The “Internet of Things” (IoT) is a term that has been used almost as frequently as the term “cyber.” IoT has now made it to the U.S. Congress, which recently approved the IoT Cybersecurity Improvement Act. This is even more relevant in our current COVID environment, with more people working remotely than ever before.
The Act charges the National Institute of Standards and Technology (NIST) to issue guidelines to manufacturers regarding the standards needed for IoT devices. This includes standards for the development, patching, and configuration of IoT devices. Additionally, the Act also requires government entities to only purchase IoT devices that meet the above NIST standards.
If you are a manufacturer, the guidelines generally suggest capabilities that you will have to meet to improve the security of the IoT devices. The NIST recently published the NISTIR 8259, which established activities to help manufacturers consider their customer’s cybersecurity needs, and 8259A to help establish core baseline capabilities for devices.
1) Identify expected customers and users, and define expected use cases
2) Research customer cybersecurity needs and goals
3) Determine how to address customer needs and goals
4) Plan for adequate support of customer needs and goals
5) Define approaches for communicating with customers
6) Decide what to communicate to customers and how to communicate it
1) Device Identification (the device has a unique identifier)
2) Device Configuration (software can be changed)
3) Data Protection (device can protect against unauthorized access)
4) Logical Access to Interfaces (access is restricted)
5) Software Update (software can updated by authorized entities)
6) Cybersecurity State Awareness (device can report on its state)
If you're not a manufacturer but a company that relies upon IoT devices, the Act will not impact you for a while.
Although following the above recommendations will certainly help limit your exposure to a cyber incident, they can still happen, and that is where having the right cyber insurance policy is important. Unlike others in the industry, Coalition’s policy covers IoT devices. This means if there is an incident (e.g. ransomware) that originates from one of these devices, our policy will likely cover it and cover you.
Don’t forget, if you are a policyholder, you can always speak with our security team to get specific recommendations for all of your devices.