
A landmark day for device security - US Senate passes Cybersecurity Improvement Act on to the President for signature

1st Dec 2020

Our mission to secure the world’s connected devices got a timely boost when the US Senate passed the Internet of Things (“IoT”) Cybersecurity Improvement Act (H.R. 1668) into law. This is the brainchild of Congresswoman Robin Kelly from Illinois. The legislation provides for the establishment of a minimum set of cybersecurity standards for government-purchased, internet-connected devices.

The legislation directs the National Institute of Standards and Technology (NIST) to provide standards and guidelines that federal government agencies must comply with in order to better manage the security of their IoT devices. These standards and guidelines are designed to provide a high level of continuity with, and further progress on, the work these agencies have already done to address vulnerability detection, identity management, patching and the configuration of their IoT devices.

Don’t comply, Fed won’t buy

There is also a procurement dimension to the legislation and the law will require federal purchasers to apply restrictions on the purchase of devices from vendors who do not meet the NIST standards and guidelines. There are waivers in certain instances such as national security or research purposes, but the general rule will apply greater discipline to the treatment of security in product design and sale. This is obviously going to have a very big impact on manufacturers in the private sector who will need to meet these requirements to sell into federal government departments. There is likely to be an overspill effect into broader industrial and consumer electronics markets as the government starts to stand up and take IoT device security at all levels very seriously.

Get out of the kitchen if you can’t take the heat

It’s timely that in a recent blog post our CEO Thomas Ryd noted that with these new IoT cybersecurity regulations being introduced, vendors who have not placed security at the center of their product development strategies will have to take a serious look at what they are doing if they want to stay relevant and competitive in the market.

The Triangle of Trust is the strategic framework that guides product strategy and development at Northern.tech and Mender. We educate our customers to put this principle at the centre of their connected device management strategy.

Only authorised people can deploy authorised software to authorised devices.

Which leads to

Only the right people deploying the right software to the right devices.

Security in action in our IoT

We have developed the security features and strategic partnerships to translate this principle into operational reality for our customers. This puts us at the forefront of the market. For example, we work with NXP to support hardware encryption on their i.MX gateway processors. This means that a device is highly secure against tampering and malicious takeover attempts. We also support mutual TLS handshakes and PKP certificates and align to enterprise security standards and policies. We also consider less complex gateway devices and support elliptic curve cryptography for resource-efficient security and protection.

We thank Congresswoman Kelly for progressing and enacting this important legislation with fellow legislators in the US Senate. We believe that we are a provider that has prepared for this day, and have anticipated the requirements knowing that it was in the best interests of the customers we serve to make sure their devices avoid malicious attacks.

You can read the full details of this landmark legislation here.