California IoT law in force

The state of California in the USA was the first of its country to pass a law (SB-327) on IT security for IoT (Internet of Things)

IoT devices, smarthomes and connected devices should make our lives easier. That sounds very good to everyone and who wouldn’t like to remotely set the temperature in their apartment via the app?

Systems and devices with internet access are a significant IT security risk these days. The state of California in the USA was the first of its country to pass a law (SB-327) on IT security for IoT (Internet of Things) and that has been in force since January 1, 2020.

It applies to all devices that are directly or indirectly connected to the Internet and places a minimum requirement on the IT security of the device.

Law SB-327 requires manufacturers to ensure adequate security and, above all, not to use default passwords.

Our interpretation of this law is as follows:

1. The security level of the device must be adapted to the application or usecase. For example, for a sensor that only provides data, other measures are required compared to a remote maintenance router that gives access to sensitive data. For this purpose, we used the IEC 62443-4-2 in use with the Teletrust test scheme when developing and manufacturing our devices.

2. The security device is intended to protect against hackers who want to access and modify the device. For example, the device should not accept third-party modified firmware and demonstrate a secure boot process. We at MB connect line sign our firmware and our firmware trust anchors are tamper-proof burned onto the device. In addition, all security keys are stored in a hardware-secure element and cannot be viewed by software.

3. If a device can be accessed via the public Internet, then the device should either a) have an individual password (definitely not a standard password like admin / admin or similar) or b) the user is forced to set a password during commissioning, our systems are delivered with secure individual passwords.

With our devices mbNET and mbNETFIX we are 100% compliant with the law SB-327. You can find out more about the security features of our devices here.

Conclusion:

The planned norms and standards, such as IEC 62443, are of international importance and have an increasing impact on future devices and solutions. Nevertheless, the following still applies: Security is not a product, but a process that you also have to live. California shows here that at least you have to start setting a few standards. Minimum requirements, such as regulating secure passwords by law, are at least not a bad idea.

Find your sales partner

Find your personal contact person in your area.

Start your remote services

Are you looking for an all-in-one solution? Try our web-based remote access portal today.

u

We are here to help you

Questions? We can help you. For direct support, you can also call us.

Stay informed

Subscribe here to get updates on IoT and remote access solutions, products and features and get the latest cybersecurity updates.

You have questions?

Write us!

Allgemeine Anfrage EN

Callmeback

As an expert for secure remote access, IIoT and industrial security, we are committed to the highest standards in cyber security and the protection of industrial control systems.

With certifications such as IEC 62443-4-1, we are demonstrating a strong commitment to quality, security and trust in our development processes and products.

Our DNA: 100% IT-Security
for more than 25 years.

Red Lion Europe GmbH

Winnettener Str. 6
91550 Dinkelsbühl
Germany

Contact
Follow us