
ADDING SECURITY BY DESIGN TO YOUR IOT DEVICE

IoT Device Manufacturers Need to Heed California’s new Internet of Things Security Law

December 13, 2019

In the absence of a federal law that mandates security for connected devices in general (the federal proposals to date cover only devices sold to government agencies), the state of California has enacted its own law, one that will ultimately have nationwide ramifications. California’s Internet of Things (IoT) Security Law (SB-327) was signed in September 2018 and goes into effect on January 1, 2020.

This legislation recognizes that many types of connected devices used in business and industry are inherently insecure because they lack built-in security measures, and often there is no way to enhance the security of a device once it is deployed and a vulnerability is found.

The law is aimed at manufacturers of connected devices that sell their products in California. Of course, manufacturers aren’t going to make the distinction of a “California-bound” product versus one that is intended to be sold elsewhere – a distinction that could create tiers of how products are secured – so in effect, this state law will have practical application for the entire nation, and beyond.

What is a “connected device”?

The law stipulates that “connected device” means any device or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address. That is a broad definition, but necessarily so, since new types of “things” connect to the Internet every day. The law does not list device types, but the following (and much more) certainly fall within it:

·       Office equipment such as copy machines, printers, fax machines and VoIP-enabled phones

·       Retail and commercial devices such as point-of-sale terminals, handheld barcode scanners and warehouse inventory scanners

·       Environmental devices such as smart thermometers, light bulbs, keycard readers for doors, surveillance cameras, and environmental control panels

·       Household appliances such as refrigerators, home thermostats, security cameras, door locks and smart speakers

·       Medical equipment such as MRI/CT/ultrasound scanners, implantable devices such as pacemakers and defibrillators, insulin pumps, physiological monitors, dosage calculation systems, and much more

·       Personal devices such as fitness monitors, digital watches and headphones

·       Connected vehicles

·       A wide range of industrial sensors and equipment

Of all these device types, those used in the medical field probably have the most pressing need for tight security, because a compromise can literally be the difference between life and death. If a security camera or point-of-sale device is compromised, the result can be a serious data breach; if an insulin pump is breached and its dosing settings are changed, the result can be the patient’s death.

What the law requires

The focus of this legislation is the security of connected devices—whatever they may be. The regulation states:

A manufacturer of a connected device shall equip the device with a reasonable security feature or features that are all of the following:

(1) Appropriate to the nature and function of the device.

(2) Appropriate to the information it may collect, contain, or transmit.

(3) Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.

The law also addresses default passwords directly. If a device can be authenticated to from outside a local area network, it is deemed to have a reasonable security feature if either the preprogrammed password is unique to each device manufactured, or the device requires the user to generate a new means of authentication before access is granted for the first time. Too many devices today ship with a shared default password that is never changed, and in some cases cannot be changed.
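The two options above, as an added example in code (not code from this page or from Cybeats): a per-unit preprogrammed password derived from a factory secret, and a login gate that grants nothing but a password change until the preprogrammed credential has been replaced. The factory secret, the serial-number format and the in-memory credential store are assumptions for illustration.

```python
"""First-access credential gate for a connected device.

Added example, not code from the page or from Cybeats. It models the two
ways the statute lets a device satisfy the password clause: a preprogrammed
password unique to each unit (derive_unique_default) and a forced change of
credential before any access is granted (DeviceAuth.login). The factory
secret, serial format and storage layout are hypothetical.
"""
import hashlib
import hmac
import os


def derive_unique_default(factory_secret: bytes, serial: str) -> str:
    """Per-unit preprogrammed password, printed on the unit's label.

    HMAC over the serial under a factory secret that stays on the
    provisioning station (assumed scheme): no two units share a default,
    and the default cannot be computed from the serial alone.
    """
    tag = hmac.new(factory_secret, serial.encode(), hashlib.sha256).digest()
    return tag[:10].hex()   # 20 hex characters, fits on a label


class DeviceAuth:
    """Salted scrypt verifier plus the first-access gate."""

    MIN_LEN = 12

    def __init__(self, preprogrammed_password: str) -> None:
        self._salt = os.urandom(16)
        self._verifier = self._hash(preprogrammed_password, self._salt)
        self.credential_changed = False   # set once the owner replaces the default

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # scrypt from the standard library; memory-hard, so a dumped
        # verifier is expensive to brute-force offline.
        return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

    def _verify(self, password: str) -> bool:
        return hmac.compare_digest(self._verifier, self._hash(password, self._salt))

    def set_password(self, current: str, new: str) -> bool:
        """Owner or administrator rotates the credential.

        Requires the current credential, a minimum length, and a value
        different from the one being replaced, so the default cannot be
        re-entered to satisfy the gate.
        """
        if not self._verify(current) or len(new) < self.MIN_LEN or new == current:
            return False
        self._salt = os.urandom(16)
        self._verifier = self._hash(new, self._salt)
        self.credential_changed = True
        return True

    def login(self, password: str) -> str:
        """Returns "denied", "must-change-password" or "full".

        Until the preprogrammed credential has been replaced, the only
        operation the device permits is the change itself.
        """
        if not self._verify(password):
            return "denied"
        if not self.credential_changed:
            return "must-change-password"
        return "full"


if __name__ == "__main__":
    FACTORY_SECRET = os.urandom(32)          # constructed for the demo
    default_pw = derive_unique_default(FACTORY_SECRET, "SN-000123")
    dev = DeviceAuth(default_pw)
    print(dev.login(default_pw))             # must-change-password
    print(dev.set_password(default_pw, "owner-chosen-passphrase"))   # True
    print(dev.login("owner-chosen-passphrase"))                      # full
```

The gate belongs in the device's authentication path for every interface (web UI, SSH, mobile API), not only the one the vendor expects customers to use; a telnet or debug port that skips it leaves the shared-default problem in place.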

Who must comply?

This law affects device manufacturers, including those that contract out the task of making a device. The statute says: “‘Manufacturer’ means the person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California. For the purposes of this subdivision, a contract with another person to manufacture on the person’s behalf does not include a contract only to purchase a connected device, or only to purchase and brand a connected device.” Just think of all the companies that design their products in one country, have them built in places like China, Taiwan or Vietnam, and then import them into the U.S. Even though the first company is not the physical assembler, it is still the manufacturer for the purposes of this law. And if the product is intended for sale in California, the requirements of the law apply.

The concept of Zero Trust

Although the California law does not explicitly require devices to follow the Zero Trust model, all types of IoT devices can benefit from it. In networking, Zero Trust means that nothing is trusted by default, whether it sits inside or outside the network perimeter, and every request for a resource must be verified. Applied consistently, it limits how far a single compromised host or credential can reach.

IoT devices need to adopt Runtime Zero Trust, which means that only trusted software behavior is allowed to occur on the device to ensure its security.

Where to start for compliance?

Manufacturers that have not built security measures into their products before may need guidance on where to start. This is where the CIS Critical Security Controls for Effective Cyber Defense are useful. The California Attorney General’s 2016 Data Breach Report described these controls as a minimum level of information security, so they are a sensible floor for what “reasonable” means under this law as well. Not all of them apply to device security, of course, but many do. In particular, the following controls would apply to most types of connected devices:

·       Conduct an inventory of authorized and unauthorized software running on the device

·       Create and maintain a secure configuration for device hardware and software

·       Conduct continuous vulnerability assessment of the device and provide for remediation if needed

·       Provide the means for the user organization to update the device’s password

·       Provide for controlled use of administrative privileges

·       Provide defense against malware

·       Protect data on the device

Given that the law goes into effect quite soon, manufacturers need a trusted partner to help them meet the new security requirements.

How Cybeats natively protects connected devices

Cybeats works with a variety of manufacturers to embed security controls into their devices long before they are deployed in the field.

Cybeats protects network-enabled devices – especially those for the highly critical medical industry – throughout all phases of their lifecycle. Using secure micro-agent technology embedded in each device, Cybeats is able to:

·       Secure new devices to ensure they are without vulnerabilities before being deployed

·       Protect those devices from known and unknown threats using an advanced detection and response solution once they are deployed

·       Improve the devices by orchestrating the distribution of updated firmware when needed

·       Monitor the health of devices in the field, proactively alerting on software failures such as memory leaks

·       Analyze the cyber-kinetic metrics of the devices and respond to the physical world behavioral anomalies

Cybeats software is embedded into devices to provide continuous protection, allowing devices to instantly detect usage abnormalities as well as the most sophisticated threats; block them to prevent harm; and gather intelligence to help neutralize the threats and provide device health telemetry to the manufacturer. Once a manufacturer updates the firmware to eliminate vulnerabilities, Cybeats automatically distributes it to all devices in the field to make them “healthy” again while minimizing downtime.

This lifecycle protection allows device users to benefit from the value of connected devices and equipment without increasing their risk profile. Here’s how.

Cybeats uses a small footprint, low CPU-consumption μ-Agent inside an IoT device as a sentinel. The micro-agent is a self-contained, independent process and the manufacturer need not make any changes to incorporate it into the product. The μ-Agent can detect threats that are invisible to network-based protection – even the most advanced unknown threats – and remove them with surgical precision. Because the μ-Agent maintains a continuous presence on the device throughout its lifecycle, it enables a variety of capabilities that are critical for device security, including the following:

The list below pairs each directive with the Cybeats capability that addresses it.

Conduct an inventory of authorized and unauthorized software running on the device, i.e. maintain a Software Bill of Materials (SBOM)

Cybeats works with device manufacturers to create a clean profile of the software authorized to run on the device. From that point on, Cybeats checks for possible software supply chain attack vectors and reports to the device maker if any are found. Because the analysis is done at runtime, it produces fewer false positives than passive scanning of images or source code.
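One concrete form of the inventory check described above, added here as an example (not Cybeats’ code): a manifest of SHA-256 hashes is taken from a known-good build, and the device’s filesystem is later compared with it to find modified, missing and unauthorized files. The directory layout, file contents and manifest format are constructed for the demo.

```python
"""Software inventory check against an authorized-software manifest.

Added example, not code from the page or from Cybeats. The manifest is a
plain path->sha256 mapping taken from a clean build; the demo creates a
temporary tree with constructed files and then simulates drift in the field.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Streams the file so large firmware components are hashed in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _snapshot(root: Path) -> dict:
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def build_manifest(root: Path) -> dict:
    """Taken once from a known-good build. In practice this would be signed
    and stored with the firmware release, not only on the device itself."""
    return _snapshot(root)


def check_inventory(root: Path, manifest: dict) -> dict:
    """Compares the current filesystem with the manifest.

    modified:     authorized path whose content no longer matches
    missing:      authorized path that is gone
    unauthorized: path present on the device but absent from the manifest
    """
    present = _snapshot(root)
    return {
        "modified": sorted(k for k in manifest if k in present and present[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in present),
        "unauthorized": sorted(k for k in present if k not in manifest),
    }


def demo() -> dict:
    """Builds a constructed device tree, records the manifest, then tampers."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "httpd").write_bytes(b"\x7fELF clean httpd build")
        (root / "bin" / "agent").write_bytes(b"\x7fELF clean agent build")
        (root / "etc" / "config.json").write_text('{"telnet": false}')
        manifest = build_manifest(root)

        # Simulated drift in the field: trojaned binary, dropped tool,
        # deleted configuration.
        (root / "bin" / "httpd").write_bytes(b"\x7fELF httpd with backdoor")
        (root / "bin" / "busybox_dropper").write_bytes(b"\x7fELF not in manifest")
        (root / "etc" / "config.json").unlink()
        return check_inventory(root, manifest)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

The check is only as trustworthy as the manifest: if the hash list lives on the same writable partition as the binaries, an attacker who replaces a binary can rewrite the list too. Keep the manifest signed by the manufacturer, or anchored in storage the runtime cannot modify, and verify the signature before comparing.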

Create and maintain a secure configuration for device hardware and software

Before a device is shipped to customers, Cybeats scans the device for vulnerabilities. Once the configuration of a device is "locked down," Cybeats doesn't permit any configuration changes that don't come directly from the manufacturer, such as in the case of a firmware update.

Conduct continuous vulnerability assessment of the device and provide for remediation if needed

Because many vulnerabilities in IoT devices originate in third-party software dependencies, Cybeats continuously monitors for newly disclosed vulnerabilities and can alert both the device manufacturer and users who have already deployed the device. Cybeats can also detect and block unauthorized activity on a device based on a profile of what a healthy device is allowed to do, which is what it calls Runtime Zero Trust.

Provide for controlled use of administrative privileges

Cybeats audits the users, groups, their permissions and configurations and alerts about weak passwords, backdoor users or misconfigurations.

Provide defense against malware

Rather than depending on databases of known threats and vulnerabilities to protect IoT devices, Cybeats automatically builds and maintains dynamic models of healthy device behaviors. This allows for any unusual behavior to be detected, making it ideal for identifying new and unknown threats. In addition, Cybeats automatically learns which IPs and ports an IoT device normally communicates with. Any exceptions to normal device behavior or traffic are flagged, alerts are generated, and all pertinent details are recorded.
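The IP-and-port baselining described above, as an added example (not Cybeats’ code): a profile of normal peers is learned from a clean observation window, and later flows are scored against it. The flow records use documentation address ranges and are constructed for the demo; the severity rules are one reasonable choice, not the vendor’s.

```python
"""Learning a device's normal network peers and flagging deviations.

Added example, not code from the page or from Cybeats. Flows are
(direction, protocol, remote IP, remote port) tuples; in a real deployment
they would come from a connection tracker or the device's own socket layer.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    direction: str    # "out": device initiated; "in": remote initiated
    proto: str        # "tcp" or "udp"
    remote_ip: str
    remote_port: int


# Constructed: a clean week of traffic from a hypothetical gateway.
BASELINE = [
    Flow("out", "tcp", "192.0.2.10", 443),    # telemetry to vendor cloud
    Flow("out", "tcp", "192.0.2.10", 443),
    Flow("out", "udp", "192.0.2.53", 53),     # DNS resolver
    Flow("out", "udp", "192.0.2.54", 123),    # NTP
    Flow("in", "tcp", "10.0.0.5", 22),        # admin SSH from management host
]

# Constructed: traffic seen after deployment.
FIELD = [
    Flow("out", "tcp", "192.0.2.10", 443),    # normal
    Flow("in", "tcp", "10.0.0.9", 22),        # new admin host, same LAN
    Flow("out", "tcp", "198.51.100.7", 4444), # device reaching out on an unseen port
    Flow("in", "tcp", "203.0.113.4", 22),     # SSH from the Internet
    Flow("out", "tcp", "203.0.113.4", 443),   # HTTPS to a peer that is not the vendor
]

TRUSTED_NETS = (ip_network("10.0.0.0/24"),)   # assumed management LAN


def learn_profile(flows):
    """Two allowlists from the clean window: exact peers, and services
    (direction, proto, port) regardless of peer."""
    peers = {(f.direction, f.proto, f.remote_port, f.remote_ip) for f in flows}
    services = {(f.direction, f.proto, f.remote_port) for f in flows}
    return {"peers": peers, "services": services}


def evaluate(flows, profile, trusted_nets=TRUSTED_NETS):
    """Returns (severity, flow, reason) for every flow outside the profile."""
    alerts = []
    for f in flows:
        key = (f.direction, f.proto, f.remote_port, f.remote_ip)
        if key in profile["peers"]:
            continue
        service_known = key[:3] in profile["services"]
        in_trusted = any(ip_address(f.remote_ip) in n for n in trusted_nets)
        if service_known and in_trusted:
            alerts.append(("medium", f, "known service, new peer inside trusted range"))
        elif service_known:
            alerts.append(("high", f, "known service, unexpected external peer"))
        else:
            alerts.append(("high", f, "never-seen service"))
    return alerts


if __name__ == "__main__":
    for severity, flow, reason in evaluate(FIELD, learn_profile(BASELINE)):
        print(f"[{severity}] {flow.direction} {flow.proto} "
              f"{flow.remote_ip}:{flow.remote_port}  {reason}")
```

Two caveats a practitioner should keep in mind. The learning window must be known clean: anything an attacker did while the profile was being built becomes "normal". And cloud endpoints behind CDNs change IP addresses regularly, so a peer list keyed on exact IPs will generate noise for those services; keying on the resolved hostname or on the provider's published address ranges is usually the better choice for them.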

Protect data on the device

Cybeats continuously monitors the device’s encrypted data connections and protects in real time against man-in-the-middle attacks.

Cybeats is prepared to help device manufacturers painlessly meet security requirements mandated by the new California Internet of Things Security Law. Call us to learn more.