In December, following passage of the law, NIST released draft guidance on IoT cybersecurity requirements. New devices will likely need a unique identifier and the capacity to receive a software patch to guard against new cybersecurity vulnerabilities.
The standards will formally apply to the government’s purchase of IoT devices for use by the FBI and the Defense and Homeland Security departments, Stefani notes, as well as by government contractors.
The standards, while not required of private companies that don’t contract with the government, could nevertheless be adopted by the private sector, according to Stefani. At minimum, they will likely help inform voluntary standards that the Consumer Technology Association and other industry groups are working on. Stefani believes the Biden administration may propose an IoT cybersecurity bill focused on the private sector.
How the IoT Cybersecurity Improvement Act Will Affect the Energy Industry
Although the legislation focused more on protecting the federal government from threats and does not apply directly to the energy industry and utilities, it may impact smart grids and manufacturers of wireless sensors and devices in the future, says Stefani.
“The NIST standards that are going to be developed under this bill for sales to the federal government are going to shape what industry is going to develop and manufacture for private entities and utilities,” Stefani says.
The NIST standards likely will include best practices on how to create unique passwords when setting up a device, rather than using a single password for every IoT device, she says.
In August 2019, NIST released a report titled “Securing the Industrial Internet of Things: Cybersecurity for Distributed Energy Resources.” It detailed the agency’s efforts to develop data integrity and malware protection, and to mitigate threats to commercial and utility-scale distributed energy resources, or DERs. In the energy grid, data is exchanged between a utility’s distribution control system and DERs such as solar photovoltaics and wind turbines. This exchange sometimes lacks proper security measures, according to NIST. The National Cybersecurity Center of Excellence helps energy companies secure these information exchanges.
How Energy Companies Should Respond to the New Law
Going forward, organizations that deploy IoT devices, including utility companies, should consider products with security features baked into their design process, Stefani says. More of these products will become available as manufacturers incorporate design changes based on the emerging NIST standards into the product families they sell both to the federal government and to energy and utility companies, Stefani says.
These and other cybersecurity requirements will ensure that bad actors do not tamper with the energy grid or other important devices and sensors, such as alarms and security cameras at energy facilities and utility plants.