Since 99.9% of IoS crap is direct-to-consumer sales, I'm not sure how effective any of this will really be. And then there's NIST's handling of this, which is typically "you must be FIPS 140 certified", which pretty much guarantees that only the usual government-gravy-train vendors can play because no-one else will sink several hundred thousand per product into getting a piece of paperwork to let them charge ludicrous prices to government agencies. I don't think this will end up as much more than feel-goo
I would differentiate between SCADA and IoT. SCADA is generally built-like-a-brick-shithouse hardware with some embedded/RTOS like control software, may not have every security feature but generally had some thought put into it. IoS is an obsolete Linux kernel shovelled onto a Raspberry Pi with every port open, every service enabled, and controlled by a Python script hacked together at 4am by one of the devs that mostly works most of the time. Government/corporate use is SCADA, consumer use is IoS. So t
And this is where it gets interesting, they've decreed, by executive fiat, that every deeply-embedded control system, most of which are physically incapable of doing a lot of what the rest of the act requires, now complies with it. The discussion on mailing lists around this has been mostly "how TF are they going to get this pig to fly?". Blanket waivers and exceptions, foot-dragging on rulemaking, and random hit-and-miss enforcement are the best guesses.
Thanks, that's probably the best definition. The informal one I use is IoS = cheap consumer crap that dies when whoever talked you into buying it shuts down their server, SCADA = industrial-grade gear designed to be as indestructible as possible and not dependent on some server in China, but not with security in mind. We've got SCADA gear running here that dates from the 1990s, has never gone down or crashed that I can remember, and is still actively supported by the vendor. Conversely, we have IoS stuff
money (Score:3)
It's not really about the law so much as about money. If you don't meet the requirements then the Government, and subcontractors of the government, cannot do business with you. Good luck getting one of those 'loophole' exceptions. If you are serious about selling to the government then you'll get on board; be sure to charge accordingly.
Re: (Score:-1, Flamebait)
Re: (Score:1)
US gov has been hijacked by a corrupt oligarchy
I see you've studied your history, back to the 1860's, at least.
Nothing's really changed since... in case you were wondering.
update program should have at least 3 years free (Score:2)
The update program should have at least 3 years free, and not require paying for an online plan to get updates.
Re: (Score:2)
Free updates? For a government contract?
More like 10 years milking for contracted maintenance.
Re: (Score:3)
Re: (Score:2)
It's for the Government itself, not you.
Re: (Score:3)
Actually consumers are unaware of most of the IoT devices out there, which is why there are already 20 billion of them. They're things like sewer flow monitors, smart street lights, fish counters, game trail cameras, weather stations, soil moisture monitors, and John Deere tractors. Your Internet-connected refrigerator may be an IoT device, but so is the traffic light on the corner, the drone that patrols the corn field looking for insect infestations, and the laser that zapped parasites on the farmed salmon
Re: (Score:2)
Re: (Score:2)
I'm still trying to come up with IoT devices the government uses. Does the white house need some Hue bulbs?
Re: (Score:3)
I just gave you a very abbreviated list of them. "sewer flow monitors, smart street lights, fish counters, game trail cameras, weather stations, soil moisture monitors ... " Even if governments only used 0.1% of the IoT devices out there that's 20,000,000 of them, and actually they're the largest users after the big lump called "factory automation". There are so many of them already installed and so many of them about to be installed that the telecoms are implementing 5G to handle the flood of connection
Re: (Score:2)
Internet of Things devices are devices that--
(A) have at least one transducer (sensor or actuator) for interacting directly with the physical world, have at least one network interface, and are not conventional Information Technology devices, such as smartphones and laptops, for which the identification and implementation of cybersecurity features is already well understood; and
(B) can function on their own and are not only able to function when acting as a component of another device, such as a processor.
Re: (Score:2)
Re: (Score:2)
Physically incapable today.
Yeah, the traffic counter they just bought can't do it, but the new ones they purchase next year will have to, and it's about bloody time. Where I work we have cameras installed that were installed over 15 years ago, their firmware has multiple **known** security holes that are unpatchable, fortunately they're on a restricted network (and scheduled for replacement in a couple of months) but if they were outside the firewall they'd almost certainly be part of one of the DDOS bot
Re: (Score:2)
Yeah, the traffic counter they just bought can't do it, but the new ones they purchase next year will have to, and it's about bloody time.
++
It's past time for everyone to stop accepting crap that can't be upgraded from vendors that will disappear (or pretend to have never heard of a product you bought from them) in 2-3 years. Amazon and Walmart won't enforce standards, but governments might and they buy enough stuff to move the needle, unlike a few cloud-skeptical nerds choosing not to buy Hue lights or whatever now.
Re: (Score:2)
The ones they get today CAN do it. The problem is with older stuff that was done maybe in the 90s with no built-in security. Of course it depends upon the manufacturer. Some new stuff will still have crappy security of course, like pre-shared keys or passwords, but hopefully most will be on the ball and actually hiring security experts and have security as a concern at all management levels. But if someone built a device in the last 10 years without worrying about security then that's a major failure. Having
Re: (Score:2)
It depends I think on how it's used. If it's a closed network you could argue that it's not IoT. But if it's on the internet, even if that just means a closed network using an IPsec tunnel for remote access from a different closed network, then it's on the internet and probably can be called IoT. Leased lines are expensive and so many of these are being migrated to the internet, while being secured hopefully.
Re: (Score:2)
A depressingly large amount of SCADA firmware is written with the assumption that it will be connected to a secured private network and so anything on that network is trusted.
Then some clown connects it to the public net.
OTOH, consumer IoT firmware is designed to absolutely depend on the mothership so it can be obsoleted at will.
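The "anything on the network is trusted" assumption in the comment above, shown as an added example (not code from the thread or from any vendor's firmware). A toy valve controller handles the same command frames two ways: `handle_trusting` executes whatever parses, so any peer that can reach the port owns the valve once the device lands on a public network; `handle_authenticated` requires every frame to carry a MAC under a per-device key plus a strictly increasing counter, so network position stops mattering and replayed frames are rejected. The frame format, the constructed `DEVICE_KEY`, and the use of HMAC-SHA256 (stdlib only) in place of the hardware-backed ECC signatures a real design would use are all assumptions of this example.

```python
"""Added example: a device command handler in the two styles the comment
contrasts.  Everything here (frame format, key, state) is constructed for
the example; HMAC-SHA256 stands in for the asymmetric signatures a
production device would verify with its secure key storage."""
import hmac
import hashlib
import json

# Constructed: a 32-byte per-device key, provisioned at manufacture and
# held in the device's secure key storage (modelled here as a constant).
DEVICE_KEY = bytes.fromhex("00" * 31 + "01")

VALID_COMMANDS = {"open", "close"}


def new_state():
    """Device state: the valve position and the last accepted counter."""
    return {"valve_open": False, "last_counter": 0}


def apply_command(state, cmd):
    """Act on a command; unknown commands are ignored."""
    if cmd not in VALID_COMMANDS:
        return False
    state["valve_open"] = (cmd == "open")
    return True


def handle_trusting(state, frame: bytes) -> bool:
    """As-shipped style: any frame that parses is executed, because the
    firmware assumes only friendly peers can reach it."""
    try:
        msg = json.loads(frame)
    except ValueError:
        return False
    if not isinstance(msg, dict):
        return False
    return apply_command(state, msg.get("cmd"))


def mac_for(counter: int, cmd: str) -> str:
    """MAC over counter and command under the per-device key."""
    data = f"{counter}:{cmd}".encode()
    return hmac.new(DEVICE_KEY, data, hashlib.sha256).hexdigest()


def build_frame(counter: int, cmd: str) -> bytes:
    """What a legitimate controller holding DEVICE_KEY sends."""
    return json.dumps(
        {"counter": counter, "cmd": cmd, "mac": mac_for(counter, cmd)}
    ).encode()


def handle_authenticated(state, frame: bytes) -> bool:
    """Hardened style: a frame is acted on only if it was produced by a
    holder of this device's key and its counter is newer than any seen."""
    try:
        msg = json.loads(frame)
        counter = int(msg["counter"])
        cmd = str(msg["cmd"])
        mac = str(msg["mac"])
    except (ValueError, KeyError, TypeError):
        return False
    # Replay protection: the counter must strictly advance.
    if counter <= state["last_counter"]:
        return False
    # Constant-time comparison so MAC checking does not leak timing.
    if not hmac.compare_digest(mac, mac_for(counter, cmd)):
        return False
    if not apply_command(state, cmd):
        return False
    state["last_counter"] = counter
    return True


def demo():
    """Run both handlers over the same three frames: a genuine command,
    an unauthenticated frame from a peer that merely shares the network,
    and a replay of the genuine frame.  Returns the accept/reject results."""
    genuine = build_frame(1, "open")
    unauthenticated = json.dumps({"cmd": "open"}).encode()  # constructed
    results = {}
    for name, handler in (("trusting", handle_trusting),
                          ("authenticated", handle_authenticated)):
        st = new_state()
        results[name] = (
            handler(st, genuine),
            handler(st, unauthenticated),
            handler(st, genuine),  # replay of the genuine frame
        )
    return results


if __name__ == "__main__":
    print(demo())
```

The trusting handler accepts all three frames; the authenticated one accepts only the first. The per-device key is what keeps this from being the shared pre-shared-key setup another comment in the thread criticises: compromising one device's key does not let a peer speak to any other device.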
Re: (Score:2)
Re: (Score:2)
Yes, security on consumer devices is crap, and likely to always remain so since security is an inconvenience and inconvenience lowers sales. But in the commercial and industrial world, IoT devices are common and customers there are much more likely to demand security, especially when used for critical infrastructures. Chip makers are starting to get on the ball too, so instead of offering mediocre WiFi or Bluetooth based stuff, they're now offering chips with secure key storage, elliptic curve support, abi