secure by Design program provides guidelines rather than mandated requirements, leading some critics to complain that some manufacturers will simply ignore the guidelines.
The EU General Data Protection Regulation (GDPR) has some impact on IoT security, although the regulation is, ostensibly, about data privacy. The fact is, personal data must be secured in order to keep it private, and quite often data flows through IoT devices that collect and process personal data and transfer it to backend systems.
For example, retail stores may use sensors that interact with a customer’s Bluetooth-enabled cell phone to know when that customer has entered the store and to deliver customized offers or coupons. In this case, the customer has been uniquely identified, which places his data under the purview of GDPR. If the store sensors are not secure, a hacker could use them as an entry point to the backend where the data is stored.
When companies must be GDPR-compliant – and the penalties for non-compliance can be very stiff – they will put their systems under intense scrutiny from a cybersecurity perspective. No CISO would knowingly bring unsecure devices or systems into their environment. Therefore, vendors and integrators will be under a greater burden of proof for security assurance throughout the lifecycle of the devices and systems.
Asia Pacific (APAC)
Regulation is developing across the region, although it is not uniform. Regulatory approaches to cyber risk in APAC are varied and localized, with no significant steps taken yet toward harmonized standards across the region. The economies with higher levels of cyber exposure and capacity address the issue more seriously.
There is certainly a need for strong IoT security in this region. IDC projects that there will be 8.6 billion connected devices throughout Asia Pacific (excluding Japan) by 2020. One out of every five connected devices will be in China. However, South Korea, Australia, New Zealand, Singapore and Taiwan are the leading countries for IoT penetration per capita.
The Korea Internet & Security Agency (KISA) operates an Information Security Management System Certification Program (K-ISMS) to increase the level of information security of organizations in the country and decrease the possibility of threats and damage in the Internet system. K-ISMS was introduced in 2002 to meet local legal requirements for the information and communications technology (ICT) environment in Korea, based on Article 47 (ISMS certification) of the Act on Promotion of Information Communications Network Utilization and Information Protection. K-ISMS serves as a standard for evaluating whether enterprises and organizations operate and manage their information security management systems consistently and securely, such that they thoroughly protect their information assets.
IoT vendors will want to attain certification under this program to ensure the up-take of their products into industrial, critical infrastructure, healthcare and commercial environments.
In Australia, the federal government has asked industry leaders to develop a mandatory cyber security rating system for consumer-oriented IoT products. The ratings system is expected to be similar to the Energy Star ratings on electrical appliances. Experts doubt that such a system would be beneficial without independent certification and testing, as well as continuous updates to products. This ratings system is still in discussion and no legislation is actually underway.
In a separate effort, the IoT Alliance Australia (IoTAA) has developed a strategic plan to strengthen IoT security in Australia. Among the priorities of the plan: “Develop and promote IoT supply-side security awareness and education programs. Many IoT developers/manufacturers/suppliers are not aware of basic IoT/network security risks and requirements to integrate security in their design, development, manufacturing and supply chain processes. IoTAA will take the lead in Australia setting a global good practice program in this area.”
UL 2900 Series of Cybersecurity Standards
UL is a global company that helps other organizations demonstrate safety, confirm compliance, enhance sustainability, manage transparency, deliver quality and performance, strengthen security, protect brand reputation, build workplace excellence, and advance societal wellbeing.
UL recently issued a voluntary set of standards pertaining to cybersecurity in products connecting to networks. The outlines of the UL 2900 series form a baseline set of technical requirements to measure, and then elevate, the security posture of products and systems, and by design the requirements will evolve to incorporate additional technical criteria as the security needs in the marketplace mature. The requirements are available to UL’s certification customers via the Standards Certification Customer Library (SCCL) and can be purchased by visiting UL’s Standards Catalog or the UL Standards Sales Site.
Furthermore, the UL Cybersecurity Assurance Program helps companies meet regulations and mitigate safety and performance risks inherent in technologies comprising the Internet of Things. Using the UL 2900 series of cybersecurity standards, the company offers testable cybersecurity criteria for network-connected products and systems to assess software vulnerabilities and weaknesses, minimize exploitation, address unknown malware, review security controls and increase security awareness.
Whether it is through government guidelines and regulations; via global standards bodies such as ODVA, OPC and ISA; or through industry groups such as the Internet Engineering Task Force (IETF), the Industrial Internet Consortium (IIC) security working group, or IEEE, the world does need security standards and best practices pertaining to devices and systems on the Internet of Things. This will help companies mitigate risks when developing and deploying their IoT solutions.