Earlier this month Sen. Warner (D,VA) introduced S 734, the Internet
of Things (IoT) Cybersecurity Improvement Act of 2019. Warner introduced a
similarly titled bill last session (S
1691), but this bill is a complete re-write of the earlier effort.
Definitions
While last session’s bill had a long series of complicated
definitions, this new bill only defines three terms: ‘agency’, ‘covered device’
and ‘security vulnerability’. The ‘agency’ definition is a pro forma, yet
necessary definition that is of little real importance. The definition of ‘covered
device’ is new to this bill and replaces the term ‘internet-connected device’
from the earlier bill. The new term is defined as a physical object that {§2(2)(A)}:
• Is capable of connecting to and is in regular connection with the Internet;
• Has computer processing capabilities that can collect, send, or receive data; and
• Is not a general-purpose computing device, including personal computing systems, smart mobile communications devices, programmable logic controls, and mainframe computing systems.
Sharp-eyed readers will note that this definition was taken
from an amendment
to HR 5515 last session that was proposed by Sen. Gardner (R,CO), one of
the cosponsors to this bill.
Interestingly, the definition of a covered device goes on to
provide a requirement that the Office of Management and Budget (OMB) establish
a process by which interested parties can petition to have “a device that is
not described in subparagraph (A) to be considered a device that is not a
covered device” {§2(2)(B)(i)}.
The term ‘security vulnerability’ is defined as “any
attribute of hardware, firmware, software, or combination of 2 or more of these
factors that could enable the compromise of the confidentiality, integrity, or
availability of an information system or its information or physical devices to
which it is connected” {§2(3)}.
NIST Requirements
Section 3 of the bill requires the National Institute of
Standards and Technology (NIST) to complete its current efforts “regarding
considerations for managing Internet of Things cybersecurity risks” {§3(a)(1)}
by September 30th, 2019. Those considerations are to include, at a minimum {§3(a)(2)}:
• Secure Development;
• Identity management;
• Patching; and
• Configuration management.
By March 1st, 2020, NIST would be required to “develop
recommendations for the Federal Government on the appropriate use and
management by the Federal Government of Internet of Things devices owned or
controlled by the Federal Government, including minimum information security
requirements” {§3(b)(1)}.
Finally, NIST would be required within 180 days of the passage
of this bill to publish a draft report on “the increasing convergence of traditional
Information Technology devices, networks, and systems with Internet of Things
devices, networks and systems and Operational Technology devices, networks and
systems, including considerations for managing cybersecurity risks associated
with such trends” {§3(c)}.
OMB Requirements
Section 4 of the bill outlines the requirements for OMB to
address IoT cybersecurity in the Federal Acquisition Regulations (FAR). Within
180 days of NIST’s publication of recommendations on the use of IoT devices,
the OMB would be required to “issue guidelines for each agency that are
consistent with such recommendations” {§4(a)}.
Those guidelines would have to be consistent with the information security
requirements of 44
USC Chapter 35, Subchapter II.
OMB and NIST would also be required to undertake reviews of
the recommendations and guidelines described in this bill every five years.
Coordinated Disclosure Policy
Section 5 of the bill would establish NIST as the organization
responsible for establishing policies and procedures “for the reporting,
coordinating, publishing, and receiving of information about” {§5(a)} security vulnerabilities
of covered devices and their resolution. Those policies and procedures would be
aligned as much as practicable with ISO 29147 and ISO 30111.
Section 6 of the bill would require OMB to issue guidelines
to federal agencies on how to comply with the processes established by NIST.
Moving Forward
While Warner is not on the Senate Homeland Security and
Governmental Affairs Committee, the committee to which this bill was assigned
for consideration, one of his three cosponsors, Sen. Hassan (D,NH) is. This means
that it is reasonable to assume that the bill may receive consideration in
that Committee. The main holdup is that the Chair, Sen. Johnson (R,WI), has deep-seated
concerns about adding anything smacking of regulations concerning
cybersecurity. While this bill does not specifically call for cybersecurity
regulations, the ‘policies, procedures and guidelines’ that vendors selling
covered devices to the government would be required to follow have the same
general impact as regulations.
I would not be surprised if this bill did not make it out of
Committee. One way that Johnson could ensure this is that after a markup
hearing was held, the Committee report on the bill could be delayed indefinitely.
Commentary
This new version of the IoT cybersecurity bill is much
better written than the version introduced in the last session. The limitations
on the definition of ‘covered device’ generally make a reasonable distinction
between ‘internet connected devices’ and IoT. I do, however, still have some
nits to pick on the details of how that limitation/distinction is made.
The sub-paragraph in question removes ‘general-purpose
computing devices’ from consideration as ‘covered devices’. It then lists the
following examples of those g-p devices:
• Personal computing systems;
• Smart mobile communications devices;
• Programmable logic controls; and
• Mainframe computing systems.
Since none of these exclusionary terms are defined in the
bill, I would suspect that the staffers who crafted this bill wanted to provide
NIST and OMB with significant latitude in what would be included in the
exclusion from the definition of IoT. Generally speaking, that is a good thing.
Having said that, I do have problems with the term ‘programmable logic controls’.
First off, I need to get a tad bit anal retentive here; the term should be ‘programmable
logic controllers’.
In a broader context, even that corrected term may be an unnecessarily
restrictive substitute for the term ‘industrial control system’. While PLCs are
certainly very common components of industrial control systems, there are a
large number of other components of those systems that are not generally
considered IoT (or IIoT, industrial internet of things), but could not be
reasonably included in the term PLC.
While I am a strong believer in cybersecurity in industrial control
systems, I do not think that this bill and its loose regulatory framework are
the appropriate place to establish standards for ICS cybersecurity and
particularly the internet connected devices associated with industrial control
systems. With that in mind, I would propose that the term ‘industrial control
system’ should be substituted for the term ‘programmable logic controls’ in the
definition of ‘covered device’.