California Passes the United States' First IoT Security Bill

Welcome to Thomas Insights — every day, we publish the latest news and analysis to keep our readers up to date on what’s happening in industry.


As we well know, the Internet of Things (IoT) is reshaping the state of modern work. From smart sensors for employee safety to increasingly accessible troves of data, the digital space counts the IoT among the top 11 technological innovations poised to shift our understanding of tomorrow’s manufacturing.

The IoT opens countless doors, creating networks of intelligent, connected devices. And those doors haven’t been required to lock — until now.

What Is California SB-327?

Originally introduced in February 2017, California SB-327, “Information Privacy: Connected Devices,” has officially outpaced federal regulatory initiatives, finding its way to the desk of California Governor Jerry Brown. With his signature, the bill takes effect in January 2020.

The first state law to address security in the Internet of Things, the legislation requires manufacturers of “connected devices” to equip their technology with “a reasonable security feature or features.” These features must:

  • Be appropriate to the nature and function of the device.
  • Be appropriate to the information the device manages (that which it may collect, contain, or transmit).
  • Be designed to protect the device and any information contained in it from unauthorized access, destruction, use, modification, or disclosure.

Reasonable, They Say

Critics of the bill say that it’s difficult to get more vague than “reasonable security.” And while it covers a wide array of devices (anything that connects directly or indirectly to the internet, and has an IP or Bluetooth address), the mandate itself has earned credit for being “nice” but … well, weak.

Many are concerned with authentication. As stated, “If a connected device is equipped with a means for authentication outside of a local area network,” the authentication system must be designed without any kind of default password. Manufacturers have two options: either a preprogrammed password that is unique to each individual device, or a built-in mechanism that prompts the user to generate new credentials during first-time device setup.

Goodbye, factory password Access1234.
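As an added illustration of the two permitted options (not code from the article or from any vendor), the following Python fleet audit flags factory records that still rely on a shared default password. The device record format, field names and sample fleet are assumptions constructed for this example:

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

@dataclass
class DeviceRecord:
    """Hypothetical record of one unit as it leaves the factory line."""
    device_id: str
    factory_password: Optional[str]       # credential burned in at manufacture, if any
    setup_requires_new_credential: bool   # first-time setup forces the user to create one

def audit_sb327_authentication(devices: Iterable[DeviceRecord]) -> Dict[str, str]:
    """Return {device_id: verdict} for devices that expose authentication
    outside the local network, checking the two options SB-327 allows:
    (a) a preprogrammed password unique to that device, or
    (b) a built-in step that makes the user generate credentials at first setup."""
    devices = list(devices)
    # Count how many units share each burned-in password across the whole batch.
    counts = Counter(d.factory_password for d in devices if d.factory_password)
    verdicts: Dict[str, str] = {}
    for d in devices:
        if d.factory_password is None:
            verdicts[d.device_id] = ("ok: credential set at first use"
                                     if d.setup_requires_new_credential
                                     else "fail: no credential and no forced setup")
        elif counts[d.factory_password] > 1:
            # The same password on more than one unit is a shared default,
            # exactly what the bill prohibits.
            verdicts[d.device_id] = "fail: shared default password"
        else:
            verdicts[d.device_id] = "ok: unique per-device password"
    return verdicts

# Constructed sample fleet: two units share a default, one has a unique
# per-device password, one forces setup, one ships with nothing at all.
SAMPLE_FLEET = [
    DeviceRecord("cam-0001", "Access1234", False),
    DeviceRecord("cam-0002", "Access1234", False),
    DeviceRecord("cam-0003", "q7Zp-48Lm-vK2d", False),
    DeviceRecord("cam-0004", None, True),
    DeviceRecord("cam-0005", None, False),
]

if __name__ == "__main__":
    for dev, verdict in audit_sb327_authentication(SAMPLE_FLEET).items():
        print(dev, verdict)
```

Uniqueness is only meaningful across the full production run, so in practice the audit should be fed every unit produced, not a single batch.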

The trouble — and greatest concern among many analysts — is that the bill stops here.

The Very Best Intentions

The loose interpretations of “reasonable security” could have deleterious effects. While the legislation offers a solid step in the right direction, critics readily point out a long list of low-hanging digital fruit just waiting for hackers to take advantage of. For example, most of these devices have no inherent security, nor a way to patch or update potential flaws.

Many IoT devices still have listening ports and other unnecessary features that have yet to be “hardened” against cyberattack. And no, we can’t trust firewalls to do all the work.

A series of legislative moves is set to come down the Congressional pipeline, perhaps with more explicit demands for vendors and users alike. In the meantime, we’ll be paying more attention to our passwords and working on in-house strategies to keep hackers at bay.
