On September 28, 2018, California governor Jerry Brown signed into law the Information Privacy: Connected Devices Act, CA SB 327/AB 1906. The law requires that any connected device sold in California after January 1, 2020 must implement “reasonable” security measures. Despite the understated fanfare, this law will set in motion a series of events that will be monumental for IoT.
As we have mentioned before, IoT has the potential to add USD 10 trillion in value to the world economy by 2025. On the flip side, if the poor adoption of reasonable security measures continues, botnets and data breaches could wipe away much of that value and then some.
In our last post I talked about the need for cybersecurity regulations. I also discussed our involvement with California’s efforts to mandate cybersecurity in distributed energy resource (DER) devices with Rule 21. However, CA Rule 21 only addresses hundreds of thousands of new DER installations each year in California. Even if the regulation expands to the rest of the world we’re talking double-digit millions of devices max. Compare that to the billions of total IoT devices sold each year and you get an idea of how limited Rule 21 is. Rule 21 also is incomplete in its coverage of device security. A device can be exempt from Rule 21 cybersecurity requirements if it communicates with an intermediary cloud service between the device and the utility. SB 327 addresses all these limitation in Rule 21.
California SB 327 changes the trajectory of device cybersecurity regulations. California is the fifth largest economy in the world, so all manufacturers will feel the need to comply. SB 327 is also the first broad-based device security law- it applies to all wide area network devices that use IP or Bluetooth addressing. It covers consumer electronics, industrial devices, and enterprise solutions just to name a few. The law exempts devices that are already covered by a federal mandate, such as HIPAA, but that’s only to resolve potential conflicts and leave room for Capitol Hill to enact something nationwide. Last and most importantly, it puts a hard and imminent deadline on compliance, January 1, 2020, which is just one or two product design cycles away.
There’s obviously room for improvement. Unlike Rule 21 it’s unclear what the risks are for non compliance. SB 327 is also quite nebulous: 1798.91.04. (a) A manufacturer of a connected device shall equip the device with a reasonable security feature or features. The law does mention a few acceptable techniques for user authentication (e.g.- unique default passwords or forcing users to change the default password on first use), but it does not mention techniques for device authentication, which is another requirement of the law- 1798.91.04. (a) “Authentication” means a method of verifying the authority of a user, process, or device to access resources in an information system. To put it simply, the law broadly states the requirement for security in connected devices, but leaves a lot of room for interpretation.
If you are from the healthcare industry, this might sound familiar. HIPAA is also a nebulous law that leaves a lot of room for interpretation. The industry solved this by creating HITRUST, an industry alliance that creates certification programs that comply with healthcare regulations round the globe. As a technology provider, if you pass HITRUST you are compliant with worldwide healthcare regulations. IoT needs similar certification programs, and it’s starting to happen. The Industrial IoT Consortium released security recommendations and the hope is these recommendations find their way into purchasing requirements. SunSpec is working with industry and the national labs on a UL device security certification program to close the Rule 21 loophole. The original plan was to make this UL program optional, but SB 327 is triggering a re-evaluation of this program’s purpose. It’s possible it will be the first program manufacturers can turn to for SB 327 compliance.
Love it or hate it, California has often been a legal trendsetter for the rest of the nation. IoT cybersecurity is now its latest pioneering effort, and expect this precedence to spread quickly.