2020 Cybersecurity Readiness requires organizations across the United States and beyond to understand the requirements of California’s SB 327, among other priorities for securing IoT devices.
California’s SB 327 introduces security requirements for connected devices sold in the US. It defines “connected device” as any device that connects directly or indirectly to the internet and has an IP or Bluetooth address. SB 327 specifically states:
The bill, effective January 1, 2020, requires manufacturers of a connected device to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.
So what does ‘reasonable security feature’ mean? It is defined explicitly: If someone can log into the device outside a LAN, then it must have either pre-programmed passwords that are unique to each device (hence, no more default login credentials), or a way to generate new authentication credentials before accessing it for the first time.
My Advice: Even if you believe SB 327 does not apply to your organization, you should ensure compliance with the mandate. It is a starting point for raising the security of IoT devices within organizations. Within the scope of their cybersecurity risk assessment, organizations must identify all such connected devices and the risk these devices may introduce to the business. Policies must be updated to address SB 327, and the devices must be appropriately hardened.
To learn more, or for a complimentary webinar, contact Ali.Pabrai@ecfirst.com.
Date: October 01, 2019