What the IoT Cybersecurity Improvement Act Means for Critical Infrastructure Companies
January 06, 2021
The IoT Cybersecurity Improvement Act was officially signed into law on Dec. 4. Recognizing a lack of uniformity in identifying vulnerabilities and supply-chain risk introduced by Internet of Things (IoT) devices, the act seeks to replace today’s largely ad-hoc approach with specific standards and guidelines. Specifically, the new law calls for the development of IoT device security guidance by the National Institute of Standards and Technology (NIST) to be communicated and enforced by the Office of Management and Budget (OMB).
Some of the most important provisions include:
Within 90 days, NIST must issue standards and guidelines for the use and management of IoT devices by federal agencies, including minimum information security requirements for managing cybersecurity risks associated with IoT devices.
Within 180 days, NIST must publish guidelines on the disclosure process for security vulnerabilities relating to IoT devices operated by, or on behalf of, a federal agency.
OMB must conduct a review of federal government information security policies and make any necessary changes to ensure they are consistent with NIST’s recommendations, as well as develop and implement new policies necessary to address security vulnerabilities.
The bottom line: Any IoT device purchased with federal government funds must meet new, minimum security standards—and the deadlines are just a few months away.
While aimed at government agencies—and the vendors and service providers they work with—critical infrastructure companies across all sectors would be wise to take their cues from the new law to enhance and formalize their IoT security best practices.
IoT devices are becoming essential to operational technology (OT) environments. In fact, Gartner’s Market Guide for Operational Technology Security included a survey showing that “a staggering 93% of respondents stated that the adoption of the Internet of Things (IoT) is likely to augment or replace at least some of their heritage OT monitoring and control systems in their organizations during the next 12 months.” Critical infrastructure companies need solutions that can identify and track threats from IoT devices that cross IT and OT boundaries.
Meeting IoT Cybersecurity Improvement Act Guidelines with the CrowdStrike-Claroty Joint Solution
Claroty’s new joint solution with CrowdStrike, a leader in cloud-delivered endpoint protection, meets this challenge. The solution brings together The Claroty Platform’s OT-asset discovery and threat-detection capabilities with CrowdStrike Falcon’s leading endpoint telemetry. This includes telemetry from any endpoint device that connects to the IT network from outside an organization’s firewall—IoT devices, along with laptops, tablets, mobile devices, point-of-sale (POS) systems, switches, digital printers, and others. When used in combination, the solutions deliver full-spectrum IT/OT/IoT visibility and detection capabilities for threats that cross the IT/OT boundary.
The CrowdStrike-Claroty Joint Solution helps organizations solve a core challenge the act is designed to address—proactive risk management. Proactively managing risk requires being able to examine and address risk from different yet complementary perspectives to bring context to the overall security of an OT environment. Critical to accomplishing that is having a clear understanding of an organization’s asset risk posture and network traffic.
Understanding asset risk posture begins with visibility into industrial control system (ICS) networks and endpoints, and centralizing IT, OT, and IoT asset information without the need for added connectivity. This way, human-machine interfaces (HMIs), historians, and engineering workstations (EWs) can be enriched with information about IT threats and vulnerabilities, improving the security of these assets without affecting productivity or causing downtime.
Contextual security information related to network traffic is also key to identifying and tracking threats that cross the IT/OT boundary. Many attacks that impact OT environments begin on the IT network; defenders therefore require threat signatures for ICS devices and OT networks in addition to those built for IT systems. The CrowdStrike-Claroty Joint Solution secures the converged IT/IoT/OT enterprise and accelerates detection and response without the need for signature reconfiguration or manual updates.
Given that IoT devices are quickly becoming a hallmark of modern OT environments and an accelerator of competitive advantage, let’s take this opportunity to learn from the act’s guidelines and get ahead of the risk that IoT devices can introduce to the OT environment.