How the IoT Cybersecurity Improvement Act Shapes the Future of Connected Devices – What Businesses Need to Know
Security concerns have taken center stage in discussions about the Internet of Things (IoT). A recent survey found that nearly 50 % of U.S. companies that use IoT networks have suffered a security breach. The high frequency of incidents helped spark the IoT Cybersecurity Improvement Act of 2017, a federal bill that, while primarily aimed at vendors seeking government contracts, could set de‑facto standards for the entire industry.
The Act’s goal is simple: to establish minimal cybersecurity operational standards for any Internet‑connected device that a federal agency purchases or uses. Under the proposal, vendors must satisfy several requirements before they can sell to the government:
- Devices must be free of known vulnerabilities and defects.
- Devices must support regular, automated software updates.
- Devices must not contain fixed or hard‑coded credentials for remote administration, update delivery, or communication.
Because IoT devices are also ubiquitous in private networks, regulators and industry leaders anticipate that similar rules could be adopted beyond federal procurement. The stakes are high: Ted Koppel has warned that an IoT attack on the U.S. power grid could trigger a nationwide outage, and Israeli researchers demonstrated that a coordinated attack on “smart lightbulbs” could bring a city block of offices to a standstill.
High‑profile breaches, such as the DDoS attack on DNS provider Dyn that reportedly cost the company 8 % of its business, illustrate how devastating IoT‑centric attacks can be. Even as expectations for regulation rise, organizations must proactively secure their own networks.
Steps Every Company Should Take
Traditional security practices—patching, firewalls, anti‑spyware, and employee training—are necessary but not sufficient against the unique threats posed by IoT. The blend of cloud infrastructure and physically distributed devices demands a fresh security mindset. Here are concrete actions that can help you both defend against attacks and align with forthcoming legislation:
- Encrypt device‑level keys so each unit can be monitored and managed individually, rather than relying on a single gateway.
- Derive separate encryption keys for distinct functions (e.g., authentication, data encryption, firmware updates).
- Implement regular key rotation to limit the window of opportunity for a compromised device.
- Centralize visibility and control so you can quarantine or disable suspicious devices instantly.
- Adopt hardware‑based security modules, which provide tamper‑resistant protection that software alone cannot match, a strategy endorsed by analyst Patrick Moorhead.
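The key-handling items in the list above (a key per device, separate keys per function, regular rotation) can be sketched with HKDF (RFC 5869) over a per-device secret. This is an added example, not code from the article or from Helium; the purpose labels, the `epoch` rotation counter and the function names are assumptions made for illustration.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size

# Assumed purpose labels, taken from the functions the list names.
PURPOSES = ("authentication", "data-encryption", "firmware-update")


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: condense the input secret into a pseudorandom key."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand: stretch prk into `length` bytes bound to `info`."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length too large for HKDF")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_device_keys(device_secret: bytes, device_id: str, epoch: int) -> dict:
    """Derive one 32-byte key per purpose for one device and rotation epoch.

    device_secret is a secret provisioned uniquely per unit (assumption);
    epoch is a counter the operator increments on each rotation (assumption).
    """
    if len(device_secret) < 16:
        raise ValueError("device secret too short")
    # Binding the device id into the extract step keeps two devices that
    # were mistakenly given the same secret from sharing derived keys.
    prk = hkdf_extract(device_id.encode(), device_secret)
    return {
        purpose: hkdf_expand(prk, f"{purpose}|epoch={epoch}".encode())
        for purpose in PURPOSES
    }


if __name__ == "__main__":
    secret = bytes(range(32))  # constructed sample secret, not a real key
    for name, key in derive_device_keys(secret, "sensor-0001", 1).items():
        print(name, key.hex())
```

Epoch rotation limits how long a leaked derived key stays useful; it does not help if the per-device root secret itself is extracted, which is the case hardware-based key storage addresses.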
According to IDC, global investment in IoT is projected to reach $1.4 trillion (€1.17 trillion) by 2021. Already, roughly 25 billion devices are connected, and a Hewlett Packard study found that 70–80 % lack adequate encryption or password protection. These gaps make them prime targets for sophisticated attacks, underscoring the urgency of robust security measures.
By adopting the steps above, companies can build resilient IoT ecosystems that safeguard sensitive data, protect critical infrastructure, and unlock the full economic potential of connected technology.
Author: Amir Haleem, CEO of Helium