Two laws ensure IoT devices have reasonable security protections
- SB-327 and AB-1906 require developers of IoT devices to integrate security measures early in the design phase
- The legislation will have a national impact since setting up a California-only supply chain and customer support operation would be cost prohibitive for most IoT technology vendors
- Lawmakers in Congress are currently considering the Internet of Things Cybersecurity Improvement Act
California is leading the way in creating baseline cybersecurity standards for the country.
The laws, known as SB-327 and AB-1906, require developers of IoT devices to integrate security measures early in the design phase, California Assemblywoman Jacqui Irwin told Icons of Infrastructure. Irwin is the author of AB-1906.
The laws apply to all devices that connect directly or indirectly to the internet, and have an IP or Bluetooth address. Both also direct manufacturers to provide reasonable security features to connected devices, and require connected devices to come with unique passwords that users can change.
Irwin said that vulnerable IoT devices can be taken over to launch DDoS attacks such as the Mirai attack, which brought down several prominent websites in 2016. Moreover, the lack of basic security measures on IoT devices can compromise consumer privacy.
Some of the safeguards in SB-327 and AB-1906 are applicable to major infrastructure projects, according to Don Dingee, managing partner at Texas-based marketing and data analytics firm STRATISET.
“Industrial and government IoT applications often use non-IP and non-Bluetooth protocols at the edge, and such sensors and devices would fall out of scope,” he said. “Unique admin passwords and authentication PINs are always prudent measures.”
Irwin noted that it is likely that the California legislation will serve as a model for IoT regulations throughout the country. She added that she has, in her capacity as the co-chair of the National Conference of State Legislatures’ (NCSL) Cybersecurity Task Force, discussed the legislation with other task force members, and that many have expressed an interest in running similar bills in their states.
Dingee said that the legislation will have a national impact since setting up a California-only supply chain and customer support operation would be cost prohibitive for most IoT technology vendors.
“IoT device designers and implementers see California as an early adopter both in driverless technology and as a state that is going to spend money on its smart grid infrastructure,” he said. “When you are designing your product, why not make it to fit California’s requirements, knowing that your product is going to basically fit the requirements in any other state?”
Jonathan Fairtlough, managing director of the cyber risk practice at Kroll, noted that the state’s massive technology presence gives it instant regulatory legitimacy.
“The size of the California market, the advanced nature of California regulations, the state’s focus on smart grid test technologies—those are all key factors,” he said. “I think the market will make this law, which although it’s really enforceable only in California as structured for infrastructure entities, it will really become the de facto standard.”
Lisa Ann Rapp, Director of Public Works for the city of Lakewood, Calif., said that while the legislation will eventually help to make the nation’s connected infrastructure safer in the long run, it will take a while for the improvements to work their way into the infrastructure.
“Additional legislation may be needed because equipment is manufactured all over the U.S. and the world, and this legislation looks only able to affect equipment manufactured in California,” Rapp said. She also serves on the American Public Works Association’s Board of Directors. Her position is Director-At-Large, Environment Management.
Lawmakers in Congress are currently considering the Internet of Things Cybersecurity Improvement Act. The bill, which was introduced by Sens. Mark R. Warner (D-Virginia) and Cory Gardner (R-Colorado), would require any firms that do business with the federal government to ensure that their connected devices are able to be patched, come with passwords that can be changed, and are otherwise free of known security gaps and vulnerabilities.
Warner’s Press Secretary Nelly Decker said that the current draft does not reach agency-awarded grants for local government infrastructure projects, but that legislation covering those projects must be considered.
“Sen. Warner is working in parallel with large federal agencies to see if they would adopt some of these regulations on their own,” she added.