The IoT Cybersecurity Improvement Act of 2020, Digital Certificates, and PKI

The landmark IoT Cybersecurity Improvement Act of 2020 heralds a new era of Internet of Things (IoT) security standards for government and industry. Find out about this new law, and how SSL.com can help IoT manufacturers stay in compliance with new standards and best practices as they appear.

Introduction

It’s tough to find universal agreement on any issue these days, but both houses of the United States Congress unanimously approved H.R.1668/S.734, the IoT Cybersecurity Improvement Act of 2020, before it was signed into law on December 4, 2020. The bill’s easy passage shows broad, bipartisan support for the development and implementation of Internet of Things (IoT) security standards for the federal government. From the House bill’s summary:

This bill requires the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) to take specified steps to increase cybersecurity for Internet of Things (IoT) devices. IoT is the extension of internet connectivity into physical devices and everyday objects.

Specifically, the bill requires NIST to develop and publish standards and guidelines for the federal government on the appropriate use and management by agencies of IoT devices owned or controlled by an agency and connected to information systems owned or controlled by an agency, including minimum information security requirements for managing cybersecurity risks associated with such devices.

Under the IoT Cybersecurity Improvement Act, NIST’s standards will be reviewed and revised every five years. The U.S. Office of Management and Budget (OMB) will “develop and oversee the implementation of policies, principles, standards, or guidelines as necessary to address security vulnerabilities of information systems.” Most importantly for IoT manufacturers, agencies are “prohibited from procuring, obtaining, or using an IoT device if the agency determines during a review of a contract that the use of such device prevents compliance with the standards and guidelines,” except “where necessary for national security, for research purposes, or where such device is secured using alternative effective methods.”

The IoT Cybersecurity Improvement Act’s passage follows the lead of states that have recently passed legislation aimed at protecting IoT privacy and security, including California and Oregon.

Although the law is targeted at regulating devices procured by the federal government, security advocates are hopeful that it will also lead to the establishment of IoT security standards and best practices for the private sector. In a blog post from the ioXT Alliance, an industry group promoting IoT security standards, CTO Brad Ree states that “While this is U.S. government specific, we’re confident that it will serve as the catalyst that prompts network operators, consumer ecosystems, and retailers to follow suit in device security certification moving forward.”

IoT (In)security

The new IoT Cybersecurity Improvement Act, along with other state laws and industry initiatives, is a response to the huge attack surface currently offered by literally billions of internet-connected devices ranging from heart monitors to SUVs. When we think about abuse of insecure “smart” devices, high-profile stories about compromised security cameras or smart locks may bring the risks of invasion of privacy and property crime to mind first. However, huge botnets capable of things like massive denial-of-service attacks are also a real and present danger. Security researcher Elie Bursztein describes the 2016 Mirai botnet:

At its peak in September 2016, Mirai temporarily crippled several high-profile services such as OVH, Dyn, and Krebs on Security via massive distributed Denial of service attacks (DDoS). OVH reported that these attacks exceeded 1Tbps—the largest on public record.

What’s remarkable about these record-breaking attacks is they were carried out via small, innocuous Internet-of-Things (IoT) devices like home routers, air-quality monitors, and personal surveillance cameras. At its peak, Mirai enslaved over 600,000 vulnerable IoT devices, according to our measurements.

To compromise devices, the initial version of MIRAI relied exclusively on a fixed set of 64 well-known default login/password combinations commonly used by IoT devices. While this attack was very low tech, it proved extremely effective and led to the compromise of over 600,000 devices.

Imagine millions of such devices shipping with easily-guessed default credentials that are often never changed by users and administrators. You can easily see the potential for success of such a “low-tech” brute force approach, and that’s one reason why the federal government has taken such an interest in lax IoT security. (Interestingly—and presumably to avoid attracting attention—the Mirai bots were coded to avoid US Department of Defense and Postal Service and Internet Assigned Numbers Authority (IANA) IP addresses when scanning.)

Of course, not shipping internet-connected devices with “admin” and “password” as administrative credentials would be a great start. And, as we’ll see below, authentication with client certificates is a secure alternative to passwords. Read on to discover this and other ways that SSL.com can help IoT manufacturers improve device security and stay in compliance with government and industry standards.

How SSL.com Can Help

The unanimous passage of the IoT Cybersecurity Improvement Act of 2020—plus the expectation that industry will follow suit—indicates that the path forward for IoT manufacturers will include compliance with stricter security standards and regulations. Digital certificates and hosted PKI from SSL.com are a great way for manufacturers to secure IoT devices. Digital certificates and public key infrastructure (PKI) are among the cornerstones of modern internet and IoT security, and will only become more essential as new standards are drafted under the law.

Digital Certificates

Digital certificates are special files that bind cryptographic key pairs to entities such as websites, individuals, organizations, and devices. Certificate authorities (CAs) like SSL.com validate these identities before issuing certificates. The most widely known use of digital certificates is in the SSL/TLS and HTTPS protocols that are used to secure websites, but there are many other use cases, including code signing and document signing. Digital certificates provide:

  • Authentication, by serving as a cryptographically verifiable credential to validate the identity of the entity that it is issued to.
  • Encryption, for secure communication over insecure networks such as the Internet.
  • Integrity of documents signed with the certificate so that they cannot be altered by a third party in transit.

In terms of IoT security, this means that:

  • Each device can be provided a unique identity and client certificate during manufacture, allowing it to use mutual TLS to securely authenticate with company servers.
  • Communication between a user’s computer and a device, or between a device and a company’s servers, is encrypted, and the integrity of these communications is ensured.
  • Client certificates installed on personal computers or mobile devices can also be used as an authentication factor when logging into a device in addition to (or instead of) usernames and passwords.
  • Devices can be configured to trust only software updates signed with code signing certificates identifying the publisher.

And, because digital certificates and PKI are established security standards, standard industry protocols like ACME, SCEP, and EST can be used for device certificate enrollment and management.
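The first three points above (a unique per-device client certificate, mutual TLS to the manufacturer’s servers, and certificates replacing passwords) are easiest to see in working code. The following Go program is an added example, not SSL.com’s code: it stands up a private device CA in memory (in production the CA would be a hosted or publicly trusted one), issues a server certificate and a client certificate whose Common Name is the device identity, and runs an HTTPS server that only completes the TLS handshake when a certificate chained to that CA is presented. The organization name “Example IoT Corp”, the host name “api.example-iot.invalid” and the device ID “device-0001” are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

type Credentials struct {
	Pool   *x509.CertPool  // trust anchor: the manufacturer's private device CA (constructed for this example)
	Server tls.Certificate // presented by the manufacturer's API server
	Device tls.Certificate // provisioned into the device at manufacture
}

// issue generates a P-256 key and a certificate for tmpl signed by parentKey (nil parent = self-signed).
func issue(tmpl, parent *x509.Certificate, parentKey any) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: cert}, cert, nil
}

// NewCredentials builds the CA, server and device certificates; all names are constructed for the example.
func NewCredentials(deviceID string) (*Credentials, error) {
	now := time.Now()
	tmpl := func(cn string, serial int64, eku x509.ExtKeyUsage) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{Organization: []string{"Example IoT Corp"}, CommonName: cn},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{eku},
		}
	}
	caTmpl := tmpl("Example IoT Device CA", 1, x509.ExtKeyUsageAny)
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	caTmpl.KeyUsage |= x509.KeyUsageCertSign
	caCert, ca, err := issue(caTmpl, nil, nil)
	if err != nil {
		return nil, err
	}
	srvTmpl := tmpl("api.example-iot.invalid", 2, x509.ExtKeyUsageServerAuth)
	srvTmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback} // httptest binds loopback
	srv, _, err := issue(srvTmpl, ca, caCert.PrivateKey)
	if err != nil {
		return nil, err
	}
	dev, _, err := issue(tmpl(deviceID, 3, x509.ExtKeyUsageClientAuth), ca, caCert.PrivateKey) // CN = device identity
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &Credentials{Pool: pool, Server: srv, Device: dev}, nil
}

// StartServer runs an HTTPS server that aborts any session lacking a client certificate chained to the device CA.
func StartServer(c *Credentials) *httptest.Server {
	s := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// VerifiedChains is populated because ClientAuth is RequireAndVerifyClientCert.
		w.Write([]byte("hello " + r.TLS.VerifiedChains[0][0].Subject.CommonName))
	}))
	s.TLS = &tls.Config{Certificates: []tls.Certificate{c.Server}, ClientCAs: c.Pool, ClientAuth: tls.RequireAndVerifyClientCert}
	s.StartTLS()
	return s
}

// Call performs one GET presenting clientCerts (nil = no certificate, as a password-only client would) and returns the body.
func Call(url string, pool *x509.CertPool, clientCerts []tls.Certificate) (string, error) {
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, Certificates: clientCerts}}
	resp, err := (&http.Client{Transport: tr}).Get(url)
	if err != nil {
		return "", err // the server rejected the handshake: no verified device certificate
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}
```

Calling `Call` with `creds.Device` returns “hello device-0001”, because the server reads the identity straight from the verified certificate chain rather than from anything the client typed; calling it with no client certificate fails at the TLS layer and the handler never runs. Note that the server identifies the device from `VerifiedChains`, not from `PeerCertificates`: only the former is guaranteed to chain to the configured `ClientCAs`.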

Hosted PKI

The technology and procedures maintained by a CA for binding identities to cryptographic keys and issuing digital certificates are known as Public Key Infrastructure (or PKI). Any organization can operate its own PKI and CA for internal trust, but only publicly trusted CAs, like SSL.com, can provide certificates that are automatically trusted by all current browsers and operating systems.

To maintain this universal level of trust, SSL.com works continually to remain in compliance with industry standards and government regulations worldwide. Our processes and facilities are subject to rigorous yearly WebTrust audits that are required to keep our certificates universally trusted. These industry audits also ensure that we remain in compliance with the national PKI standards and guidelines of governments worldwide. We are committed to maintaining compliance with any new PKI standards and regulations going forward—as a commercial, publicly trusted CA, our very business depends on it.

IoT manufacturers can take advantage of SSL.com’s infrastructure and expertise through hosted enterprise PKI, providing access to publicly trusted certificates and eliminating the need to invest in additional equipment and expert staff. Certificate issuance and lifecycle management can be done via standard protocols like ACME, SCEP, and EST, or SSL.com’s RESTful SWS API. Privately trusted PKI is also available from SSL.com, and may be preferable for some applications. Please read Private vs Public PKI: Building an Effective Plan for much more information on this subject.

By partnering with SSL.com for IoT PKI with either private or public trust, you can be assured that the systems and processes you put in place for issuing and maintaining certificates on your devices will remain in compliance with regulations issued by NIST under the IoT Cybersecurity Improvement Act.

Learn More

Want to learn more about how SSL.com can help IoT manufacturers? Check out these SSL.com resources for much more information, or contact SSL.com’s enterprise sales team.
