It's not really about the law so much as about money. If you don't meet the requirements then the Government, and subcontractors of the government, cannot do business with you. Good luck getting one of those 'loophole' exceptions. If you are serious about selling to the government then you'll get on board; be sure to charge accordingly.
Since 99.9% of IoS crap is direct-to-consumer sales, I'm not sure how effective any of this will really be. And then there's NIST's handling of this, which is typically "you must be FIPS 140 certified", which pretty much guarantees that only the usual government-gravy-train vendors can play because no-one else will sink several hundred thousand per product into getting a piece of paperwork to let them charge ludicrous prices to government agencies. I don't think this will end up as much more than feel-goo
Actually consumers are unaware of most of the IoT devices out there, which is why there are already 20 billion of them. They're things like sewer flow monitors, smart street lights, fish counters, game trail cameras, weather stations, soil moisture monitors, and John Deere tractors. Your Internet-connected refrigerator may be an IoT device, but so is the traffic light on the corner, the drone that patrols the corn field looking for insect infestations, and the laser that zapped parasites on the farmed salmon
I would differentiate between SCADA and IoT. SCADA is generally built-like-a-brick-shithouse hardware with some embedded/RTOS-like control software; it may not have every security feature but generally has had some thought put into it. IoS is an obsolete Linux kernel shovelled onto a Raspberry Pi with every port open, every service enabled, and controlled by a Python script hacked together at 4am by one of the devs that mostly works most of the time. Government/corporate use is SCADA, consumer use is IoS. So t
Internet of Things devices are devices that--

(A) have at least one transducer (sensor or actuator) for interacting directly with the physical world, have at least one network interface, and are not conventional Information Technology devices, such as smartphones and laptops, for which the identification and implementation of cybersecurity features is already well understood; and

(B) can function on their own and are not only able to function when acting as a component of another device, such as a processor.
And this is where it gets interesting, they've decreed, by executive fiat, that every deeply-embedded control system, most of which are physically incapable of doing a lot of what the rest of the act requires, now complies with it. The discussion on mailing lists around this has been mostly "how TF are they going to get this pig to fly?". Blanket waivers and exceptions, foot-dragging on rulemaking, and random hit-and-miss enforcement are the best guesses.
Yeah, the traffic counter they just bought can't do it, but the new ones they purchase next year will have to, and it's about bloody time. Where I work we have cameras that were installed over 15 years ago; their firmware has multiple **known** security holes that are unpatchable. Fortunately they're on a restricted network (and scheduled for replacement in a couple of months), but if they were outside the firewall they'd almost certainly be part of one of the DDOS bot
The ones they get today CAN do it. The problem is with older stuff that was done maybe in the '90s with no built-in security. Of course it depends upon the manufacturer. Some new stuff will still have crappy security of course, like pre-shared keys or passwords, but hopefully most will be on the ball, actually hiring security experts and having security as a concern at all management levels. But if someone built a device in the last 10 years without worrying about security then that's a major failure. Having high-grade security is a major selling point in my experience, as the customers are looking for it.
Physically incapable today.