In the United States, President Biden’s administration reports that in October it will bring together companies, associations and government partners to discuss the development of a label for Internet of Things (IoT) devices. The aim is that Americans can recognise which devices meet cybersecurity standards to protect against hacking and other cyber vulnerabilities.
Biden’s Bipartisan Infrastructure Law (BIL) includes a State and Local Cybersecurity Grant Programme, to provide $1 billion to state, local, and territorial (SLT) authorities over four years, with $185m available for the fiscal year 2022, for example to address cyber risk to information systems and critical infrastructure.
By developing and rolling out a common label for products that meet US Government standards and are tested by vetted and approved entities, the White House says that it will help American consumers identify secure tech to bring into their homes, starting with some of the most common, and often most at-risk, technologies — routers and home cameras.
As for quantum computing, in the summer the US federal National Institute of Standards and Technology (NIST) announced four new encryption algorithms that will become part of NIST’s post-quantum cryptographic standard, expected to be finalised in about two years.
Simon Chassar, CRO at the cyber product company Claroty, described new cyber security regulations for communications, water and healthcare as crucial, as cyberattacks on US critical infrastructure increase. “Alarmingly, in 2021, we saw over 80 per cent of critical infrastructure organisations experience a ransomware attack.
“Water and healthcare, particularly, are two industries where a cyberattack can have a direct risk on human life. For example, we saw threat actors breach a water treatment facility in Florida where they attempted to change the chemical levels, which could have potentially poisoned local residents if it had been successful. Another tragic example is the death of a baby at Alabama Hospital which may have been the result of a ransomware attack that caused equipment to shut down.
“Whilst the White House is yet to confirm where and how exactly it will regulate cybersecurity, it is essential that one area they look at is cyber-physical systems. We are seeing industries such as water and healthcare converge their OT and IT systems, as well as connect Internet of Things (IoT) devices and Internet of Medical Things (IoMT) devices to company networks without asset-based policy segmentation. These cyber-physical devices are not always designed with security in mind, meaning they can have a number of vulnerabilities for threat actors to exploit.
“I’d advise that any new cyber regulations ensure that organisations are closing their inherent security gaps and have complete asset visibility across all cyber-physical systems connected to their network. It should be mandated that companies have patching procedures for OT systems, IoT devices, and IoMT devices. Furthermore, regulations must enforce network segmentation with asset class network policies to restrict unnecessary connectivity – this will limit the movement of malware, ultimately mitigating the impact of cyberattacks.”