IoT devices, smart homes and connected devices are supposed to make our lives easier. That sounds great for everyone, and who wouldn't want to remotely adjust the temperature in their apartment via an app?

Internet-enabled systems and devices are now a major IT security risk. California is the first state in the United States to adopt a law (SB-327) on IT security for the IoT (Internet of Things), which has been in effect since January 1, 2020.

This law applies to all devices that are directly or indirectly connected to the Internet and sets a minimum requirement for the IT security of the device.

The SB-327 law obliges manufacturers to ensure adequate security and, above all, not to use default passwords.

MB connect line's interpretation of this law is as follows:

  • The security level of the device must be adapted to the application or use case. For example, a sensor that only provides data requires different measures than a remote access router that provides access to sensitive data. For this purpose, the IEC 62443-4-2 in combination with the Teletrust test scheme has been used in the development and production of our devices.

  • The device's security is intended to protect against hackers who want to access and modify the device. For example, the device must not accept modified firmware from third parties and must have a secure boot process. We at MB connect line sign our firmware, and the firmware is stored on the device with trust anchors so that it is tamper-proof. In addition, all security keys are stored in a hardware secure element and cannot be read by software.

  • If a device is accessible via the public internet, the device must either:

    a) have an individual password (certainly not a default password such as admin / admin or similar), or

    b) force the user to set a password during commissioning. Our systems are supplied with secure individual passwords.

  • MB connect line's devices mbNET, mbNET.rokey and mbNETFIX comply 100% with bill SB-327. You can find more information about the security features of our devices here.

Conclusion:

The planned norms and standards, such as IEC 62443, are of international importance and have an increasing influence on future devices and solutions. However, the following still applies:
Security is not a product but a process that you must also live. California shows here that standards should at least be set. Minimum requirements, such as regulating secure passwords by law, are in any case not a bad idea.

    FHI, federatie van technologiebranches