Earlier this month, a bipartisan group in the U.S. Senate announced plans to introduce legislation that addresses security vulnerabilities in IoT devices used by the federal government. The measure includes four prerequisites for any IoT device used in the public sector:
- Devices must be patchable
- Devices must meet industry security best practices
- Devices must have changeable passwords, and must not be deployed with default passwords
- Devices must not have any known security vulnerabilities
One of the sponsors of the proposed legislation, Sen. Mark Warner, told Reuters that these relatively obvious mandates point to a broader concern: Many providers fail to meet the basics. From the article:
“’We’re trying to take the lightest touch possible,’ Warner told Reuters in an interview. He added that the legislation was intended to remedy an ‘obvious market failure’ that has left device manufacturers with little incentive to build with security in mind.”
Whether or not the bill passes is up for debate, but the introduction of the legislation suggests – if not confirms – that security concerns have risen to the highest level of visibility. With IoT moving from novelty to a nearly non-negotiable aspect of business in almost every industry, security is becoming top of mind for an increasing number of businesses.
It wasn’t too long ago that questions about IoT security began and ended with, “Do you use encryption?” If the answer was yes, a select few would follow up with, “What kind?” And it was on to the next topic. That’s no longer the case. Because of high profile security breaches, organizations are increasingly security-savvy and demand more information about how their most critical information is being secured. And rightly so.
When working with an IoT provider, here are critical questions you should be asking:
- Are default user names and credentials changeable? They have to be. There’s just no way around it (and clearly, the sponsors of the aforementioned bill agree).
- How easy is it to disable services and functionality we don’t need? You never want more potential openings for hackers to exploit, and leaving unused functionalities open offers access. It’s like leaving a door you never use or pay attention to unlocked.
For full story, Please click here.