What the Energy Industry Needs to Know About the IoT Cybersecurity Improvement Act
Emerging standards for Internet of Things devices will likely affect what private sector energy and utility facilities can — and should — deploy.
Energy and utility companies are heavily involved in the use of Internet of Things technologies because of the nature of the industry. Smart sensors and meters track the use of electricity and water, transmitting data between commercial buildings and homes.
Connected sensors and meters are vulnerable to cybersecurity threats, such as denial of service attacks, zero-day exploits and malware, according to the U.S. Government Accountability Office. In response, Congress enacted the IoT Cybersecurity Improvement Act of 2020 to create standards for IoT, particularly in the federal government.
The law, passed in December, calls on the National Institute of Standards and Technology to develop and publish standards on the use of IoT devices and develop minimum security requirements for managing the cybersecurity risks these devices present. NIST is required to review and update standards as necessary every five years.
“The law aims to strengthen cybersecurity within the federal government by directing the government’s standards development body, the National Institute of Standards and Technology, to put out standards and guidance on how the government may use IoT devices,” says Laura Stefani, technology and telecommunications lawyer at Mintz. “This guidance would need to include certain security requirements for managing the cybersecurity risk of IoT devices.”
To What Does the IoT Cybersecurity Improvement Act Apply?
The IoT Cybersecurity Improvement Act pertains to stand-alone IoT devices that contain sensors and connect to the internet, Stefani says.
In December, following passage of the law, NIST released draft guidance on IoT cybersecurity requirements. New devices will likely need a unique identifier and the capacity to receive a software patch to guard against new cybersecurity vulnerabilities.
The standards will formally apply to the government’s purchase of IoT devices for use by the FBI and the Defense and Homeland Security departments, Stefani notes, as well as by government contractors.
The standards, while not required of private companies that don’t contract with the government, could nevertheless be adopted by the private sector, according to Stefani. At minimum, they will likely help inform voluntary standards that the Consumer Technology Association and other industry groups are working on. Stefani believes the Biden administration may propose an IoT cybersecurity bill focused on the private sector.
How the IoT Cybersecurity Improvement Act Will Affect the Energy Industry
Although the legislation focused more on protecting the federal government from threats and does not apply directly to the energy industry and utilities, it may impact smart grids and manufacturers of wireless sensors and devices in the future, says Stefani.
“The NIST standards that are going to be developed under this bill for sales to the federal government are going to shape what industry is going to develop and manufacture for private entities and utilities,” Stefani says.
The NIST standards likely will include best practices on setting a unique password when a device is first configured, rather than shipping a single shared password for every IoT device, she says.
In August 2019, NIST released a report titled “Securing the Industrial Internet of Things: Cybersecurity for Distributed Energy Resources.” The report detailed the agency’s efforts to protect data integrity, defend against malware, and mitigate threats to commercial and utility-scale distributed energy resources, or DERs. On the grid, DERs such as solar photovoltaic systems and wind turbines exchange data with a utility’s distribution control system. This exchange sometimes lacks proper security measures, according to NIST. The National Cybersecurity Center of Excellence helps energy companies secure these information exchanges.
How Energy Companies Should Respond to the New Law
Going forward, organizations that deploy IoT devices, including utility companies, should consider products with security features built in during the design process, Stefani says. More of these products will become available as manufacturers incorporate design changes based on the emerging NIST standards into the same product families sold both to the federal government and to energy and utility companies, she says.
These and other cybersecurity requirements are intended to keep bad actors from tampering with the energy grid or with other important devices and sensors, such as alarms and security cameras at energy facilities and utility plants.