From smart homes and self-driving vehicles to drones and healthcare monitoring, Internet of Things (IoT) capabilities are a hot topic for both manufacturers and consumers. The most recent episode of Kelley Drye’s Full Spectrum podcast spotlights one of the key areas for everyone involved – maintaining security of IoT devices. Partners John Heitmann and Steve
At the end of July, the National Institute for Standards and Technology (“NIST”) released draft cybersecurity guidance for IoT device manufacturers. The document, titled Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers, is intended, according to NIST, identify the cybersecurity features that IoT devices should have “to make them at least minimally securable by the individuals and organizations who acquire and use them.” The NIST document is not a rule or requirement for IoT devices, but rather is a continuation of NIST’s effort to foster the development and application of voluntary standards, guidelines, and related tools to improve the cybersecurity of connected devices.
NIST is seeking comment on the document through September 30 of this year and it held a workshop in August for interested parties to discuss the document. In a prior post, I blogged on takeaways from that workshop. Now, it’s time to take a closer look at the NIST document itself.
Connected devices already are making headway into business and consumer markets. “Smart” speakers, video doorbells, remote programmable thermostats and other devices are increasing in popularity in homes across the United States. Major automakers and startups are pursuing self-driving cars and the “passenger economy.” Businesses are using IoT capabilities to enhance preventive maintenance, to track assets through the production cycle and to gain insights into consumer behavior.
Now, the federal government is trying to provide resources for businesses engaged in the Internet of Things (“IoT”) economy. Building on guidelines it established for cybersecurity generally and IoT cybersecurity specifically, the National Institute for Standards and Technology (“NIST”), a division of the U.S. Department of Commerce, held a workshop for manufacturers on securing IoT devices. I attended the workshop and these are my principal takeaways from the meeting.
Last week, the FCC’s Public Safety and Homeland Security Bureau released a Public Notice (“Notice”) urging communications service providers to review and assess how they can incorporate the recommendations from Communications Security, Reliability, and Interoperability Council (“CSRIC”) V, Working Group 10 March 2017 Report to abate security signaling system 7 (“SS7”) protocol vulnerabilities(the “SS7 Report”). SS7 is a communications protocol used within telephone networks to aid call setup, routing, billing and other functions between fixed and mobile service providers.
Kelley Drye is excited to support the next Presidio Forum on “Securing (and Regulating) the Internet of Things: Policy, Innovation & Investment,” in San Francisco on June 20, 2017. The forum will present a candid discussion exploring today’s expanding IoT threat landscape, continued rise of regulatory interests and the increasing venture capital investment for IoT…
In the days leading up to Tuesday’s State of the Union address, President Obama has been previewing his Administration’s communications and technology priorities for 2015, including calling for an end to state laws that restrict municipal broadband deployments and new steps to promote cybersecurity.…
On October 28, 2014, the Federal Communications Commission (“FCC” or the “Commission”) announced that it had joined the Global Privacy Enforcement Network (“GPEN”), a network of privacy enforcement and regulatory bodies from around the world that engages in collaboration and coordination on cross-border privacy enforcement actions.
On October 24, the FCC, over the dissent of its two Republican commissioners, issued a Notice of Apparent Liability (NAL) proposing a fine of $10 million to Lifeline eligible telecommunications carriers (“ETCs”) TerraCom, Inc. and YourTel America, Inc. for violations of laws protecting “phone customers’ personal information.”
This is the agency’s first data security case and the largest privacy action in the Commission’s history. See News Release. Friday’s decision follows through on numerous public statements made by FCC Enforcement Bureau Chief Travis LeBlanc indicating that privacy and security is a high enforcement priority for the Commission and that the agency would begin to use a Communications Act provision barring unjust and unreasonable practices as a privacy and security enforcement tool.
According to the NAL, the Enforcement Bureau investigation found that both TerraCom and YourTel “collected names, addresses, Social Security numbers, driver’s licenses and other proprietary information” gathered through the Lifeline eligibility approval process “and stored them on unprotected Internet servers that anyone in the world could access with a search engine and basic manipulation.” The NAL states that the TerraCom and YourTel violations exposed more than 300,000 customers’ personal information to unauthorized access as well as heightened risk of fraud and identity theft. …
The National Institute of Standards and Technology (NIST) released a Request for Information (RFI), “Experience with the Framework For Improving Critical Infrastructure Cybersecurity”, this week requesting industry feedback on the Cybersecurity Framework published in February 2014. Framework 1.0 was developed by NIST in response to the Obama Administration’s February 2013 Cybersecurity Executive Order aimed at improving cyber defenses for critical industries impacting U.S. national security. The Framework is a series of standards, methodologies, procedures, and processes developed to help organizations address cyber risks.
Since releasing the Framework, NIST has focused its efforts on raising awareness and educating public and private organizations on the importance of managing cyber risks. Now that the Framework has been publicly available for over 6 months, NIST is reaching out to the critical infrastructure community to find out whether organizations are choosing to voluntarily implement the Framework and track progress across the various industries.
Critical infrastructure industries, including communications, transportation, energy, and healthcare companies, are encouraged to weigh in on initial experiences in implementing the Framework, how it is being used, and the successes and challenges of using the Framework to develop cyber programs. While the RFI focuses heavily on responses from critical infrastructure owners and operators, Federal agencies, state, local and tribal governments, and other industry and consumer stakeholders are also invited to comment on any topic that may impact the awareness or voluntary use of the Framework.
Late last week, the FCC released a Public Notice requesting comment on existing best practices for Internet Service Providers (ISPs) to combat cybersecurity threats. The inquiry is a follow up to the FCC’s New Cybersecurity Initiative focused on developing a voluntary, private-sector driven approach to cyber risk management. Comments from this inquiry will support and inform the work of Communications, Security, Reliability and Interoperability Council IV (CSRIC IV) to create cybersecurity best practices that align with the National Institute of Standards and Technology (NIST) framework across the broader communications sector.
The inquiry is focused on what steps the industry has taken voluntarily to combat certain cyber threats. However, the FCC acknowledged that the vulnerabilities addressed by these recommendations remain active threats and sought comment on how to address these concerns and create cyber assurances across the industry. As Chairman Wheeler noted in his June 12 speech, the FCC is open to considering other options if a voluntary, market-driven approach fails to yield measurable, accountable results.…