Skip to main content

IoT Security – what does reasonable security look like?

January 1, 2020 marks the official and unequivocal entry into the era of connected device cybersecurity regulation. The states of California (Senate Bill No. 327) and Oregon (House Bill No. 2395) have passed laws that oblige connected device manufacturers to secure any device or physical object which is able to connect to the internet directly or indirectly with “reasonable security features.” While California and Oregon are the first to legislate, others states around the country are not far behind, with Illinois, Massachusetts, Maryland, New York and Vermont considering similar laws.  

The future of  Internet of Things (IoT) security regulation is still unknown. But California and Oregon have certainly set new expectations by making manufacturers responsible for securing their connected devices from unauthorized access, destruction, use, modification or disclosure. These laws further specify that security features should be appropriate for the nature and function of the connected device and the type of information it may collect, store or transmit.  

Additionally, for a specific subset of connected devices, California and Oregon have stipulated that manufacturers include “reasonable security features.”   That is, for devices that can connect and have a means of authentication outside of a local area network, the laws call for inclusion of at least the following attributes: 

  • a pre-programmed password unique for each connected device, or; 
  • requiring a user to generate a new means of authentication before granting access to the connected device for the first time. 

California and Oregon have both taken similar approaches to IoT cybersecurity regulation, however their two laws do have some differences.  Notably, California has limited the scope of the law to only those connected devices that are assigned an Internet Protocol or Bluetooth address while Oregon utilizes a broader definition.  According to the Oregon law, a connected device is any device that has an Internet Protocol or “another” address, leaving the definition open for other types of connectivity, and focuses on the use case, specifically for personal, family and household purposes.  

Unfortunately the direction set forth in both laws falls short of effectively communicating to manufacturers what exactly is required in order to meet the threshold of reasonable security features. The language used is ambiguous and lacking in practical guidance, making it difficult for manufacturers to determine what reasonable security features are. 

Implementing only authentication and password features is insufficient to meet the security objectives outlined in both laws. Devices can be exposed to significant risks and threats if for example their communications security does not conform to industry standard protocols or if the software used in the device is not checked and tested for previously disclosed vulnerabilities. All of this could lead to unauthorized access, disclosure, destruction or modification of a device or the data it contains. 

Despite the vagueness and ambiguity of the bills, they are indicative of the evolving trends in securing connected devices which cannot be ignored and will impact manufacturers across the globe. In order to best understand what are considered reasonable security features it is imperative to look at emerging industry consensus, for example as reflected in the NIST Core Baseline, which is driving a common understanding of “reasonable security” at baseline level. 

UL introduces the IoT Security Rating as a solution for manufacturers and buyers of connected devices. The UL IoT Security Rating assesses and verifies security features of a device, in line with and mapped to emerging industry consensus as covered in various security best practices and frameworks. These best practices would include: 

  • Having a vulnerability management process in place 
  • Performing regular security testing 
  • Secure and authenticated software updates 
  • Using industry-accepted cryptography and key management 
  • Using industry-accepted protocol security 
  • Involving a third-party to test and communicate devices’ security features

UL’s IoT Security Rating addresses security due diligence and offers manufacturers a means to differentiate their products based on security through a UL Verified Mark security label. In addition, the IoT Security Rating supports manufacturers by helping to demonstrate meeting the threshold of reasonable security features such as required in California, Oregon and other forthcoming regulations. 

Stay tuned for our next blog post which will cover how the IoT Security Rating maps to industry security best practices and frameworks globally. 

Want to learn more about UL’s IoT Security Rating? Speak with an expert today!