Connect with us

Cybersecurity

Internet of Things Connected Devices Are Inherently Insecure, Say Tech Experts

Published

on

Screenshot of Steve Augustino, Partner at Kelley Drye & Warren

January 24, 2021 –Internet of Things  connected devices are inherently unsecure, said Scott Poretsky, director of security at Ericsson, speaking at a Federal Communications Bar Association event on Thursday.

Resolving the security risks is all the more pressing with the coronavirus pandemic having generated great interest in enabling people to work in situations without being physically present.

A major sector of growth in IoT technologies is in health care, with virtual telehealth appointments and devices connecting patients with their doctors.

Unlike the common smartphone, IoT devices are not built with the same general-interest purpose in mind. IoT devices such as a smart toothbrush are only built to do a specific task. Hence that enables a long battery life.

Because IoT devices are built with such specific tasks, they lack powerful processing power. That leaves them vulnerable. And limited processing power means IoT devices don’t have room for security features. Too many open ports and too few layers of security, including mass-produced factory password settings, are wide open to cyber-attacks.

Additionally, low-cost devices infrequently receive firmware updates and software patches to fix security threats leaving consumers helpless.

Users of IoT devices need to know and do more to protect themselves from cyberattacks. Legislation has been passed to boost cybersecurity for IoT devices, said Rafi Martina, senior policy advisor for Sen. Mark Warner, D-Virginia.

Warner introduced the now-passed Internet of Things  Cybersecurity Improvement Act. It requires the National Institute of Standards and Technology (NIST) to issue recommendations addressing secure development, identity management, patching, and configuration management for IoT devices.

Martina said vendors need to stop bad developer practices, close unnecessary open ports, and enhance support for security in devices that range from internet-connected home video cameras to light bulbs, doorbells and other home appliances.

According to the FCBA session description for the event:

A defining characteristic of the Internet of Things (IoT) is that devices are capable of communicating with each other and the world at large.  As these “always connected” devices are more broadly deployed and handle more complex tasks, protecting the security of these devices becomes more difficult.

Moreover, security is not the responsibility of any single entity in the ecosystem alone, requiring a layered approach to cybersecurity.  In this program, speakers will discuss what is being done by the industry and the federal government to improve cybersecurity in IoT.  We will discuss ways to establish transparency, traceability and trustworthiness in IoT ecosystems and the role the federal government plays in IoT security through the IoT Cybersecurity Act of 2020 and NIST’s Cybersecurity for IoT program, among others.

Born in China and adopted to American Fork, Utah, Reporter Derek Shumway graduated from Brigham Young University with a bachelor's degree in political science and a minor in international strategy and diplomacy. At college, he started an LED lightbulb company. word

Cybersecurity

Lawmakers Should Incentivize Cybersecurity in Private Sector: Cisco Executive

One weak link can threaten the entire system.

Published

on

Photo of Jeetu Patel of CISCO

WASHINGTON, May 25, 2023 – A Cisco executive urged Congress at a Semafor event Thursday to provide more incentives for companies to ensure their cybersecurity posture is up to date. 

While Jeetu Patel, general manager of security at the information technology giant, didn’t specify what types of incentives can be used, he said the incentives must push private infrastructure to have high security standards. 

Both private and public sectors have a part to play in improving the nation’s security, he noted, adding private companies must build products that are secure by design. 

There is “tremendous” need for cross-nation coordination around cyberattacks, said Patel. He urged lawmakers to democratize cybersecurity by simplifying the process, adding the nation must be united to gain traction against attackers.

The cybersecurity industry has not made conversations simple to follow or technology easy to use, he said. Simplifying cybersecurity is the only way we can democratize it and when it’s democratized, it can be made universal, said Patel. 

He warned that the country cannot let the financial constraints of a few companies put the whole system at risk. Regardless of how affluent a country is, the weakest link controls the strength of the chain, he said. 

Artificial Intelligence will change cybersecurity fundamentally, he noted. It is important to remember that AI tools are also available to attackers. Currently, the majority of attacks stem from fraudulent emails which AI can make more personalized and difficult to discern from real communication, he said.  

Cybersecurity defenses must evolve

We need to develop an idea of civic responsibility for tech innovators and students in STEM fields, added Suzanne Spaulding, senior advisor of Homeland Security at the Center for Strategic and International Studies. Civic responsibility is the antidote to disinformation and is the change central to democracy, she continued.  

Spaulding warned companies against relying on existing cybersecurity measures. Resilience is about having layers of plans and assuming they all will fail, she said.  

This comes at a time of Congressional focus on cybersecurity. In March, two bills were introduced by Senators Jacky Rosen, D-Nev., and Marsha Blackburn, R-Tenn., to establish pilot programs in the Department of Defense and Homeland Security that would hire civilian cybersecurity personnel in reserve. 

In 2021, President Joe Biden signed an executive order on improving American cybersecurity capabilities following the Colonial Pipeline ransomware attack and SolarWinds breach in 2020.   

Continue Reading

Cybersecurity

Sector Specific Agencies a Resource for Cybersecurity Concerns

Federal agencies are equipped to support sectors dealing with cybersecurity concerns.

Published

on

Photo of Puesh Kumar of Department of Energy

WASHINGTON, May 16, 2023 – Sector specific agencies, federal departments responsible for infrastructure protection activities in a designated critical infrastructure sector, are prepared to address cybersecurity concerns across various industries, said witnesses at a House Energy and Commerce Committee hearing on Tuesday. 

Malicious actors are targeting U.S. infrastructure, said witnesses. In 2021, President Biden signed an executive order on improving American cybersecurity capabilities following the Colonial Pipeline ransomware attack and SolarWinds breach in 2020. 

In March, two bills were introduced by Senators Jacky Rosen, D-Nev., and Marsha Blackburn, R-Tenn., to establish pilot programs in the Department of Defense and Homeland Security that would hire civilian cybersecurity personnel in reserve. 

The Administration for Strategic Preparedness and Response addresses increasingly sophisticated and frequent attacks on hospital and public health centers by providing each hospital with personalized and specific instruction on mitigation and disaster response best practices. 

Cyberattacks on hospitals have a negative effect on the surrounding area similar to that of a natural disaster, claimed Brain Mazanec, deputy director of the Office of Preparedness at ASPR. There have been more than double cyber-attacks on hospitals from 2016 to 2021, he said. 

The Environmental Protection Agency is responsible for addressing water system cyberattacks, said David Travers, director of Water Infrastructure and Cyber Resilience Division at EPA. The EPA’s Evaluating Cybersecurity guidance is intended to assist states with building their own secure systems for water and sewer systems.  

It is essential that sector specific agencies develop strong relationships with sectors under their jurisdiction well before disastrous incidents occur, said Puesh Kumar, director of the office of cybersecurity at the Energy Security and Emergency Response at the Department of Energy. 

The Energy and Commerce Committee also participated in a markup of the Energy Emergency Leadership Act Tuesday which would amend the Department of Energy Organization Act to elevate the leadership of the DOE’s emergency response and cybersecurity functions. 

“Establishing assistant-secretary leadership at the department will reflect the importance of managing this threat,” said Subcommittee on Energy, Climate, and Grid Security Chair Jeff Duncan. 

The Act passed on unanimous vote to report to the full committee without amendment. 

Duncan also emphasized the importance of a strong domestic supply chain, calling for a “‘Made in America’ system for nuclear fuel” in order to “give the domestic industry the market certainty they need to invest and build out the necessary infrastructure.”

On June 27, Broadband Breakfast’s Made in America Summit will examine energy infrastructure and international supply chain issues in depth.

Continue Reading

Cybersecurity

Charter Suggests Network Authentication Layer for Equipment Certification

The telecom said manufacturers are in the best position to ensure security.

Published

on

Illustration from Security Architect

WASHINGTON, April 5, 2023 – Charter Communications is recommending the Federal Communications Commission require device manufacturers seeking equipment authorization to add a layer of authentication security to protect against cyberthreats.

In a letter to the commission on Friday, the telecommunications company suggested the commission require, as a condition of certification, devices pass a security authentication step to connect to the user’s network. When an internet-connected device connects to a network, it can also access sensitive information being shared on it – leaving the door open to malicious activity.

This “baseline” security “would erect a new barrier to prevent malicious actors from exploiting unauthorized or unidentified devices connected to consumer broadband networks without consumers’ knowledge or consent,” Charter said in its letter, following a meeting with FCC officials. “It would also be a simple and efficient way to address major cybersecurity vulnerabilities without the Commission needing to prescribe detailed cybersecurity requirements.”

“The most vulnerable devices often lack strong passwords and other basic security measures, which make them susceptible to malicious actors and frequent sources of harmful traffic across networks,” Charter added. “Devices that can connect to home networks without first being authenticated are also a significant source of cyber threats. And, despite various educational efforts, many consumers still never change the default passwords that come printed on their devices.”

The company noted that this practice is accepted by industry standards bodies and the broader security community and would relieve consumers of an additional burden when they come to connect their devices.

In conjunction with a November order that halted equipment authorizations from companies on a national security blacklist, the FCC is currently contemplating a proposal that would revamp the equipment authorization program to minimize cybersecurity threats and other malicious activity of foreign agents. The proposal asks whether it should ban component parts of a problematic device, and not just the manufactured product, and if it should require certification applicants to have a U.S.-based representative to ensure compliance.

As ubiquitous 5G connectivity takes hold in the country, more and more internet-connected devices are flooding the market.

“The proliferation of cybersecurity incidents in recent years and, particularly, the growing number of cyber threats that exploit unsecured IoT devices, underscores the need for more proactive efforts to deter and combat vulnerabilities before they reach consumers,” Charter noted in the letter, adding device manufacturers are in the “best position” to address these common security vulnerabilities.

Charter added that a combination of device manufacturer action on the authentication front and user action to additional security layers – through stronger passwords, for example – “will better protect Americans and US networks from the growing harm of cyber threats.”

The company said it actively strives to enhance security measures for its devices, including some of its newer routers requiring users to provide a unique credential to manage their home network instead of a default password. It said its routers also have pre-set security settings and undergo regular software updates.

FCC Commissioner Nathan Simington had previously advocated for mandating ongoing, as-needed cybersecurity updates to mitigate risks on wireless devices already in the hands of consumers.

Continue Reading

Signup for Broadband Breakfast News



Broadband Breakfast Research Partner

Trending