Last week, The Internet of Things Cybersecurity Improvement Act of 2020 (the IoT Cybersecurity Improvement Act of 2020), a bipartisan bill sponsored by Reps. Will Hurd (R-Tex.) and Robin Kelly (D-Ill.), was signed into law. Its purpose is to ensure that the federal government buys only IoT devices that meet minimum security standards and that known vulnerabilities in those devices are disclosed and fixed. The legislation directly affects U.S. federal agencies and the vendor partners, equipment manufacturers and other stakeholders that deal with the federal government. However, it is likely to have ripple effects that extend beyond security safeguards for government entities: private industry and consumers will more than likely also benefit from the new connected-device standards.
- Cybersecurity Threats and Government Data Breaches
- New Law Requirements Regarding IoT Patching
- What Does This Mean for the Government?
- How Can KernelCare for IoT Help Enterprise IoT Security?
- Timely Patching is the Key to Compliance
Cybersecurity Threats and Government Data Breaches
According to a recent Accenture report, attackers don’t just aim to steal data but to destroy it as well. Destroying data, for example with ransomware, can have an even bigger impact on availability, productivity and data integrity than theft. The same study found that the average annual cost of cybercrime per organization rose 72% over five years, reaching $13 million in 2018, up from $11.7 million the year before. Ponemon’s Cost of a Data Breach research shows that it takes an average of 280 days to identify and contain a breach, meaning that attackers typically have access to data for more than nine months before the organization responds and remediates the compromise.
ABI Research predicts that IoT connections will exceed 23 billion across all major IoT markets by 2026 and will face incessant and continually evolving cyber threats. These threats are pushing implementers and IoT vendors to adopt new digital security options and are driving investment in secure device authentication services, a market expected to reach $8.4 billion in revenue by 2026. Meanwhile, Nokia’s “2020 Threat Intelligence Report” found that IoT devices accounted for 32.72% of all infected devices observed in mobile networks, up from 16.17% in 2019.
In the past 10 years alone, the top 10 government data breaches compromised the personal data of 348 million Americans. The data exposed included Social Security numbers, dates of birth, driver’s license numbers, credit and debit card numbers, home addresses, phone numbers, voter registration and party affiliation information, and patient records and prescriptions. Some of these breaches were the result of human error; others were caused by data left on a public server, malfunctioning hard drives, unencrypted data, or an attacker breaching a government health website.
This data is further evidence that the security of IoT devices is paramount to assuring the government, enterprises and end users who interact with those devices that their personal and corporate information is protected. Globally, regulators are increasingly requiring and verifying that devices are as secure as possible both before and after product release. In the United States, for example, the Food and Drug Administration (FDA) has published premarket and postmarket cybersecurity guidance for medical devices that covers many facets of device development and maintenance.
New Law Requirements Regarding IoT Patching
The IoT Cybersecurity Improvement Act was signed into law on December 4, 2020. The law is meant to ensure that the United States government purchases only devices that meet minimum security standards and that known vulnerabilities in them are reported and fixed. Its intent is to make the government’s IoT infrastructure more secure, but it could raise device security standards for private industry and consumers as well.
The Cybersecurity Improvement Act does not set the security standards itself; it instructs the National Institute of Standards and Technology (NIST) to develop them. While those standards have not yet been created or released, whatever NIST determines is likely to have a profound impact on the private sector and consumers.
NIST has 90 days from the signing of the law to publish standards and guidelines for the appropriate use and management of IoT devices owned or controlled by a federal agency. Those standards must be consistent with NIST’s other IoT efforts, including its work on secure development, identity management, patching and configuration management.
Within 180 days of the law being signed, NIST must also publish guidelines for reporting, coordinating, publishing and receiving information about security vulnerabilities in information systems owned or controlled by federal agencies, IoT devices included. Those guidelines apply to the contractors and vendors that supply such systems to the federal government.
The Office of Management and Budget (OMB) is tasked with developing and overseeing the implementation of the policies, principles, standards or guidelines needed to address security vulnerabilities in information systems, consistent with what NIST publishes.
The law also requires NIST to review and, as appropriate, revise the standards and guidelines every five years, and requires OMB to update its policies and principles to remain consistent with NIST’s revisions.
This new law states that “An agency is prohibited from procuring, obtaining, or using an IoT device if the agency determines during a review of a contract that the use of such device prevents compliance with the standards and guidelines, subject to a waiver where necessary for national security, for research purposes, or where such device is secured using alternative effective methods.”
Rep. Will Hurd (R-Tex), who backed The Internet of Things Cybersecurity Improvement Act of 2020, said in a statement “If you're going to introduce a new widget to the federal infrastructure with known vulnerabilities, those vulnerabilities should be addressed.”
What Does This Mean for the Government?
The United States government has kept abreast of the security vulnerabilities in the systems, vendor partners, equipment manufacturers and stakeholders it works with. In addition to The Internet of Things Cybersecurity Improvement Act of 2020, the government has put in place other programs and policies that help combat potential hacking attempts.
One way the government safeguards its systems and information is by requiring its cloud vendors to become FedRAMP compliant. FedRAMP, the Federal Risk and Authorization Management Program, “provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP empowers agencies to use modern cloud technologies, with emphasis on security and protection of federal information, and helps accelerate the adoption of secure, cloud solutions.”
In 2018 the administration released its National Cyber Strategy, which states: “New threats and a new era of strategic competition demand a new cyber strategy that responds to new realities, reduces vulnerabilities, deters adversaries, and safeguards opportunities for the American people to thrive. Securing cyberspace is fundamental to our strategy and requires technical advancements and administrative efficiency across the Federal Government and the private sector. The Administration also recognizes that a purely technocratic approach to cyberspace is insufficient to address the nature of the new problems we confront. The United States must also have policy choices to impose costs if it hopes to deter malicious cyber actors and prevent further escalation.” The National Cyber Strategy commits the government to:
- Securing federal networks and information
- Securing critical infrastructure
- Combating cybercrime and improving incident reporting
- Fostering a vibrant and resilient digital economy
- Fostering and protecting United States ingenuity
- Developing a superior cybersecurity workforce
- Enhancing cyber stability through norms of responsible state behavior
- Attributing and deterring unacceptable behavior in cyberspace
- Promoting an open, interoperable, reliable, and secure internet
- Building international cyber capacity
How Can KernelCare for IoT Help Enterprise IoT Security?
Many devices driving industrial automation systems must stay in service 24x7x365, yet they still need regular security updates. Updating becomes a challenging task when millions of devices are involved. IoT devices running the Linux kernel need watertight security: all of them must be updatable, and, just as importantly, organizations need to be able to patch them as quickly as possible.
Installing a new kernel and rebooting is the method most companies use to apply kernel security updates. But because rebooting a device in service is a hassle, kernel patching is routinely delayed for weeks or even months. If a government agency or an enterprise has to reboot a device to close a vulnerability in its Linux kernel, the device stays exposed for as long as the reboot is postponed, and the fleet is not nearly as secure as it could be.
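The gap described above is easy to measure: a device where a newer kernel package has been installed but the old kernel is still running has an update pending and a vulnerability still open. The following script is an added example written for this article, not KernelCare code. It compares the running kernel release against the installed ones for a small fleet; the inventory is constructed, and on a real device the running release would come from `uname -r` and the installed releases from the package manager or `/boot`.

```python
"""Find devices whose running kernel is older than the newest installed one.

Added example for this article, not KernelCare code. The fleet inventory
below is constructed; on a real device the running release comes from
`uname -r` and the installed releases from the package manager or /boot.
"""
import re
from typing import Dict, List, Tuple

# Constructed inventory: device name -> (running release, installed releases).
INVENTORY: Dict[str, Tuple[str, List[str]]] = {
    "gateway-01": ("5.4.0-91-generic", ["5.4.0-91-generic", "5.4.0-96-generic"]),
    "sensor-hub-02": ("5.10.0-21-amd64", ["5.10.0-21-amd64"]),
    "plc-bridge-03": (
        "4.18.0-425.3.1.el8.x86_64",
        ["4.18.0-425.3.1.el8.x86_64", "4.18.0-425.10.1.el8.x86_64"],
    ),
}


def kernel_key(release: str) -> Tuple[int, ...]:
    """Convert a kernel release string into a tuple that compares numerically.

    Keeps the leading run of digits, dots and dashes ("5.4.0-96" from
    "5.4.0-96-generic", "4.18.0-425.10.1." from "4.18.0-425.10.1.el8.x86_64")
    and drops flavour suffixes. Numeric comparison matters: as strings,
    "425.10.1" would sort *before* "425.3.1".
    """
    head = re.match(r"[0-9.\-]+", release)
    if not head:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    nums = tuple(int(n) for n in re.findall(r"\d+", head.group(0)))
    if len(nums) < 3:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return nums


def newest(releases: List[str]) -> str:
    """Return the newest release string in the list."""
    return max(releases, key=kernel_key)


def update_pending(running: str, installed: List[str]) -> bool:
    """True when a kernel newer than the running one is installed but not booted."""
    return bool(installed) and kernel_key(newest(installed)) > kernel_key(running)


def audit(inventory: Dict[str, Tuple[str, List[str]]]) -> List[Tuple[str, str, str]]:
    """List (device, running, newest installed) for every device with a pending update."""
    findings = []
    for device, (running, installed) in inventory.items():
        if update_pending(running, installed):
            findings.append((device, running, newest(installed)))
    return findings


if __name__ == "__main__":
    for device, running, latest in audit(INVENTORY):
        print(f"{device}: running {running}, {latest} installed but not active")
```

Every device this reports is one where the update exists on disk but the vulnerable code is still executing; with reboot-based patching that state can persist for weeks, which is exactly the window live patching is meant to remove.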
KernelCare for IoT provides live patching for Linux kernels in IoT devices without disruption of ongoing processes and operations.
KernelCare for IoT is designed for low-power, lightweight, ARM-based devices but also works on Intel-based devices such as edge gateways. New patches are developed, compiled and tested by the KernelCare team and are typically released within a couple of days of a vulnerability becoming public, keeping your devices secure. A small kernel module on the device loads the patched code into kernel memory, briefly freezes all processes while calls to the vulnerable functions are redirected to the fixed ones, then unfreezes them and the device continues running. The freeze lasts only a fraction of a second, so it causes no interruption in service and triggers no failover. Patches can be delivered however the IoT network infrastructure requires: over a private network, over the air (OTA), or from a cloud server over the public internet if the devices have access to it.
It is also important to note that each patch we build is cumulative: a single atomic binary that contains the fixes for all prior vulnerabilities in the kernel version it was built for. This is more secure and stable than stacking new patches on top of old ones, and it has allowed many KernelCare customers to run devices for 6+ years without rebooting: 2,200+ consecutive days of operation, every vulnerability patched during that time, and no downtime. Those customers continue to operate this way today and will for years to come. This matters because many IoT system specifications require a service horizon of 20+ years.
Our KernelCare for IoT engineers work with each client to configure the best way to receive, store and deliver patches for the client’s environment. Best of all, KernelCare for IoT can be deployed to devices that are already in operation without stopping or restarting them, so retrofitting existing networks and updating devices that may have run for years without patches can be done quickly and easily.
Timely Patching is the Key to The Internet of Things Cybersecurity Improvement Act of 2020 Compliance and Safe Government and Business
More companies are shifting to cloud-based platforms for storage, networking and processing power, but that can leave them open to vulnerabilities if those platforms are not maintained. IoT devices and infrastructure are especially vulnerable: they often sit outside the main network, and many are not designed with security in mind, which makes them an easy route for attackers to reach sensitive information. IoT vulnerabilities can appear at every layer:
- Operating Systems—Each open port and supported protocol in the OS adds to the attack surface. Some IoT microcontroller units (MCUs) run firmware on bare metal with no operating system at all, while Linux-based devices may ship with many services and ports enabled by default.
- Applications—An IoT system on a chip (SoC) may run multiple applications, each with the potential for exploitable vulnerabilities.
- Dependencies—Applications and operating systems in IoT devices pull in external libraries and dependencies, each carrying its own vulnerabilities.
- Communication—IoT traffic that is not authenticated and encrypted is vulnerable to communications-based attacks such as man-in-the-middle and replay attacks.
- Cloud hosting—The cloud infrastructure supporting IoT, with its connected servers, is also an attack surface.
- User access—Device access is a major point of vulnerability, especially if attackers can impersonate users without going through the corporate network.
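The first item in that list, open ports and protocols, is the one an operator can check directly on a Linux device. The script below is an added example written for this article, not code from the original page or from KernelCare. It parses `ss -tlnup` style output, drops listeners bound only to loopback, and flags the rest, ranking cleartext and legacy protocols first. The sample output and the port-to-protocol table are constructed assumptions for the example; on a real device you would run `ss -tlnup` and feed its text to `audit_listeners()`.

```python
"""Audit listening sockets on a Linux IoT device from `ss -tlnup` output.

Added example for this article, not from the original page or from
KernelCare. SAMPLE_SS is constructed to look like `ss -tlnup` output; run
`ss -tlnup` on the device and feed the text to audit_listeners() instead.
"""
import ipaddress
import re
from typing import List, NamedTuple, Tuple

SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=512,fd=3))
tcp   LISTEN 0      128        127.0.0.1:8080       0.0.0.0:*     users:(("node",pid=700,fd=12))
tcp   LISTEN 0      5            0.0.0.0:23         0.0.0.0:*     users:(("telnetd",pid=301,fd=4))
udp   UNCONN 0      0            0.0.0.0:1900       0.0.0.0:*     users:(("minissdpd",pid=410,fd=5))
tcp   LISTEN 0      128             [::]:80            [::]:*     users:(("lighttpd",pid=620,fd=4))
tcp   LISTEN 0      128            [::1]:631          [::]:*     users:(("cupsd",pid=233,fd=7))
"""

# Ports whose default protocol is cleartext or is routinely abused on IoT
# devices. The set and labels are this example's assumption, not a standard.
CLEARTEXT_OR_LEGACY = {
    21: "ftp (cleartext)",
    23: "telnet (cleartext)",
    80: "http (cleartext)",
    1900: "ssdp/upnp (often abused for reflection)",
    5555: "adb (unauthenticated debug)",
    7547: "tr-069 (remote management)",
}


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    process: str


def parse_ss(output: str) -> List[Listener]:
    """Parse `ss -tlnup` text into Listener records (header line skipped)."""
    listeners = []
    for line in output.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 5:
            continue
        addr, _, port = cols[4].rpartition(":")  # "[::]:80" -> "[::]", "80"
        proc = re.search(r'\("([^"]+)"', line)   # users:(("sshd",pid=...
        listeners.append(
            Listener(cols[0], addr.strip("[]"), int(port), proc.group(1) if proc else "?")
        )
    return listeners


def is_exposed(addr: str) -> bool:
    """True when the bind address is reachable from the network, not just localhost."""
    if addr in ("*", ""):
        return True
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True  # unknown form (e.g. scoped "addr%eth0"): treat as exposed


def audit_listeners(output: str) -> List[Tuple[str, str, int, str, str]]:
    """Return (severity, proto, port, process, reason) for every exposed listener.

    High-severity findings (cleartext/legacy protocols) come first, then the
    remaining exposed listeners, each group ordered by port.
    """
    findings = []
    for entry in parse_ss(output):
        if not is_exposed(entry.addr):
            continue
        label = CLEARTEXT_OR_LEGACY.get(entry.port)
        severity = "high" if label else "review"
        findings.append((severity, entry.proto, entry.port, entry.process, label or "exposed listener"))
    return sorted(findings, key=lambda f: (f[0] != "high", f[2]))


if __name__ == "__main__":
    for sev, proto, port, process, reason in audit_listeners(SAMPLE_SS):
        print(f"[{sev}] {proto}/{port} {process}: {reason}")
```

On the constructed sample, the loopback-only `node` and `cupsd` listeners are ignored, `telnetd`, `lighttpd` and `minissdpd` are reported as high severity, and `sshd` is listed for review. Each remaining listener is a service that must be kept patched, which is why the audit pairs naturally with the kernel-patching discussion above.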
You can reduce these risks by knowing and implementing the best practices for IoT compliance, including live patching. Live patching applies security patches to a running Linux kernel, which improves your security and compliance without downtime or the need to reboot the system.
While IoT devices are still relatively new, they present a significant risk if they are not updated or patched regularly. Keeping IoT devices compliant with the IoT Cybersecurity Improvement Act, up to date and protected from data breaches is what KernelCare for IoT is built for. Contact us today, or try KernelCare for IoT for free, to see what we can do for you.