A reporter asked me last week if the IoT Cybersecurity Improvement Act of 2020, which was signed by President Trump on December 4, would impact the electric power industry – and if so, what I thought of it. I’m quite glad that he reached out to me on this. I hadn’t paid much attention to the bill as it wended its way through both houses of Congress and various committees. To be honest, there have been so many cybersecurity bills that have gone nowhere that I’ve been reluctant to devote much time to following any of them.
However, when I read the text, I was very impressed with the Act. Moreover, I think it could end up solving some big problems for the power industry. Here’s my take on it:
Strictly speaking, it doesn’t apply to the power industry, or any industry except the federal government itself. That is, it applies to IoT devices purchased by the Feds. However, there’s no doubt that the bill is aimed at all IoT devices, no matter by whom they’re purchased. And that isn’t overreach: IoT device manufacturers aren’t going to build two versions of every device, one compliant with the federal guidelines, and one not. They’ll build one version, compliant with the guidelines.
Specifically, what devices are covered? Here are the criteria (2/1/21: Note that these are much shorter than the ones that were in the draft version I had when I originally wrote this post). The Act (now Law) covers devices that

(A) have at least one transducer (sensor or actuator) for interacting directly with the physical world, have at least one network interface, and are not conventional Information Technology devices, such as smartphones and laptops, for which the identification and implementation of cybersecurity features is already well understood; and

(B) can function on their own and are not only able to function when acting as a component of another device, such as a processor.
The Act is of course really aimed at the suppliers of IoT devices, not the federal agencies themselves. But for those suppliers to be directly regulated, it would likely require separate legislation. So the Act follows much the same course as CIP-013: Even though CIP-013 is mostly aimed at suppliers, FERC has no jurisdiction over them, so the NERC entities are required to do their best to get the suppliers to mitigate what each entity decides are the most important supply chain cybersecurity risks that apply to each supplier.
The Act requires NIST to develop "standards and guidelines" for IoT devices within 90 days, and it gives DHS the responsibility of enforcing them. The guidelines have to address four areas of cybersecurity: secure development, identity management, patching, and configuration management. I think these are a good selection of areas of cyber risk that, if not properly addressed, could mean a lower level of security for IoT devices.
There are certainly other areas that could be addressed as well, like incident response and continuous monitoring. And it would be great if supply chain security were included, since one of the biggest problems with IoT device suppliers (and IT/OT suppliers in general) is not having good control of, or even visibility into, their own supply chains. This especially includes the suppliers of the software components that they include in their devices. But I know there was pushback from the US Chamber of Commerce on this bill, so I’m sure that compromises had to be made.
The Act does require that NIST work with DHS to “publish guidelines on vulnerability disclosure and remediation”. This is quite good, since decisions on what vulnerabilities to disclose and when are currently left up to individual manufacturers and software suppliers. It would be good to have uniform guidelines, and especially guidelines for disclosing vulnerabilities in software components.
Now I’d like to explain why I think the Act will be a big net improvement for a) the electric power industry, and b) suppliers of IoT devices to the industry (e.g. relays, RTUs, and specific devices found in fossil power plants and solar/wind farms).
The biggest advantage for both the industry and its suppliers is that, once these guidelines are published, they will almost without doubt become the standard for suppliers. NERC entities (especially those who have to comply with CIP-013-1) will base their supplier questionnaires on these guidelines. They may also include a standard term in contracts for OT devices that requires the supplier to follow the NIST guidelines. How could any supplier object to that, especially given that they have to follow them anyway for their federal work? Plus they don’t have to worry about being at a disadvantage to their competitors by following the guidelines, since their competitors will need to follow them, too.
A big advantage for the suppliers is that the new NIST standard will relieve them of a lot of the pressure they’re under now to get certified for standards like ISO 27001/2. 27001 is a good standard, but it goes far beyond what’s required for OT suppliers. It focuses very heavily on risks to data in the possession of the supplier, yet most OT suppliers store little if any of their customers’ data.
The problem all along is that there haven’t been good standards for OT (IEC 62443 is an OT standard, but compliance with it is quite burdensome. I know of few NERC entities that are actually requiring their suppliers to comply with it). NERC at one point said they were going to develop guidelines for suppliers by, I think, this past summer. I haven’t heard more about that (which I believe was really being carried out by a group of utilities), but of course it may have been put off due to Covid. In any case, it would probably be good at this point to wait to see what NIST develops before moving ahead with a separate standard for the power industry.
I’ll put out new posts on this Act when more information becomes available. It’s quite an interesting development, and nothing that I expected to happen.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.