The IoT Cybersecurity Improvement Act of 2020

 A reporter asked me last week if the IoT Cybersecurity Improvement Act of 2020, which was signed by President Trump on December 4, would impact the electric power industry – and if so, what I thought of it. I’m quite glad that he reached out to me on this. I hadn’t paid much attention to the bill as it wended its way through both houses of Congress and various committees. To be honest, there have been so many cybersecurity bills that have gone nowhere that I’ve been reluctant to devote much time to following any of them.

However, when I read the text, I was very impressed with the Act. Moreover, I think it could end up solving some big problems for the power industry. Here’s my take on it:

Strictly speaking, it doesn’t apply to the power industry, or any industry except the federal government itself. That is, it applies to IoT devices purchased by the Feds. However, there’s no doubt that the bill is aimed at all IoT devices, no matter by whom they’re purchased. And that isn’t overreach: IoT device manufacturers aren’t going to build two versions of every device, one compliant with the federal guidelines, and one not. They’ll build one version, compliant with the guidelines.

Specifically what devices are covered? Here are the criteria (2/1/21: Note that these are much shorter than the ones that were in the draft version I had when I originally wrote this post). The Act (now Law) covers devices that 

                (A) have at least one transducer (sensor or 
                actuator) for interacting directly with the physical 
                world, have at least one network interface, and are not 
                conventional Information Technology devices, such as 
                smartphones and laptops, for which the identification 
                and implementation of cybersecurity features is already 
                well understood; and
                (B) can function on their own and are not only able 
                to function when acting as a component of another 
                device, such as a processor.

The Act is of course really aimed at the suppliers of IoT devices, not the federal agencies themselves. But for those suppliers to be directly regulated, it would likely require separate legislation. So the Act follows much the same course as CIP-013: Even though CIP-013 is mostly aimed at suppliers, FERC has no jurisdiction over them, so the NERC entities are required to do their best to get the suppliers to mitigate what each entity decides are the most important supply chain cybersecurity Risks that apply to each supplier.

The Act requires NIST to develop "standards and guidelines" for IoT devices within 90 days, and it gives DHS the responsibility of enforcing them. The guidelines have to address four areas of cybersecurity: secure development, identity management, patching, and configuration management. I think these are a good selection of areas of cyber risk that, if not properly addressed, could mean a lower level of security for IoT devices.

There are certainly other areas that could be addressed as well, like incident response and continuous monitoring. And it would be great if supply chain security were included, since one of the biggest problems with IoT device suppliers (and IT/OT suppliers in general) is not having good control of, or even visibility into, their own supply chains. This especially includes the suppliers of the software components that they include in their devices. But I know there was pushback from the US Chamber of Commerce on this bill, so I’m sure that compromises had to be made.

The Act does require that NIST work with DHS to “publish guidelines on vulnerability disclosure and remediation”. This is quite good, since decisions on what vulnerabilities to disclose and when are currently left up to individual manufacturers and software suppliers. It would be good to have uniform guidelines, and especially guidelines for disclosing vulnerabilities in software components.

Now I’d like to explain why I think the Act will be a big net improvement for a) the electric power industry, and b) suppliers of IoT devices to the industry (e.g. relays, RTUs, and specific devices found in fossil power plants and solar/wind farms).

The biggest advantage for both the industry and its suppliers is that, once these guidelines are published, they will almost without doubt become the standard for suppliers. NERC entities (especially those who have to comply with CIP-013-1) will base their supplier questionnaires on these guidelines. They may also include a standard term in contracts for OT devices that requires the supplier to follow the NIST guidelines. How could any supplier object to that, especially given that they have to follow them anyway for their federal work? Plus they don’t have to worry about being at a disadvantage to their competitors by following the guidelines, since their competitors will need to follow them, too.

A big advantage for the suppliers is the new NIST standard will relieve them of a lot of the pressure they’re under now to get certified for standards like ISO 27001/2. 27001 is a good standard, but it goes far beyond what’s required for OT suppliers. It focuses very heavily on risks to data in the possession of the supplier, yet most OT suppliers store little if any of their customers’ data.

The problem all along is that there haven’t been good standards for OT (IEC 62443 is an OT standard, but compliance with it is quite burdensome. I know of few NERC entities that are actually requiring their suppliers to comply with it). NERC at one point said they were going to develop  guidelines for suppliers by I think this past summer. I haven’t heard more about that (which I believe was really being carried out by a group of utilities), but of course it may have been put off due to Covid. In any case, it would probably be good at this point to wait to see what NIST develops before moving ahead with a separate standard for the power industry.

I’ll put out new posts on this Act when more information becomes available. It’s quite an interesting development, and nothing that I expected to happen.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.