The IoT Cybersecurity Improvement Act and what it means for you
The “Internet of Things” (IoT) is a term that has been used almost as frequently as the term “cyber.” IoT has now made it to the U.S. Congress, which recently approved the IoT Cybersecurity Improvement Act. This is even more relevant in our current COVID environment, with more people working remotely than ever before.
The Act charges the National Institute of Standards and Technology (NIST) with issuing guidelines to manufacturers on the standards IoT devices must meet, including standards for the development, patching, and configuration of IoT devices. The Act also requires government entities to purchase only IoT devices that meet those NIST standards.
How does it impact you as a manufacturing company?
If you are a manufacturer, the guidelines generally describe capabilities that your IoT devices will have to provide to improve their security. NIST recently published NISTIR 8259, which sets out activities to help manufacturers consider their customers' cybersecurity needs, and NISTIR 8259A, which establishes a core baseline of device capabilities.
There are six activities referenced in 8259 - four pre-market and two post-market:
1) Identify expected customers and users, and define expected use cases
2) Research customer cybersecurity needs and goals
3) Determine how to address customer needs and goals
4) Plan for adequate support of customer needs and goals
5) Define approaches for communicating with customers
6) Decide what to communicate to customers and how to communicate it
There are six core capabilities set out in 8259A:
1) Device Identification (the device has a unique identifier)
2) Device Configuration (software can be changed)
3) Data Protection (device can protect against unauthorized access)
4) Logical Access to Interfaces (access is restricted)
5) Software Update (software can be updated by authorized entities)
6) Cybersecurity State Awareness (device can report on its state)
If you’re not a manufacturer...
If you're not a manufacturer but a company that relies upon IoT devices, the Act will not impact you for a while.
In the meantime, we recommend the following with regards to any IoT you own:
Don’t expose devices to the internet when they don't need to be connected (e.g. overnight, when not in use, etc.)
Enable MFA on any device which supports it
Change your default wifi passwords to ones that are difficult to guess
Create a guest network on your wifi to connect IoT devices to
Always keep the device up to date with the latest updates
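To make the checklist above something you can actually run against a device inventory, here is an added example (written for this article, not Coalition's tooling or anything from NISTIR 8259) that audits each device against the five recommendations: internet exposure without a need for remote access, MFA supported but not enabled, default or short passwords, placement on a network other than the guest network, and firmware that lags the latest release. The device fields, the 12-character password threshold, and the sample inventory are all constructed assumptions for the demonstration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class IoTDevice:
    """One entry in a home or small-office IoT inventory (constructed schema)."""
    name: str
    network: str              # wifi network or VLAN the device sits on
    internet_exposed: bool    # reachable from the internet (port forward, UPnP, cloud relay)
    needs_remote_access: bool # does the owner actually need it reachable remotely?
    mfa_supported: bool
    mfa_enabled: bool
    default_password: bool    # still using the factory credential
    password_length: int
    installed_firmware: date  # release date of the firmware currently installed
    latest_firmware: date     # release date of the vendor's newest firmware


MIN_PASSWORD_LENGTH = 12      # assumed threshold, not a value from the article


def audit_device(dev: IoTDevice) -> list:
    """Return a list of findings; an empty list means the device meets the checklist."""
    findings = []

    # 1. Don't expose devices to the internet when they don't need to be connected
    if dev.internet_exposed and not dev.needs_remote_access:
        findings.append("exposed to the internet without a need for remote access")

    # 2. Enable MFA on any device that supports it
    if dev.mfa_supported and not dev.mfa_enabled:
        findings.append("MFA supported but not enabled")

    # 3. Replace default passwords with ones that are difficult to guess
    if dev.default_password:
        findings.append("default password still in use")
    elif dev.password_length < MIN_PASSWORD_LENGTH:
        findings.append(f"password shorter than {MIN_PASSWORD_LENGTH} characters")

    # 4. Put IoT devices on a guest network, segregated from your main network
    if dev.network != "guest":
        findings.append(f"on '{dev.network}' network instead of the guest network")

    # 5. Keep the device up to date: flag how far behind the latest release it is
    lag_days = (dev.latest_firmware - dev.installed_firmware).days
    if lag_days > 0:
        findings.append(f"firmware {lag_days} days behind the latest release")

    return findings


def audit_inventory(devices) -> dict:
    """Map each device name to its list of findings."""
    return {dev.name: audit_device(dev) for dev in devices}


# Constructed sample inventory: one badly configured camera, one well-configured thermostat.
SAMPLE_INVENTORY = [
    IoTDevice("front-door-camera", "main", True, False, True, False, True, 8,
              date(2020, 3, 1), date(2020, 11, 15)),
    IoTDevice("thermostat", "guest", False, False, True, True, False, 16,
              date(2020, 11, 15), date(2020, 11, 15)),
]


if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

In practice the inventory would be loaded from a spreadsheet or a router's client list rather than hard-coded; the value of the script is that every item on the checklist becomes a yes/no question with evidence, so a device that "can't" go on the guest network or "doesn't support" MFA shows up as a known, accepted gap rather than a forgotten one.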
Coalition’s policy covers IoT devices
Although following the above recommendations will certainly help limit your exposure to a cyber incident, they can still happen, and that is where having the right cyber insurance policy is important. Unlike others in the industry, Coalition’s policy covers IoT devices. This means if there is an incident (e.g. ransomware) that originates from one of these devices, our policy will likely cover it and cover you. Don’t forget, if you are a policyholder, you can always speak with our security team to get specific recommendations for all of your devices.