Operational technology (OT) security company Claroty said Wednesday that IoT devices security is becoming essential in OT environments, following the recent passage of the IoT Cybersecurity Improvement Act in the US.
Following the Act, any Internet of Things (IoT) device purchased with federal government funds must meet new, minimum security standards, and the deadlines, in some cases, are just a few months away, Claroty pointed out in its blog post. As the legislation is mainly aimed at government agencies, and the vendors and service providers that work with critical infrastructure companies, it would be wise for them to take cues from the new law to enhance and formalize their IoT security best practices.
Critical infrastructure sectors typically include communications, defense, emergency services, energy, finance, food, government, healthcare, space, manufacturing, transportation, and water.
Recognizing a lack of uniformity in identifying vulnerabilities and supply chain risks introduced by IoT devices, the Act seeks to replace the existing ad-hoc approach with specific standards and guidelines, Claroty said. Specifically, the new law calls for the development of IoT device security guidance by the National Institute of Standards and Technology (NIST) to be communicated and enforced by the Office of Management and Budget (OMB).
The IoT Act directly implicates Executive Branch agencies and their service/device providers, requiring new guidance from NIST and new regulations to be promulgated by OMB that could change the way these entities identify, account for, and address security risk in the IoT devices they purchase and use, according to an alert issued by law firm Willkie Farr & Gallagher.
However, the impact of these new standards will be felt far beyond the federal agencies, the firm added. Given the scale and breadth of products the federal government may seek to purchase that are likely to fall within the ambit of the new regulations, the IoT Act will likely influence manufacturers and services providers to incorporate the new minimum standards into products available on the general market.
With the deployment of IoT devices, physical objects with embedded sensors, software, and other technologies capable of connecting to other devices and systems over the internet are now increasingly becoming ubiquitous. Along with clear benefits, these devices also introduce potential vulnerabilities into networks, operational technology, and operating systems. If exploited, these are capable of causing significant damage.
A Nov 2019 Gartner guide included a survey showing that “a staggering 93% of respondents stated that the adoption of the Internet of Things (IoT) is likely to augment or replace at least some of their heritage OT monitoring and control systems in their organizations during the next 12 months.” Critical infrastructure companies need solutions that can identify and track threats from IoT devices that cross IT and OT boundaries, it added.
Claroty and CrowdStrike announced last November that they were incorporating Claroty Platform’s OT asset discovery and threat detection capabilities with CrowdStrike’s Falcon platform for identifying targeted and compromised endpoints. Claroty’s OT security platform promises complete IT/OT visibility and threat detection coverage for industrial control system (ICS) networks and endpoints.
This integration will provide IT/OT visibility and a single source of information for assets across connected sites, by enabling Claroty to identify and enhance IT-oriented ICS assets, such as human machine interfaces, historian databases and engineering workstations, in which a CrowdStrike agent is installed.