Introduction. On Nov. 18, 2020, the Senate passed the IoT Cybersecurity Improvement Act of 2020 (previously passed by the House of Representatives on Sept. 14, 2020). As of this article’s writing, the bill was being sent to President Trump to be signed into law. The IoT Cybersecurity Improvement Act of 2020 (Act) is significant as it is the first law to address IoT.
Internet of Things Defined. Some of you may be wondering what IoT is. IoT refers to a system of interrelated, internet-connected objects that can collect and transfer data over a wireless network without human intervention. The objects are those that are used in our everyday life, both at home and the workplace.
Impact on Financial Institutions. The increasing use of the internet has created a computerized, networked and interconnected world. Billions of devices are used in IoT in every major industry, including financial institutions (e.g., smartphones, laptops, tablets, etc.). What areas does IoT impact? Pretty much everywhere in the operations of a financial institution: loans, collateral, borrowers, mortgage loans, online payments, loan documents, loan details, vehicle loans, impairments, depreciation, etc. IoT has already been used to personalize customer service, improve decision making with the additional information it provides (e.g., credit risk assessment), gather data in real time (so services can be provided more timely), monitor customers’ online activities, support mobile payments and many others.
So what is the issue? The large number of devices using IoT (billions) are also attack points for security threats. While there have been numerous security guidelines and best practices related to combating cyber events, the security of IoT applications is the responsibility of the developers of those applications. While some developers are doing a good job building secure products, the pending new law will discourage others from taking shortcuts. Financial institutions are not the only industry with security issues to address as it relates to the use of IoT. For example, the health care industry uses IoT in insulin pumps, defibrillators, etc. The automobile industry utilizes IoT in its vehicles. Security issues in any industry could have devastating consequences, including data theft, privacy invasions, DDoS attacks, changing the amount of insulin pumped, etc. As in other areas, security needs to be a top priority when utilizing IoT.
IoT Cybersecurity Improvement Act of 2020. The Act establishes minimum security standards for IoT devices owned or controlled by the federal government, and for other purposes. Many see the Act as the first step in securing the billions of devices that will join the internet over the next few years and the billions of devices already connected to the internet. Once signed into law, government agencies will be required to obtain only devices that meet minimum information security requirements. The Act indicates the requirements are to be set by the National Institute of Standards and Technology (NIST). NIST already published the IoT Device Cybersecurity Capability Core Baseline (NISTIR 8259A) in May 2020. NIST also published NISTIR 8259, titled Foundational Cybersecurity Activities for IoT Device Manufacturers. In this article, we are focusing on NISTIR 8259A.
The objective of NISTIR 8259A was to provide all organizations a starting point for IoT device cybersecurity risk management. NISTIR 8259A lists the baseline “capabilities” that IoT devices should support. NISTIR 8259A refers to the baseline as “The Device Cybersecurity Capability Core Baseline for Securable IoT Devices,” which includes six capabilities:
- Device Identification — The IoT device can be uniquely identified logically and physically.
- Device Configuration — The configuration of the IoT device’s software can be changed, and such changes can be performed by authorized entities only.
- Data Protection — The IoT device can protect the data it stores and transmits from unauthorized access and modification.
- Logical Access to Interfaces — The IoT device can restrict logical access to its local and network interfaces, and the protocols and services used by those interfaces, to authorized entities only.
- Software Update — The IoT device’s software can be updated by authorized entities only using a secure and configurable mechanism.
- Cybersecurity State Awareness — The IoT device can report on its cybersecurity state and make that information accessible to authorized entities only.
For each capability, NISTIR 8259A lists Common Elements and a Rationale. For example, the Device Configuration capability includes the following Common Elements:
- The ability to change the device’s software configuration settings.
- The ability to restrict configuration changes to authorized entities only.
- The ability for authorized entities to restore the device to a secure configuration defined by an authorized entity.
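To make the three Device Configuration common elements concrete, the following is an added example written for this article; it is not code from NISTIR 8259A, from the Act, or from any device vendor. It models a hypothetical device configuration store with an assumed role name (config_admin), a constructed sample baseline for an imaginary network sensor, and an audit log, and shows that settings can be changed, that an unauthorized entity is refused, and that an authorized entity can restore the secure baseline.

```python
import copy
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Principal:
    """An entity attempting to act on the device (hypothetical model)."""
    name: str
    roles: FrozenSet[str]


class DeviceConfig:
    """Minimal configuration store for an IoT device (assumed design, not taken
    from NISTIR 8259A). It realizes the three Device Configuration common
    elements: settings can be changed, only by authorized entities, and an
    authorized entity can restore a secure baseline."""

    # Assumed role an entity must hold to change or restore configuration.
    CONFIG_ROLE = "config_admin"

    def __init__(self, secure_baseline: Dict[str, Any]) -> None:
        # Baseline defined by an authorized entity at provisioning time; kept
        # as a private deep copy so later changes cannot alter it.
        self._baseline = copy.deepcopy(secure_baseline)
        self._settings = copy.deepcopy(secure_baseline)
        # Append-only record of every attempt, allowed or denied.
        self.audit_log: List[Tuple[str, str, str]] = []

    def get(self, key: str) -> Any:
        return self._settings[key]

    def snapshot(self) -> Dict[str, Any]:
        return copy.deepcopy(self._settings)

    def _authorize(self, principal: Principal, action: str) -> None:
        if self.CONFIG_ROLE not in principal.roles:
            self.audit_log.append(("DENY", principal.name, action))
            raise PermissionError(f"{principal.name} may not {action}")
        self.audit_log.append(("ALLOW", principal.name, action))

    def set(self, principal: Principal, key: str, value: Any) -> None:
        """Elements 1 and 2: change a setting, but only if authorized."""
        if key not in self._baseline:
            raise KeyError(f"unknown setting {key!r}")
        self._authorize(principal, f"set {key}")
        self._settings[key] = value

    def restore_baseline(self, principal: Principal) -> Dict[str, Any]:
        """Element 3: return the device to the secure configuration."""
        self._authorize(principal, "restore baseline")
        self._settings = copy.deepcopy(self._baseline)
        return self.snapshot()


def demo() -> Dict[str, Any]:
    """Walk through the three common elements and return what happened."""
    # Constructed sample baseline for a hypothetical network sensor.
    baseline = {"telnet_enabled": False, "log_server": "10.0.0.5", "log_level": "info"}
    cfg = DeviceConfig(baseline)
    admin = Principal("fleet-admin", frozenset({"config_admin"}))
    viewer = Principal("branch-user", frozenset({"viewer"}))

    result: Dict[str, Any] = {}
    cfg.set(admin, "log_level", "debug")          # authorized change succeeds
    result["after_admin_change"] = cfg.snapshot()

    try:
        cfg.set(viewer, "telnet_enabled", True)   # unauthorized change is refused
        result["viewer_denied"] = False
    except PermissionError:
        result["viewer_denied"] = True
    result["telnet_still_off"] = cfg.get("telnet_enabled") is False

    result["after_restore"] = cfg.restore_baseline(admin)
    result["audit_log"] = list(cfg.audit_log)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The audit log is what makes the capability assessable by a vendor reviewer: each denied attempt is recorded alongside the allowed ones, so a financial institution can ask a vendor not only whether changes are restricted, but whether refused changes are visible.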
Vendor Assessment. How does the Act impact financial institutions? The risks introduced with IoT should be considered when the financial institution identifies its critical vendors. Once the Act becomes law, IoT device manufacturers will have a baseline to build upon as it relates to cybersecurity. Financial institutions will likewise have a baseline to consider and incorporate in their vendor assessment process.
Conclusion. The increased use of IoT presents many opportunities for a financial institution to serve its customers. The opportunities include a seamless process for making payments and transfers, the ability to proactively assess risks while considering new loans, numerous benefits in the financial institution’s operations area and many more. However, IoT also presents many risks that should be considered and assessed. One aspect of IoT is that, because IoT devices are often effectively invisible, there is a tendency to forget about them during the risk assessment process. Financial institutions should consider incorporating the detail of NISTIR 8259A and other security guidelines, where possible, in their vendor assessment process.
Chris Joseph is a Partner of Arnett Carbis Toothman LLP, located in the Charleston, West Virginia office. A Certified Public Accountant, Certified Information Systems Auditor, Certified in Risk and Information Systems Control and Certified Information Technology Professional, Mr. Joseph has over 35 years of experience in information technology audit and security services in the financial institutions industry.
Mr. Joseph can be contacted at 800-642-3601 or through email: firstname.lastname@example.org.