As more and more devices connect to the Internet, the Internet of Things impacts each of our daily lives. Connection to the Internet automates a number of processes including heating and cooling our homes, monitoring security, tracking our health, and so much more. In the workplace, connected devices monitor equipment health, track packages as they travel around the world, and simplify management of a number of operations. Almost every industry uses IoT solutions to increase efficiency and profitability.
Senate Bill 327
Concerned by the risk of the exploitation of connected devices, Governor Brown recently signed into law Senate Bill 327. This is the first state law to regulate the security features of IoT devices. The law, which will go into full effect on January 1st, 2020, sets minimum security requirements for connected device manufacturers. The California Attorney General will be responsible for enforcing the new law.
The Governor hopes the new law will address the possible risk of hackers locating vulnerabilities in connected devices. If hackers gain access, they could potentially steal sensitive data, cause outages, and disrupt or modify system functions.
Under the new law, device manufacturers would be required to build security into the design, manufacturing, and functionality of each connected device. This includes any device that connects either directly or indirectly to the Internet as well as devices assigned an Internet Protocol address or Bluetooth address.
The new law applies to the manufacturers of connected devices sold or offered for sale in California and all component part suppliers used by these manufacturers. Two groups are exempt from the new law: the developers of third-party software and applications added by consumers, and businesses regulated by the Health Insurance Portability and Accountability Act (HIPAA).
New Requirements
The text of the IoT law is somewhat confusing. It states that connected devices must include “reasonable security features”. Unfortunately, it does not define what that means. However, the law does state that the “reasonableness” of security features is risk-based and dependent on the intended use of the device and the technology on which it relies.
The new law also contains specific requirements for authentication features. For example, each device assigned an IP address or Bluetooth address must have its own unique password.
At Mint Controls, we care about keeping your organization secure. We develop our IoT devices with security in mind. Please contact us for more information.