Security and Connectivity for IoT Devices


IoT Cybersecurity Improvement Act 2020 – The Details


Let's Talk IoT Security

Implementing IoT device security can be a challenge. Let us help you by sharing our proven framework for integrating a proactive security approach into your design. Click the button below to schedule a one-on-one web conference to discuss your security needs.

The Details

The IoT Cybersecurity Improvement Act of 2020 is intended to create value for all stakeholders:

  • The government establishes a consistent security framework that ultimately protects everyone who benefits from IoT ecosystems.
  • IoT manufacturers get clear direction regarding their security obligations, and are therefore less susceptible to liability and their brands being tarnished.
  • Organizations that deploy IoT devices, and their customers, can be assured that their data and personal information are secured.

The Cybersecurity Act covers more than just the technology to achieve this level of compliance and confidence. The act is all-encompassing, and addresses both technical and non-technical requirements and capabilities, including processes and procedures.

Technical and Non-Technical Details

Technical requirements are spelled out in NISTIR 8259A, the NIST document the act relies on, which deals with core, baseline capabilities. This document offers high-level recommendations to IoT manufacturers and describes how everyone benefits as a result.

NISTIR 8259A does not itself provide specific implementation details; it references other technical documents for this information. As an example, for secure device identification and configuration, it points to NIST SP 800-213, which points to NIST SP 800-53 Rev 5, which in turn references the FIPS-validated cryptography documentation.

Taken together, these materials provide all the specifications and requirements that underpin compliance.

Technical Capabilities

Device Identification

This is the immutable Root of Trust of a device, confirming that it is valid and has not been compromised in any way.

Device Configuration

Instructions that describe how devices can be securely configured: how configurations are entered into a device, who has the authority and capability to make configuration changes, how configurations are securely stored so they cannot be altered without authorization, etc.

Data Protection

Ensuring that data is secure, whether it is in motion, at rest or in use. As a general rule, data should be decrypted as late as possible and protected with the appropriate level of encryption both while it is being transmitted and while it is stored.

Logical Access to Interfaces

Requirements associated with device monitoring and proactive, corrective action when potential breaches or disruptions are detected. Also describes practices for network and user interface access.

Software Updates

Making sure mechanisms are put in place for secure remote updates – locked down software and firmware, remote update process, digital signatures, cryptography, etc.

Cybersecurity State Awareness

IoT devices must be able to recognize when they have been compromised so the necessary security protocols can be enacted. When a breach is detected, trigger mechanisms initiate alerting, a reporting path, and the appropriate actions to eliminate the source of the breach (e.g. malware).
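As an added illustration of this capability (example code written for this page, not Allegro's code and not taken from the NIST documents), the following Python sketch shows a device-side integrity self-check: it measures each component image against a golden manifest the device would hold in protected storage, and turns any deviation into an alert record for the reporting path together with remediation actions. The component images, the device id and the manifest are constructed sample data.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample images standing in for the bootloader, firmware and
# configuration a device would carry; the golden manifest is what a trusted
# update process would have recorded in protected storage.
_SAMPLES = {
    "bootloader": b"BOOT v1.2 constructed image",
    "firmware": b"FW 4.0.1 constructed image",
    "config": b'{"mqtt_host":"broker.example","tls":"1.3"}',
}
GOLDEN_MANIFEST = {n: hashlib.sha256(img).hexdigest() for n, img in _SAMPLES.items()}

@dataclass
class Assessment:
    state: str                                      # "HEALTHY" or "COMPROMISED"
    tampered: list = field(default_factory=list)    # measured hash differs from golden
    missing: list = field(default_factory=list)     # in manifest, absent on device
    unexpected: list = field(default_factory=list)  # on device, not in manifest

def measure(components: dict) -> dict:
    """Hash every component image currently present on the device."""
    return {n: hashlib.sha256(img).hexdigest() for n, img in components.items()}

def assess(measured: dict, golden: dict = GOLDEN_MANIFEST) -> Assessment:
    """Compare live measurements with the golden manifest; any deviation is a compromise."""
    tampered = sorted(n for n in golden if n in measured and measured[n] != golden[n])
    missing = sorted(n for n in golden if n not in measured)
    unexpected = sorted(n for n in measured if n not in golden)
    state = "HEALTHY" if not (tampered or missing or unexpected) else "COMPROMISED"
    return Assessment(state, tampered, missing, unexpected)

def build_alert(device_id: str, a: Assessment) -> Optional[dict]:
    """Alert record for the reporting path; None when there is nothing to report."""
    if a.state == "HEALTHY":
        return None
    actions = [f"quarantine:{n}" for n in a.tampered + a.unexpected]
    actions += [f"reinstall:{n}" for n in a.missing]
    return {"device": device_id, "state": a.state, "tampered": a.tampered,
            "missing": a.missing, "unexpected": a.unexpected, "actions": actions}

if __name__ == "__main__":
    live = dict(_SAMPLES)
    live["firmware"] = _SAMPLES["firmware"] + b"\x00patched"   # constructed: modified image
    live["extra.bin"] = b"constructed: file not in the manifest"
    print(json.dumps(build_alert("sensor-0042", assess(measure(live))), indent=2))
```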

Non-Technical Capabilities

The NIST guidance also includes four non-technical requirements, over and above the technology capabilities, that play a significant role in securing IoT ecosystems.

Documentation

IoT device manufacturers must provide documentation that not only includes a “how-to use guide”, but also a cybersecurity bill of materials and characteristics (e.g. what type of cryptography is built into the device, what version of TLS is being used, what are the origins of the cybersecurity components).

Documentation encourages manufacturers to provide details regarding security measures that have been built into the IoT device and ecosystem.

Information and Query Reception

Deployed IoT ecosystems are heterogeneous, containing various device types and versions of hardware and software. Manufacturers are therefore required to respond to queries about the components deployed in the network. A database must be maintained so that manufacturers can effectively respond to requests for information, including a complete “pedigree” of the cybersecurity and device information.

Information Dissemination

Manufacturers must have systems in place to proactively disseminate information about version updates, breaches, potential vulnerabilities, etc. This information must be shared with the IoT manufacturer’s customers and the customer’s customers so all stakeholders are made aware of security issues that may affect them.

This capability has a direct impact on how an IoT manufacturer’s brand is perceived.

Education and Awareness

Availability of educational materials to inform end users about how to safely and effectively deploy the IoT technology, and about the security capabilities and processes that have been incorporated into the devices.
