In the absence of a federal law that mandates the security of any and all types of connected devices (other than those sold to government agencies), the state of California has enacted its own law that will ultimately have nationwide ramifications. California’s new Internet of Things (IoT) Security Law goes into effect on January 1, 2020. The legislation was signed into law in September of 2018.
This legislation recognizes that many types of connected devices used in business and industry are inherently insecure because they lack built-in security measures, and often there is no way to enhance the security of a device once it is deployed and a vulnerability is found.
The law is aimed at manufacturers of connected devices that sell their products in California. Of course, manufacturers aren’t going to make the distinction of a “California-bound” product versus one that is intended to be sold elsewhere – a distinction that could create tiers of how products are secured – so in effect, this state law will have practical application for the entire nation, and beyond.
The regulation stipulates that “connected device” means any device or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address. That’s a pretty broad definition, but necessarily so, since new types of “things” connect to the Internet every day. The law doesn’t explicitly list types of devices, but certainly the following items (and many more) qualify for inclusion in the security requirements:
· Office equipment such as copy machines, printers, fax machines and VoIP-enabled phones
· Retail and commercial devices such as point-of-sale terminals, handheld barcode scanners and warehouse inventory scanners
· Environmental devices such as smart thermometers, light bulbs, keycard readers for doors, surveillance cameras, and environmental control panels
· Household appliances such as refrigerators, home thermostats, security cameras, door locks and smart speakers
· Medical equipment such as MRI/CT/ultrasound scanners, implantable devices such as pacemakers and defibrillators, insulin pumps, physiological monitors, dosage calculation systems, and much more
· Personal devices such as fitness monitors, digital watches and headphones
· Connected vehicles
· A wide range of industrial sensors and equipment
Of all these types of devices, those used in the medical field arguably have the most serious need for tight security, as they can literally be the difference between life and death. If a security camera or a point-of-sale device is compromised, it can result in a serious data breach. However, if an insulin pump is breached and the settings are changed, it can result in death for the patient.
What the law requires
The focus of this legislation is the security of connected devices—whatever they may be. The regulation states:
A manufacturer of a connected device shall equip the device with a reasonable security feature or features that are all of the following:
(1) Appropriate to the nature and function of the device.
(2) Appropriate to the information it may collect, contain, or transmit.
(3) Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.
The regulation also requires that, if a device has a password, the password must be unique and be able to be changed by the end user or administrator. Too many devices today come with a default password that cannot be changed or is never changed.
This law affects device manufacturers, including those that contract out the task of making a device. “Manufacturer” means the person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California. For the purposes of this subdivision, a contract with another person to manufacture on the person’s behalf does not include a contract only to purchase a connected device, or only to purchase and brand a connected device. Just think of all the companies that design their products in one country, have them built in places like China, Taiwan or Vietnam, and then import them into the U.S. Even though the first company is not the physical assembler, it is still defined as the manufacturer for the purpose of this bill. And if the product is intended for sale in California, the requirements of the law apply.
Though the California law doesn’t explicitly state that devices should adhere to the concept of Zero Trust, all types of IoT devices can benefit from incorporating it. In networking, Zero Trust security means that no one is trusted by default from inside or outside the network, and verification is required from everyone trying to gain access to resources on the network. This added layer of security has been shown to prevent data breaches.
IoT devices need to adopt Runtime Zero Trust, which means that only trusted software behavior is allowed to occur on the device to ensure its security.
Manufacturers that haven’t been concerned with installing security measures in their products before might need guidance on where to start. This is where the CIS Critical Security Controls for Effective Cyber Defense will be useful. Based on the interpretation of this law, it seems that these controls would be the floor for reasonable cybersecurity protection. Not all of them are applicable to device security, of course, but many are. In particular, the following controls would apply to most types of connected devices:
· Conduct an inventory of authorized and unauthorized software running on the device
· Create and maintain a secure configuration for device hardware and software
· Conduct continuous vulnerability assessment of the device and provide for remediation if needed
· Provide the means for the user organization to update the device’s password
· Provide for controlled use of administrative privileges
· Provide defense against malware
· Protect data on the device
Given that the law goes into effect quite soon, manufacturers need a trusted partner to help them meet the new security requirements.
Cybeats works with a variety of manufacturers to embed security controls into their devices long before they are deployed in the field.
Cybeats protects network-enabled devices – especially those for the highly critical medical industry – throughout all phases of their lifecycle. Using secure micro-agent technology embedded in each device, Cybeats is able to:
· Secure new devices to ensure they are without vulnerabilities before being deployed
· Protect those devices from known and unknown threats using an advanced detection and response solution once they are deployed
· Improve the devices by orchestrating the distribution of updated firmware when needed
· Monitor the health of the devices in the field, proactively providing alerts about software failures such as memory leaks
· Analyze the cyber-kinetic metrics of the devices and respond to behavioral anomalies in the physical world
Cybeats software is embedded into devices to provide continuous protection, allowing devices to instantly detect usage abnormalities as well as the most sophisticated threats; block them to prevent harm; and gather intelligence to help neutralize the threats and provide device health telemetry to the manufacturer. Once a manufacturer updates the firmware to eliminate vulnerabilities, Cybeats automatically distributes it to all devices in the field to make them “healthy” again while minimizing downtime.
This lifecycle protection allows device users to benefit from the value of connected devices and equipment without increasing their risk profile. Here’s how.
Cybeats uses a small footprint, low CPU-consumption μ-Agent inside an IoT device as a sentinel. The micro-agent is a self-contained, independent process and the manufacturer need not make any changes to incorporate it into the product. The μ-Agent can detect threats that are invisible to network-based protection – even the most advanced unknown threats – and remove them with surgical precision. Because the μ-Agent maintains a continuous presence on the device throughout its lifecycle, it enables a variety of capabilities that are critical for device security, including the following:
Cybeats is prepared to help device manufacturers painlessly meet security requirements mandated by the new California Internet of Things Security Law. Call us to learn more.