Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Government

The US Government Finally Gets Serious About IoT Security (ieee.org) 66

An anonymous reader quotes a report from IEEE Spectrum, written by Stacey Higginbotham: The IoT Cybersecurity Improvement Act of 2020 has given the nation an excellent framework that will influence IoT security across the world. So, what's to like about the law? Two things, as it turns out. First, the law isn't focused on securing individual devices by dictating password requirements or encryption standards, both of which will need to evolve. Instead, it relies on the National Institute of Standards and Technology (NIST) to set many of the requirements that government agencies have to follow when purchasing connected devices. These policies see overall security as the sum of several parts, requiring specific prescriptions for device, cloud, and communication security.

NIST's initial rules include today's best practices, such as having an over-the-air device update program, unique IDs for each device so it can be identified on a network, and a way for authorized users to change features related to access and security. The recommendations also include logging the actions taken by an IoT device or its related app, and clearly communicating the specifics of a device's security to the user. The other reason to like the law is that it remains adaptive and flexible by requiring NIST to assess the best practices for cybersecurity for connected devices every five years. Hacks, by their nature, are also adaptive and flexible, and so preventing them needs equally adaptable legislation. That means buying IoT devices that can receive over-the-air software updates, for example, to patch up any newly discovered exploits.
"Unfortunately, the law isn't airtight," writes Higginbotham. She worries that the waiver process for devices needed for national security or research could be abused. There's also a loophole that exempts devices that are secured using "alternative and effective methods." The law doesn't clarify what agency evaluates the efficacy of these alternative methods or how that evaluation is made.
This discussion has been archived. No new comments can be posted.

The US Government Finally Gets Serious About IoT Security

Comments Filter:
  • by awwshit ( 6214476 ) on Thursday March 18, 2021 @10:33PM (#61174638)

    Its not really about the law so much as about money. If you don't meet the requirements then the Government, and subcontractors of the government, cannot do business with you. Good luck getting one of those 'loophole' exceptions. If you are serious about selling the to government then you'll get on board, be sure to charge accordingly.

    • update program should have at least 3 years free and not to get updates need to pay for an online plan.

      • by stikves ( 127823 )

        Free updates? For a government contract?

        More like 10 years milking for contracted maintenance.

    • Since 99.9% of IoS crap is direct-to-consumer sales, I'm not sure how effective any of this will really be. And then there's NIST's handling of this, which is typically "you must be FIPS 140 certified", which pretty much guarantees that only the usual government-gravy-train vendors can play because no-one else will sink several hundred thousand per product into getting a piece of paperwork to let them charge ludicrous prices to government agencies. I don't think this will end up as much more than feel-goo
      • Its for the Government itself, not you.

      • by cusco ( 717999 )

        Actually consumers are unaware of most of the IoT devices out there, which is why there are already 20 billion of them. They're things like sewer flow monitors, smart street lights, fish counters, game trail cameras, weather stations, soil moisture monitors, and John Deere tractors. Your Internet-connected refrigerator may be an IoT device, but so is traffic light on the corner, the drone that patrols the corn field looking for insect infestations, and the laser that zapped parasites on the farmed salmon

        • I would differentiate between SCADA and IoT. SCADA is generally built-like-a-brick-shithouse hardware with some embedded/RTOS like control software, may not have every security feature but generally had some thought put into it. IoS is an obsolete Linux kernel shovelled onto a Raspberry Pi with every port open, every service enabled, and controlled by a Python script hacked together at 4am by one of the devs that mostly works most of the time. Government/corporate use is SCADA, consumer use is IoS. So t
          • I'm still trying to come up with IoT devices the government uses. Does the white house need some Hue bulbs?

            • by cusco ( 717999 )

              I just gave you a very abbreviated list of them. "sewer flow monitors, smart street lights, fish counters, game trail cameras, weather stations, soil moisture monitors ... " Even if governments only used 0.1% of the IoT devices out there that's 20,000,000 of them, and actually they're the largest users after the big lump called "factory automation". There are so many of them already installed and so many of them about to be installed that the telecoms are implementing 5G to handle the flood of connection

          • You may, but the bill makes no distinction:

            Internet of Things devices are devices that--
            (A) have at least one transducer (sensor or actuator) for interacting directly with the physical world, have at least one network interface, and are not conventional Information Technology devices, such as smartphones and laptops, for which the identification and implementation of cybersecurity features is already well understood; and
            (B) can function on their own and are not only able to function when acting as a component of another device, such as a processor.

            • And this is where it gets interesting, they've decreed, by executive fiat, that every deeply-embedded control system, most of which are physically incapable of doing a lot of what the rest of the act requires, now complies with it. The discussion on mailing lists around this has been mostly "how TF are they going to get this pig to fly?". Blanket waivers and exceptions, foot-dragging on rulemaking, and random hit-and-miss enforcement are the best guesses.
              • by cusco ( 717999 )

                Physically incapable today .

                Yeah, the traffic counter they just bought can't do it, but the new ones they purchase next year will have to, and it's about bloody time. Where I work we have cameras installed that were installed over 15 years ago, their firmware has multiple **known** security holes that are unpatchable, fortunately they're on a restricted network (and scheduled for replacement in a couple of months) but if they were outside the firewall they'd almost certainly be part of one of the DDOS bot

                • Yeah, the traffic counter they just bought can't do it, but the new ones they purchase next year will have to, and it's about bloody time.

                  ++
                  It's past time for everyone to stop accepting crap that can't be upgraded from vendors that will disappear (or pretend to have never heard of a product you bought from them) in 2-3 years. Amazon and Walmart won't enforce standards, but governments might and they buy enough stuff to move the needle, unlike a few cloud-skeptical nerds choosing not to buy Hue lights or whatever now.

                • The ones they get today CAN do it. The problem is with older stuff that's done maybe in the 90s with no built in security. Of course it depends upon manufacturer. Some new stuff will still have crappy security of course, like pre-shared keys or passwords, but hopefully most will be on the ball and actually hiring security experts and have security as a concern at all management levels. But if someone built a device in the last 10 years without worrying about security then that's a major failure. Having

          • It depends I think on how it's used. If it's a closed network you could argue that it's not IoT. But if it's on the internet, even if that just means a closed network using an IPSEC tunnel for remote access from a different closed network, then it's on the internet and probably can be called IoT. Leased lines are expensive and so many of these are being migrated to the internet, while being secured hopefully.

          • by sjames ( 1099 )

            A depressingly large amount of scada firmware is written with the assumption that it will be connected to a secured private network and so anything on that network is trusted.

            Then some clown connects it to the public net.

            OTOH, consumer IOT firmware is designed to absolutely depend on the mothership so it can be obsoleted at will.

            • Thanks, that's probably the best definition. The informal one I use is IoS = cheap consumer crap that dies when whoever talked you into buying it shuts down their server, SCADA = industrial-grade gear designed to be as indestructible as possible and not dependent on some server in China, but not with security in mind. We've got SCADA gear running here that dates from the 1990s, has never gone down or crashed that I can remember, and is still actively supported by the vendor. Conversely, we have IoS stuff
        • Yes, security on consumer devices are crap, and likely to always remain so since security is an inconvience and inconvenience lowers sales. But in the commercial and industrial world, IoT devices are common and customers there are much more likely to demand security, especially when used for critical infrastructures. Chip makers are starting to get on the ball too, so instead of offering mediocre WiFi or bluetooth based stuff, they're now offering chips with secure key storage, elliptic curve support, abi

  • They need to give NIST time to set up ENT certification (SP800-90B certs independent of FIPS 140-3) before they load them up with IoT stuff. We've been waiting a long time.

    • by nadass ( 3963991 )
      The NIST was typically sufficiently staffed to run many projects in parallel -- "was" because the past Presidential Administration (whose name shall not be mentioned) did not exactly espouse things like "standards" or "technology" or even "institutions" of any sort.

      For those wondering, the final recommendation was made 3 years ago (Jan 2018) and is available here, https://csrc.nist.gov/publicat... [nist.gov]
      • Re:NIST (Score:4, Informative)

        by TechyImmigrant ( 175943 ) on Friday March 19, 2021 @12:55AM (#61174820) Homepage Journal

        The NIST was typically sufficiently staffed to run many projects in parallel -- "was" because the past Presidential Administration (whose name shall not be mentioned) did not exactly espouse things like "standards" or "technology" or even "institutions" of any sort.

        For those wondering, the final recommendation was made 3 years ago (Jan 2018) and is available here, https://csrc.nist.gov/publicat... [nist.gov]

        The spec is written - I should know, I (along with many others) contributed to that spec. The CBC-MAC vetted conditioning component - You can thank me for getting that in there and Prof Dodis for proving it's a good entropy extractor, but 90B entropy justification reports are submitted as part of a FIPS 140 application, specifically because there is no separate entropy certification. There are ACVT certs for SP800-90A, but no such certs for SP800-90B and of course 90C is still in draft form after all these years. 90C is currently undergoing a big update and 90B is undergoing a small update to clean up after I.G. 7.19 and the draft 7.20.

        This is a mess. If you design and sell RNG hardware, you can get a cert for the SP800-90A half of it, but your customer putting the RNG in a FIPS module needs to submit your 90B entropy justification with their FIPS 140 application. With the ENT certs in place (ENT is what NIST is calling it - it's not my name), you as an RNG maker can get both parts certified and your customer can just point to your certs on the NIST website and do their FIPS 140 certification without having to bother you or sign NDAs or any of that hassle.

        • As to the previous administration, yes indeed they did dump on the NIST employees. I have no argument with that.

        • I've been meaning to ask you something.
          I'm familiar with rdrand. Is there an instruction that will get the random value PRIOR to the AES conditioner?

          I noticed something about the corrector and the gambler's fallacy. I was curious to check actual output to see if my thought about what should happen actually DOES happen.

          • >I'm familiar with rdrand. Is there an instruction that will get the random value PRIOR to the AES conditioner?

            Nope. Because that would lead to all sorts of potential security problems. You wouldn't want a program executing that instruction while you were using the random numbers for cryptographic purpose in a separate process or vm on the same cpu.

            But we do make such data available on request, usually for people seeking certification or doing research.

            By "corrector and the gambler's fallacy" are you ref

            • Let me start by saying I'm not suggesting that the RNG is broken in any meaningful way. I'm also aware that you understand it far, far better than I do. I'm merely curious about a behavior midway in the system, before the final output is generated.

              > By "corrector and the gambler's fallacy" are you referring to the research on adversarial entropy sources?

              Here's the basic thought I had. As you probably know, the gambler's fallacy is the idea that if the roulette wheel lands in red 8 times in a row, it's

              • The feedback in the entropy source is to keep the metastable core metastable.

                This leads to a small amount of serial correlation so the longer strings of the same value happen less frequently that they would in a uniform distribution of bits.
                This means the entropy level is not 100%. Then that data goes into an entropy extractor, which is like a distillation process. Dilute entropy goes in, concentrated entropy comes out. No more entropy comes out that in, just like with distillation, no more alcohol comes ou

                • Thanks for that. I had listened to one of your talks a while back and thought how clever that feedback circuit was. Later, I had this thought pop into my head "hey wait a minute ... that's explicitly making it non-random". :)

                  Maybe I'll get your book, because I have an odd fascination with computer randomness. Only thing is, once I start a book I generally don't sleep until I finish it, so I'll need to find a day to devote to random uninterrupted.

                  • It would be a lot less random without the feedback. You need sigma_n > 10*sigma_m. The feedback drags sigma_m down.

                    Be careful meddling with computer randomness - it might take over your career - look at me for example.

  • by ctilsie242 ( 4841247 ) on Thursday March 18, 2021 @11:31PM (#61174714)

    What might be effective is something like UL Listings, where a device has to pass muster in a number of ways, be it having a manifest of the sites it connects to, so firewalls can limit what IP addresses it communicates with to just that list and no other, on up the chain. Some of the main points:

    Security needs to be more than "anti-jailbreak"/DRM. Keeping the user locked out is one thing, but does absolutely nothing against remote threats, especially if the device allows code to be downloaded willy-nilly and executed.

    Least privilege. Why does a light bulb need to talk to 10,000 websites, all around the world? It needs to be able to fetch updates via a pull mechanism like wget or curl, and that's it.

    Analytics. There needs to be a hard-line stance of default opt-out for a device to pass. If it details all end user use and sends it up, it needs to be laughed out of the testing lab. If it tries to cheat, the company should be blacklisted.

    Guarantee that there will be security updates. There should be a guarantee of updates, or some way a third party that is trustworthy can be paid to take ownership of this and get updates out to discontinued products. IoT isn't just some disposable item like a phone, these devices can be online for decades. In fact, I know of machine shops still using CNC stuff that uses a program on MS-DOS to drive their machinery. The equipment has been around since the 1990s... but it still works and does the parts that are needed. In some areas, there needs to be a pledge that there will be 20-50 year support on some IoT devices, or at least make the entire device open source, so it can be user maintainable.

    Repairable. A vertical market device I had, had a battery die. Took the battery out, and the device was rendered inoperable even plugged in. Because of the security chip on the battery, there are no third party replacements, and the maker of the device is not making batteries for that model, so the only way to "fix" things is to buy a new one.

    From there, it would be adding levels of security, like how Sold Secure has Gold, Silver, etc. For example, a bronze level means that the device has a manifest of what sites it communicates with, is guaranteed updates for a year, and after updates are over, will "fail" to a sane, usable mode. A Gold level would mean that the hardware, OS, and chipset is open source, has been audited, line by line, the company has a source code escrow system to ensure the code is released if they fail, a backup signing system if the main root key is compromised, and only fetches from a few hosts or IP addresses code updates, as well as working without issue if on an air-gapped network (allowing updates via a manual method).

    Until some type of testing is done like a UL listing, the IoT market is just going to be a circus with insecure device after insecure device.

    • >What might be effective is something like UL Listings,

      Like the existing security certification industry?
      CAVS, FIPS, AIS, GMT, CC etc. UL happens to be one of the many cert houses that issue certs for those sort of things.

    • by geekmux ( 1040042 ) on Friday March 19, 2021 @01:57AM (#61174874)

      Guarantee that there will be security updates. There should be a guarantee of updates, or some way a third party that is trustworthy can be paid to take ownership of this and get updates out to discontinued products. IoT isn't just some disposable item like a phone, these devices can be online for decades.

      Why exactly do you think you'll be able to enforce support on anyone, for a discontinued product? The capitalist answer is "Here's the new model, what's the problem again?" No matter how expensive, they are considered disposable. The warranty speaks volumes here.

      In fact, I know of machine shops still using CNC stuff that uses a program on MS-DOS to drive their machinery. The equipment has been around since the 1990s...

      Sadly, there's more than a damn good chance that any modern electronics you buy today, is not going to last "decades" anymore. And quite frankly, that CNC machine is probably still more secure than the majority of IoT devices.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        Guarantee that there will be security updates. There should be a guarantee of updates, or some way a third party that is trustworthy can be paid to take ownership of this and get updates out to discontinued products. IoT isn't just some disposable item like a phone, these devices can be online for decades.

        Why exactly do you think you'll be able to enforce support on anyone, for a discontinued product? The capitalist answer is "Here's the new model, what's the problem again?" No matter how expensive, they are considered disposable. The warranty speaks volumes here.

        I like the EU approach of making warranties of fitness at least 2 years long and making the seller responsible if the manufacturer isn't taking returns. This combined with a "supported until" date stamped on every box or online listing (visible before sale) can help retailers and consumers make informed decisions about whom to buy from. E.g. a store may decide not to stock an appliance or telephone whose manufacturer support expires in six months.

      • by AmiMoJo ( 196126 )

        Consumer law in the UK is actually quite good for this sort of thing. It says a product must last a "reasonable length of time", which is ultimately determined by a court on a product by product basis.

        So for example a TV would be expected to last 5-6 years at least, they are not cheap disposable items. If your TV breaks down after 4 years, regardless of any warranty you would expect at least a 20% refund since it only lasted 80% of the minimum reasonable lifespan.

        People got refunds when Sony removed Linux s

    • by AmiMoJo ( 196126 )

      We need routers with a special wifi AP for IoT devices that severely restricts them, e.g. blocking on HTTPS connections and requiring opt-in for all external connections. Setup could be somewhat automated, like say the device provides a URL for a configuration file that has to be signed.

      Mandatory security updates for the reasonable lifetime of the product would be good too. Like say 10 years for a lightbulb or a washing machine, 20 years for a car.

      • What might be interesting is a combination of both. The IoT has a manifest file perhaps tied to the MAC which the router can look up and then assign firewall rules. Or, the IoT maker has some URL that can be copied and pasted into the router to have that manifest file downloaded, shown to the user, and implemented. However, knowing IoT companies, they likely will just allow * in and out, but it is better than nothing.

  • by Anonymous Coward on Friday March 19, 2021 @12:24AM (#61174780)

    Network-capable IoT devices need a "supported until" date printed on their outside box (and included in online listings) so that buyers can decide whether to purchase a phone, router, thermostat, TV, or refrigerator that will expire soon.

    • I'd also like a label for anything that requires an Internet connection to work. Call me old or detached, I'm not much of a gamer, when I bought a PS4 I was kind of shocked that I had to connect it to the Internet and that the copy of The Last of Us that was bundled with it was digital download only. I never would have made those assumptions and considered returning it.

      • by gr8dude ( 832945 )

        This is a good idea and there is ongoing research that aims to design and promote a label that will do that, among other things.

        One design to look at is available at http://privacy-facts.eu/ [privacy-facts.eu] it is focused on privacy; the answer to your "does it require the Internet?" question can be derived from the diagram at the bottom of the label.

        The online version of the label also comes with details related to security, and in addition it covers information about the duration of the support period.

  • You can have the best security lobbying will buy and the NSA can backdoor.
    • This has been tried before. Remember EAL certification? Remember CISCO having top notch certification. Then pesky security researchers got busy. Certification was abused then, and it was always 'closed'. Right now Huawei has been accused of much, but not a shred of evidence produced. And this is the double edged sword, that will bite domestic sellers, selling domestic gear, that has Chinese firmware within. What is needed is good old consumer warranty law,only enforced. Obviously abandoned gear looses ALL p
  • The U.S. government should mandate that all IoT systems it uses are developed in Rust and should use a micro-kernel OS.

    This is the only way to secure systems which are currently riddled with memory bugs due to them being written in C / C++.
  • Every device needs to be updatable by remote means by an 'authority'.

    Each device must be uniquely identifiable.

    At least it is only mandated for government purchased devices. For now, anyways.

  • Working in this domain since 2014, this is a step in the right direction! The best thing is that this bill targets all IoT systems, and not only consumer IoT.

    However, it takes a very customer-centric approach, expecting that IoT manufacturers will follow NIST standards to get access to a huge pile of customers.
    The NIST standards are quite good (NIST IR 8228, 8259 and its annexes): they use recognized principles for IoT security: a risk-based approach, secure-by-design principles, a baseline completed by sec

    • by Whibla ( 210729 )

      If you are interested by this topic, I published a panorama of IoT cyber security regulations on GitHub: https://github.com/cetome/pano... [github.com].

      Interesting, thanks. If I had one minor niggle (and yes, I know I can download the table ;-)) it's that the row headings aren't fixed, i.e. they scroll with the table, hence vanish when viewing countries in later columns.

      • by ceced ( 582790 )

        Interesting, thanks. If I had one minor niggle (and yes, I know I can download the table ;-)) it's that the row headings aren't fixed, i.e. they scroll with the table, hence vanish when viewing countries in later columns.

        Yep it's how GitHub converts Markdown tables. Very annoying with the horizontal scrolling too.
        There's a PNG available and if you have time in hand, you can download the script to generate your own HTML file and augment it.

        I will try to fix that and make the HTML available directly on GitHub.

  • Good to know the State is finally trying to do something, pushing developers (although not that much) to improve the security [slashdot.org] of this technology. It was about time!
  • There's some nice ideas here, but a brain fart I haven't seen yet is this: upon requesting market entry for a device, the requesting company (manufacturer, usually) will have to offer the source code, plus documentation on how to compile plus upload it to the device, to the governing consumer oriented body. Each update will have to be delivered as well. Whenever no update is delivered for 6 months, all data gets made public. The company goes bust? Same thing.
  • So serious, in fact, that they've mandated a committee to study the problem, and that committee is going to issue a set of voluntary guidelines for manufacturers to follow should they ever decide they want to.

  • Comment removed based on user account deletion
  • I wish the UK government would also consider this problem. But it seems that it just wants to follow us everywhere. Do you know how many cameras we have on the streets? I think they can even recognize our faces. That's why I prefer wearing a mask, not only because of the Covid. I also care about y safety. I have an Ajax security system installed at my house. I trust this brand as they produce high-quality professional products to provide a high level of security! All the devices work together and can be ope

A complex system that works is invariably found to have evolved from a simple system that works.

Working...