Author Topic: New US Govt IoT Device Standards  (Read 755 times)


Offline LabSpokane

  • Super Contributor
  • ***
  • Posts: 1880
  • Country: us
New US Govt IoT Device Standards
« on: August 08, 2017, 02:05:49 AM »
http://www.electronicdesign.com/embedded-revolution/new-bill-targets-common-sense-security-internet-things?NL=ED-001&Issue=ED-001_20170807_ED-001_993&sfvc4enews=42&cl=article_1_b&utm_rid=CPG05000003817148&utm_campaign=12347&utm_medium=email&elq2=7913ea34450f45a290d45c1b7a43ece8

Looks like anyone who is selling an internet-connected device to the US Government will have additional certifications to address. I don't see anything terribly objectionable, but for small businesses, there are going to be some additional costs for validation and certification that may affect your margin/sale price.

Full text of bill is here: https://www.scribd.com/document/355269230/Internet-of-Things-Cybersecurity-Improvement-Act-of-2017
« Last Edit: August 08, 2017, 02:19:54 AM by LabSpokane »
 

Offline ngjohnson

  • Contributor
  • Posts: 6
  • Country: us
Re: New US Govt IoT Device Standards
« Reply #1 on: August 08, 2017, 04:03:09 AM »
Hello LabSpokane,

I have been working with IoT hardware and software for a few years now. I interned at Particle.io as they were just getting VC funding and growing into version 2 and the Electron. From that experience alone I can tell you that you really don't want to make internet-connected devices that don't have a high level of security, especially if you are a small business. I have just finished a 6 month grant project for IoT road side units funded by the NSF only to realize that security took a majority of our time. We created our own communication protocol and added security into the hardware and software at every point. Someone getting access to our data at any point would compromise the company's IP.

I'm personally really happy that companies will be expected to hold to a high level of standard for security, as many of these devices are already controlling safety critical applications.

Best,
Nicholas
 

Offline DaJMasta

  • Frequent Contributor
  • **
  • Posts: 461
  • Country: us
    • medpants.com
Re: New US Govt IoT Device Standards
« Reply #2 on: August 08, 2017, 04:21:47 AM »
That matters a lot more to companies that also provide the same kind of server infrastructure and service that Particle does. A startup with just a Wi-Fi enabled microcontroller module and a little software doesn't necessarily have their hands on any of the data being used, so maybe a hack of their products wouldn't have such an impact on their bottom line.

That said, this only applies to government purchasing - so a startup can still sell any shoddily coded security they want, but US government agencies can't buy or use their products. I wouldn't really mind some blanket mandate for basic security measures on anything that connects to the net, just for preventing IoT devices from being easy botnet targets or widespread information gathering or whatnot by a third-party hacker, but I doubt US lawmakers would push for something like that... if they are even tech savvy enough to realize that it's a potentially serious problem.

Offline LabSpokane

  • Super Contributor
  • ***
  • Posts: 1880
  • Country: us
Re: New US Govt IoT Device Standards
« Reply #3 on: August 08, 2017, 04:57:34 AM »
Quote
Hello LabSpokane,

I have been working with IoT hardware and software for a few years now. I interned at Particle.io as they were just getting VC funding and growing into version 2 and the Electron. From that experience alone I can tell you that you really don't want to make internet-connected devices that don't have a high level of security, especially if you are a small business. I have just finished a 6 month grant project for IoT road side units funded by the NSF only to realize that security took a majority of our time. We created our own communication protocol and added security into the hardware and software at every point. Someone getting access to our data at any point would compromise the company's IP.

I'm personally really happy that companies will be expected to hold to a high level of standard for security, as many of these devices are already controlling safety critical applications.

Best,
Nicholas

Hi Nicholas,

I completely agree. And that's one major reason I "outsource" my security and firmware updates with devices such as the Electron.  :-+
 

Offline LabSpokane

  • Super Contributor
  • ***
  • Posts: 1880
  • Country: us
Re: New US Govt IoT Device Standards
« Reply #4 on: August 08, 2017, 05:03:42 AM »
Quote
That matters a lot more to companies that also provide the same kind of server infrastructure and service that Particle does. A startup with just a Wi-Fi enabled microcontroller module and a little software doesn't necessarily have their hands on any of the data being used, so maybe a hack of their products wouldn't have such an impact on their bottom line.

That said, this only applies to government purchasing - so a startup can still sell any shoddily coded security they want, but US government agencies can't buy or use their products. I wouldn't really mind some blanket mandate for basic security measures on anything that connects to the net, just for preventing IoT devices from being easy botnet targets or widespread information gathering or whatnot by a third-party hacker, but I doubt US lawmakers would push for something like that... if they are even tech savvy enough to realize that it's a potentially serious problem.

This will actually trickle down to virtually all electronics. Nobody will want their devices to be removed from the GSA schedule.

Honestly, given what I know about certain government suppliers' absolutely shoddy security practices, or rather, complete lack thereof, this is pretty welcome legislation in the form of creating a minimum standard. It will definitely make some engineers' lives easier in not having to fight management over doing the basics. It will now be law.
 

Offline floobydust

  • Frequent Contributor
  • **
  • Posts: 469
  • Country: ca
Re: New US Govt IoT Device Standards
« Reply #5 on: August 08, 2017, 05:15:52 AM »
I thought this was driven by Chinese telecom ICs (routers, Wi-Fi, Ethernet, cell phones) which have backdoors for the Chinese government and hackers to exploit.

The US is pissed off at Huawei for this; they got on the blacklist and were banned from selling to the US, UK and Australian governments.
I'm not sure what the NSA found.
 

Offline ChristopherN

  • Supporter
  • ****
  • Posts: 57
  • Country: de
    • app22 UG (haftungsbeschränkt)
Re: New US Govt IoT Device Standards
« Reply #6 on: August 08, 2017, 04:36:30 PM »
I think this is a step in the right direction. I design and manage IoT / Smart Energy systems and consult on that topic.

It's horrible to see what's out there and how many vendors act. Security updates take a long time, and if they arrive, the updates are often bug-infested. Some vendors don't provide updates at all. Many vendors lack basic networking and (embedded / IT) security knowledge, the solutions are insecure by design and there is no possibility to fix that in the field.

This is especially true for IoT / Industrial / Energy Gateways that aggregate data and control stuff like valves in the field. Real harm can be inflicted using those devices and they are hard to secure if you have 100k+ devices installed on remote equipment.

Legislation is slowly pushing in the right direction by raising the minimal acceptable security level on those products and services.
 

Offline b_force

  • Frequent Contributor
  • **
  • Posts: 443
  • Country: nl
    • One World Concepts
Re: New US Govt IoT Device Standards
« Reply #7 on: August 08, 2017, 09:06:37 PM »
Quote
I thought this was driven by Chinese telecom ICs (routers, Wi-Fi, Ethernet, cell phones) which have backdoors for the Chinese government and hackers to exploit.
Isn't that EXTREMELY ironic?

New US standards of IoT: backdoors for NSA  :--
 

Offline Jeroen3

  • Super Contributor
  • ***
  • Posts: 2305
  • Country: nl
  • Embedded Engineer
    • jeroen3.nl
Re: New US Govt IoT Device Standards
« Reply #8 on: August 08, 2017, 09:19:31 PM »
I bought a Mikrotik router due to lack of firmware updates from, well, all consumer grade router vendors.
If you get 3 updates over 5 years you should call yourself lucky.

There should be a norm or regulation quickly to prevent the companies from selling cheap bad IoT.
 

Offline David Hess

  • Super Contributor
  • ***
  • Posts: 4837
  • Country: us
  • DavidH
Re: New US Govt IoT Device Standards
« Reply #9 on: August 09, 2017, 03:14:05 AM »
Quote
I bought a Mikrotik router due to lack of firmware updates from, well, all consumer grade router vendors.
If you get 3 updates over 5 years you should call yourself lucky.

My ancient Celeron 300A workstation operating as a BSD router has outlasted 4 modems and at least 4 routers.

Quote
There should be a norm or regulation quickly to prevent the companies from selling cheap bad IoT.

See if you can describe it.  No matter what they pass it will be poorly thought out, make things worse, and include plenty of rent seeking.
 

Offline Jeroen3

  • Super Contributor
  • ***
  • Posts: 2305
  • Country: nl
  • Embedded Engineer
    • jeroen3.nl
Re: New US Govt IoT Device Standards
« Reply #10 on: August 09, 2017, 03:29:01 PM »
At least Apple is on the right track by mandating encryption for HomeKit.
 

Offline floobydust

  • Frequent Contributor
  • **
  • Posts: 469
  • Country: ca
Re: New US Govt IoT Device Standards
« Reply #11 on: August 09, 2017, 03:41:42 PM »
"Under the terms of the bill, vendors who supply the U.S. government with IoT devices would have to ensure that their devices are patchable, do not include hard-coded passwords that can't be changed, and are free of known security vulnerabilities, among other basic requirements," explained a statement from Senator Warner's office announcing the act.

This doesn't help the IoT standards war at all.
 

Offline jbb

  • Regular Contributor
  • *
  • Posts: 148
  • Country: nz
Re: New US Govt IoT Device Standards
« Reply #12 on: August 09, 2017, 05:38:28 PM »
Quote
This doesn't help the IoT standards war at all.

I guess it's not meant to. My personal guess is that a lot of IoT providers actually want to be ongoing service providers and charge you rent. If open, interoperable protocols are deployed you could then buy the good hardware from company A and the good service from company B. Or you could buy the cheap and nasty hardware from company C and annoy the hell out of company B with service requests.

Quote
New US standards of IoT: backdoors for NSA  :--

Given that a whole heap of IoT has sweet f*** all security (FYI, Linux is only 'more secure than Windows' if people configure it right), I think it will actually make it a little harder for three letter agencies to break in. However, I haven't read the draft and US laws are infamous for containing weird and wonderful extra stuff beyond what the title might suggest.

Maybe I'm being charitable, but I think the reason for a lot of products out there lacking security isn't malice or stupidity but time pressure. If your boss is getting hell from upper management, they will say "just make it work, we need to ship it." As long as no one checks for security issues - which the upper management possibly thinks is a waste of time - the 'working' product will go out the door. Hard-coded admin passwords and all.
 

Online blueskull

  • Supporter
  • ****
  • Posts: 7005
  • Country: cn
  • Power Electronics PhD Candidate
Re: New US Govt IoT Device Standards
« Reply #13 on: August 09, 2017, 05:49:48 PM »
Quote
The US is pissed off at Huawei for this; they got on the blacklist and were banned from selling to the US, UK and Australian governments.
I'm not sure what the NSA found.

Huawei was started to bypass western backdoors in the 80s.

The official story from the Chinese government is that in the 80s, we purchased a bunch of Cisco gear. Someone screwed up the configuration, and couldn't restore them.
Cisco, remotely controlled from the US, fixed the problem, which revealed they had higher privilege to access the devices.
This is the origin of 4 Chinese telecom companies: Julong (telecom algorithms), Datang (telecom algorithms), ZTE (infrastructure and terminals) and Huawei (infrastructure, telecom algorithms, patent broker, terminals and ASICs).

Both started as private companies with government funding, just like SBIR and STTR in the US. The other 3 are still not generating tons of revenue while Huawei made its way to one of the richest telecom companies in the world due to higher internal management efficiency and a wider market (they sell infrastructure gear at almost BOM cost to compete and hit Cisco and Nokia hard, while making up the loss of revenue by selling overpriced terminal devices).
SIGSEGV is inevitable if you try to talk more than you know. If I say gibberish, keep in mind that my license plate is SIGSEGV.
 

Offline cdev

  • Super Contributor
  • ***
  • Posts: 1371
  • Country: us
Re: New US Govt IoT Device Standards
« Reply #14 on: August 11, 2017, 09:16:00 AM »
Multinational companies are required to give any and all WTO member countries equal backdoors by the WTO Telecommunications Agreement!

Source: Edward Snowden mentioned it in a talk and I am pretty sure he is right.

If North Korea was to join the WTO they would get equal rights to the backdoors in their equipment. (If they learned about them.)

So some of all this may be a "really big shoo". 

Made for TV.
« Last Edit: August 11, 2017, 09:53:54 AM by cdev »
 

Offline System Error Message

  • Frequent Contributor
  • **
  • Posts: 469
  • Country: gb
Re: New US Govt IoT Device Standards
« Reply #15 on: August 11, 2017, 10:58:18 AM »
How would the government enforce it? There are already many vulnerable IoT devices out there.

There are many IP cams that are part of a botnet. Many IoT devices are compromised already but with few knowing. It gets even worse because this applies to cars too. There just isn't a standard out there yet on designing IoT. It's a free-for-all and companies are sucking at it as far as standards go but do well at making money from it.
 

Online blueskull

  • Supporter
  • ****
  • Posts: 7005
  • Country: cn
  • Power Electronics PhD Candidate
Re: New US Govt IoT Device Standards
« Reply #16 on: August 11, 2017, 11:01:15 AM »
Quote
How would the government enforce it? There are already many vulnerable IoT devices out there.

There are many IP cams that are part of a botnet. Many IoT devices are compromised already but with few knowing. It gets even worse because this applies to cars too. There just isn't a standard out there yet on designing IoT. It's a free-for-all and companies are sucking at it as far as standards go but do well at making money from it.

While they can't request all equipment to be replaced immediately, they can request all new gear to be certified in order to be qualified for government purchasing. Meanwhile, they can slowly phase out non-compliant gear.
SIGSEGV is inevitable if you try to talk more than you know. If I say gibberish, keep in mind that my license plate is SIGSEGV.
 

Offline System Error Message

  • Frequent Contributor
  • **
  • Posts: 469
  • Country: gb
Re: New US Govt IoT Device Standards
« Reply #17 on: August 11, 2017, 11:10:06 AM »
Quote
While they can't request all equipment to be replaced immediately, they can request all new gear to be certified in order to be qualified for government purchasing. Meanwhile, they can slowly phase out non-compliant gear.

So this doesn't apply to IoT devices sold for non-government use, like the public?
 

Offline LabSpokane

  • Super Contributor
  • ***
  • Posts: 1880
  • Country: us
Re: New US Govt IoT Device Standards
« Reply #18 on: August 11, 2017, 11:10:50 AM »
There is *nothing* in this standard with respect to government-mandated "back doors." This legislation only applies to a few practices that fall under necessary and proper, although some could be nebulous and initially costly for small businesses to implement.
 

Offline LabSpokane

  • Super Contributor
  • ***
  • Posts: 1880
  • Country: us
Re: New US Govt IoT Device Standards
« Reply #19 on: August 11, 2017, 11:12:38 AM »
Quote
While they can't request all equipment to be replaced immediately, they can request all new gear to be certified in order to be qualified for government purchasing. Meanwhile, they can slowly phase out non-compliant gear.
So this doesn't apply to IoT devices sold for non-government use, like the public?

Correct, but expect the requirement to trickle down due to the nature of how companies list their items for sale to the US Government.
 

