Cybersecurity Incidents Lead to New Standards, Requirements

Axis Communications’ Wayne Dorris Discusses How Mirai, SolarWinds Have Pushed the United States and European Union to Act

Wayne Dorris is business development manager, cybersecurity, at Axis Communications.

Major cybersecurity breaches have historically led to standards and legislation across the globe aimed at preventing similar incidents, up to and including the recent announcement from the White House about a new cybersecurity labeling program for Internet of Things (IoT) devices. Similarities in standards from different countries are helping global manufacturers comply.

Virtually no security manufacturers are exempt from the perils of cybercrime. If an event were to occur, the results could be ruinous on many levels, particularly financial. Cybercrime is the greatest threat to every company in the world, according to a Cybersecurity Ventures report that expects global cybercrime costs to grow by 15% per year over the next three years, reaching a level of $10.5 trillion by 2025. The vast costs of cybercrime include damage and destruction of data, financial loss, theft of intellectual property, theft of personal and financial data, loss of productivity, disruption to business and reputational harm.

Because the traditional security industry relies on a multitiered model where many products go from manufacturer to distributor to security integrator to end user, manufacturers often are unaware of the final destinations of – and applications for – their products. Therefore, they should understand the provisions of relevant cybersecurity standards – not just those in the United States but around the world.

Many cybersecurity standards in the U.S. are directed at the 16 critical infrastructure sectors identified by the U.S. Department of Homeland Security (DHS). Video surveillance, access control, intrusion detection, and intercom systems are commonly deployed in all 16 DHS-defined sectors. Physical security device manufacturers must ensure that their products have a secure default baseline with additional hardening measures able to be configured. Complying with cybersecurity standards is good business, regardless of whether or not such compliance is mandated and enforced.

While some cyber professionals may want to know what to expect in the future, it is difficult to anticipate coming requirements. At their foundation, cybersecurity standards – and subsequent legislation that puts teeth into many standards – almost always are based on the fallout from cybersecurity incidents. The two most significant recent incidents in the cybersecurity timeline were the Mirai botnet of 2016 and the SolarWinds breach of 2020.

The Mirai Botnet

The Mirai botnet was responsible for some of the largest and most disruptive distributed denial-of-service (DDoS) attacks seen up to that point in the eastern U.S. and parts of Europe. The malware scanned the internet for IoT devices such as consumer security cameras, DVRs and routers, logged in over Telnet using a short list of factory-default username and password combinations, and turned the devices into bots that flooded larger targets with traffic. In October 2016, an attack on the DNS provider Dyn caused hours-long outages at some of the internet’s most prominent sites, including Amazon, Twitter, Netflix, PayPal, Reddit and others.

The response to Mirai from both the U.S. and Europe was a call for a basic level of security in all IoT devices. Many security industry products, like network surveillance cameras, are considered to be at the high end of the IoT scale; however, there are many low-end, consumer IoT products that have limited security features because they are created quickly, are low cost, or are too small to contain extensive compute power.

Four years after Mirai, the IoT Cybersecurity Improvement Act of 2020 required the National Institute of Standards and Technology (NIST) to develop standards and guidelines for federal agencies on the use and management of IoT devices. Building on the IoT device cybersecurity capability baseline NIST had already published (NISTIR 8259A), the resulting federal guidance (NIST SP 800-213) added measures that raise the security requirements for devices going onto a federal network.

An additional response to the Mirai cyberattack, as well as ongoing attacks on critical infrastructure, was the establishment by DHS of the Cybersecurity and Infrastructure Security Agency (CISA) in 2018. CISA is the operational lead for federal cybersecurity and the national coordinator for critical infrastructure security and resilience. 

The SolarWinds Breach

In 2020, SolarWinds Corporation was at the center of what Microsoft President Brad Smith described as “the largest and most sophisticated attack the world has ever seen.” The attackers compromised the network management company’s build environment and inserted a backdoor into its Orion software, which was then distributed to approximately 18,000 public and private organizations as a legitimately signed customer software update. This “supply-chain cyberattack” gave the intruders wide access to both government and corporate information systems.

The response in the U.S. to the SolarWinds breach was a May 2021 executive order by the Biden administration (EO 14028) that charged multiple agencies – including NIST – with enhancing cybersecurity through a variety of initiatives related to the security and integrity of the software supply chain. One of the key components of the order is that it provides clarity on how the government and private sector should collaborate to improve cybersecurity.

Some of the provisions of EO 14028, which directs that “all federal information systems should meet or exceed the standards and requirements for cybersecurity,” draw on existing NIST guidance, such as the Secure Software Development Framework (SSDF, NIST SP 800-218). This matters for IoT, where development has often focused on coding only what the device needs in order to function. SSDF describes development practices so that authentication, password handling, encryption, software updates and vulnerability management are addressed throughout a product’s life cycle rather than bolted on later; building security in at the design phase is far cheaper than changing or adapting code after it has been released. Under EO 14028 and the OMB memorandum that implements it, companies that license or sell software to federal agencies must attest that they follow SSDF practices.

SSDF provides software developers with a set of practices that, when implemented, help reduce the number and severity of vulnerabilities in released software. Some manufacturers, especially global ones, may already follow much of SSDF, because the same secure-by-design principles also run through European Union requirements.

Another key component of EO 14028 is the directive to issue guidance identifying practices that enhance the security of the software supply chain. Companies from which the federal government procures software must provide a software bill of materials (SBOM) for each product, either directly to the purchaser or by publishing it on a public website. Consider the operating system of a camera or audio device, for example. In addition to the manufacturer’s own code, that operating system may contain open-source software and be built up from thousands of other components.

During product procurement, an SBOM gives the government a formal, machine-readable record of the components used in developing the software and the supply chain relationships among them. This requirement is a response to the SolarWinds experience, in which customers did not know exactly what was inside the Orion software they were running. An SBOM records what is present, not whether it is exploitable; its value comes from matching that inventory against vulnerability data so agencies can see which components are current and which carry known flaws.
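As an added illustration of what that matching looks like in practice (example code written for this page, not tooling from Axis, NIST or any SBOM vendor): the block below parses a constructed CycloneDX-style SBOM for a hypothetical camera firmware and checks each component’s version against a constructed advisory list. The component names are real open-source projects, but the firmware, the advisory identifiers and the affected version ranges are all made up for the example and are not real CVEs.

```python
"""Check an SBOM against a list of advisories.

Added example, not code from the article or from any vendor named in it.
CAMERA_SBOM_JSON is a constructed CycloneDX-style document for a hypothetical
camera firmware; EXAMPLE_ADVISORIES are placeholders (not real CVEs) whose
version ranges are made up.
"""
import json
import re
from dataclasses import dataclass

# Constructed SBOM (CycloneDX 1.4 JSON shape) for a hypothetical camera firmware.
CAMERA_SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"type": "firmware", "name": "example-cam-fw", "version": "11.2.0"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1t", "purl": "pkg:generic/openssl@1.1.1t"},
    {"type": "library", "name": "busybox", "version": "1.35.0", "purl": "pkg:generic/busybox@1.35.0"},
    {"type": "library", "name": "libcurl", "version": "7.88.1", "purl": "pkg:generic/libcurl@7.88.1"},
    {"type": "library", "name": "zlib",    "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"}
  ]
}"""

# Placeholder advisories: a component is affected if introduced <= version < fixed.
EXAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "component": "busybox", "introduced": "1.30.0", "fixed": "1.36.0"},
    {"id": "ADV-EXAMPLE-2", "component": "openssl", "introduced": "1.1.1", "fixed": "1.1.1u"},
    {"id": "ADV-EXAMPLE-3", "component": "libcurl", "introduced": "7.0.0", "fixed": "7.80.0"},
    {"id": "ADV-EXAMPLE-4", "component": "zlib", "introduced": "1.3.0", "fixed": "1.3.1"},
]


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: str


_PART = re.compile(r"(\d*)([A-Za-z]*)")


def version_key(version: str) -> tuple:
    """Sortable key for dotted versions with optional letter suffixes (OpenSSL's 1.1.1t).

    Each dotted part becomes (number, suffix), so 1.1.1 < 1.1.1s < 1.1.1t.
    """
    key = []
    for part in version.split("."):
        num, suffix = _PART.match(part).groups()
        key.append((int(num) if num else 0, suffix.lower()))
    return tuple(key)


def load_sbom(text: str) -> list:
    """Parse a CycloneDX JSON SBOM into Component records, rejecting unusable documents."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    comps = []
    for c in doc.get("components", []):
        # A component without a version cannot be matched against any advisory.
        if "name" not in c or "version" not in c:
            raise ValueError(f"component without name/version: {c}")
        comps.append(Component(c["name"].lower(), c["version"], c.get("purl", "")))
    return comps


def find_affected(components, advisories) -> list:
    """Return one finding per (component, advisory) pair whose version is in the affected range."""
    findings = []
    for comp in components:
        v = version_key(comp.version)
        for adv in advisories:
            if adv["component"].lower() != comp.name:
                continue
            if version_key(adv["introduced"]) <= v < version_key(adv["fixed"]):
                findings.append({"component": comp.name, "version": comp.version,
                                 "advisory": adv["id"], "fixed_in": adv["fixed"]})
    return findings


if __name__ == "__main__":
    for f in find_affected(load_sbom(CAMERA_SBOM_JSON), EXAMPLE_ADVISORIES):
        print(f"{f['component']} {f['version']}: {f['advisory']} (fixed in {f['fixed_in']})")
```

Run as written, it flags openssl 1.1.1t and busybox 1.35.0 and leaves libcurl and zlib alone. In a real deployment the advisory list would come from a vulnerability feed and the matching would key on the purl rather than the bare name, but the shape of the check, inventory first, then range matching, is the same.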

With EO 14028, the federal government also turned to “zero trust” architecture – a security model, a set of system design principles, and a strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries. It eliminates implicit trust in any one element, node, or service and replaces it with continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses. If a device is compromised, zero trust can help contain the damage.

The European Union, in response to the SolarWinds breach, adopted the NIS2 Directive in November 2022. NIS2 prescribes minimum security requirements and mandates the reporting of significant incidents to the national competent authority or computer security incident response team (CSIRT), with an early warning due within 24 hours, a fuller notification within 72 hours and a final report within a month. While its predecessor, NIS1, applied to operators of essential services and digital service providers, the new directive also covers “important” medium and large entities, such as those in manufacturing and the food industry, digital providers, postal and courier services and several others.

NIS2’s cybersecurity requirements, in essence, mirror those found in EO 14028. In addition to four overarching areas of obligation that focus on risk management, corporate accountability, reporting obligations and business continuity, Article 21 lists 10 baseline security measures that essential and important entities must implement:

  • Risk assessments and security policies for information systems
  • Policies and procedures for evaluating the effectiveness of security measures
  • Policies and procedures for the use of cryptography and, when relevant, encryption
  • A plan for handling security incidents
  • Security around the procurement of systems and the development and operation of systems; this means having policies for handling and reporting vulnerabilities
  • Cybersecurity training on basic computer hygiene
  • Security procedures for employees with access to sensitive or important data, including policies for data access; affected organizations must also have an overview of all relevant assets and ensure that they are properly handled
  • A plan for managing business operations during and after a security incident; this means that backups must be up to date, and there must also be a plan for ensuring access to IT systems and their operating functions during and after a security incident
  • The use of multifactor authentication or continuous authentication solutions, secured voice, video and text communications, and secured internal emergency communication systems, where appropriate
  • Security around supply chains and the relationship between the company and direct supplier; companies must choose security measures that fit the vulnerabilities of each direct supplier and must assess the overall security level for all suppliers

Some Alignment Among Standards

EO 14028 and NIS2 show how two major jurisdictions have moved toward aligned cybersecurity requirements. The overlap is clearest in the emphasis on multifactor authentication, supply chain security, and incident handling and reporting obligations.

However, one stark difference between EO 14028 and NIS2 concerns penalties. EO 14028 is intended to help private companies become more cybersecure, and its leverage is procurement rather than fines: a vendor that cannot attest to SSDF practices or supply an SBOM risks losing federal business, but no financial or other penalty can be imposed. Under NIS2, though, essential entities that fail to comply after a warning risk fines of up to 10 million euros or 2 percent of global annual revenue, whichever is higher (important entities face up to 7 million euros or 1.4 percent). As the NIS2 directive is set to be transposed into national law by Oct. 17, 2024, affected organizations should take steps to improve their cybersecurity posture in order to prepare for compliance. This includes global manufacturers that already sell products in EU countries.

Cybersecurity Labeling Program

One section of EO 14028 directs the secretary of commerce to initiate pilot programs to educate the public on the security capabilities of IoT devices and software development practices, and to consider ways to incentivize manufacturers and developers to participate in these programs.

On July 18, 2023, the Biden administration announced a cybersecurity certification and labeling program to help American consumers more easily choose smart devices that are safer and less vulnerable to cyberattacks. The new “U.S. Cyber Trust Mark” program proposed by the Federal Communications Commission (FCC) would raise the bar for cybersecurity across common devices, including smart appliances, smart home control systems, smart personal devices and more. In addition, several major electronics, appliance and consumer product manufacturers, retailers and trade associations have made voluntary commitments to increase cybersecurity for the products they sell. Under the proposed federal program, consumers would see a new shield logo on products that meet cybersecurity criteria published by NIST. The FCC is seeking public comments on the program, which is expected to be up and running by late 2024.

As cyber criminals get more sophisticated, cybersecurity protections must become more advanced. Cybersecurity standards can help address threats and provide guidance on secure methods of product development, security controls, vulnerability and life cycle management. As NIST explains, “Well-developed cybersecurity standards enable consistency among product developers and serve as a reliable metric for purchasing security products.”