The IoT Cybersecurity Improvement Act

The IoT Cybersecurity Improvement Act requires the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) take specified steps to increase cybersecurity for Internet of Things (IoT) devices. In practice, this is essentially a mandate that NIST guidance needs to be followed for IoT devices that will relate to government activity. NIST guidance covers a number of best practices that SecEdge advocates for IoT device security, including:

  • A hardware root of trust (a unique identifier that cannot be changed)
  • A robust device secure boot process that protects all data and software related to the device
  • A mechanism to provide secure device firmware updates, either locally or over-the-air
  • A process that enables the device to recover if it fails in the field
  • Methods for key and certificate management
  • Protection of intellectual property (for example, device software or artificial intelligence / machine learning models)

Prior to this law, our customers frequently asked us for references or standards to follow regarding these types of practices. Now that the first such set of practices is recommended, we expect to see the requirements make their way into the procurement process for government-related industrial communications systems (for example, the defense market). It is expected to be fundamental way to reduce risk and liability in IoT projects.

As such, the first entities to follow the new mandate will be product and integration companies that do business with the government. It is also expected that these companies will extend the practice and refer to NIST guidelines for solutions in other markets as well, including industrial automation, energy, medical devices, building automation, and video surveillance. One market where this may not see adoption as quickly is the consumer market, where hard government contract requirements may not exist—but it remains a good reference for vendors looking to provide secure solutions from the device to the cloud.

At SecEdge, we provide a software solution that addresses these requirements, to demystify what it means to have a secure IoT solution.  We expect to see acceleration of the adoption of secure device concepts as the law goes into effect.

About the Author

Philip Attfield, Chief Technology Officer

Philip Attfield

Philip Attfield is the CTO of SecEdge Inc. He brings a strong background in computing, networking, security and systems modeling. He has more than 20 years of industry experience in large enterprises and small entrepreneurial firms. Starting his career at Nortel, Phil was a member of its scientific staff and developed software tools and in-house products for modeling, synthesis and verification of telecom and network equipment hardware.