Posted by Rachael Plotkin, December 16, 2019
Silex Webinar Q&A: Everything You Need to Know About California's New Cybersecurity Legislation
Attendees asked a lot of great questions during the webinar Q&A session, and in case you were unable to attend, we wanted to share them, along with answers provided by our IoT experts:
- Are IoT devices connected by cellular networks affected by California's new IoT device legislation?
Yes, the legislation is not specific to the method of connectivity.
- Are client devices subject to the new laws?
Client devices are subject if they have a configuration interface that is accessible via a network connection or web forms.
- Will changes be made to SX-590's firmware to ensure it complies with the new regulations?
Silex has implemented the force new password method to ensure the user installs a unique password during that first use.
- What if a device uses a certificate instead of a password?
That would not require additional changes to be compliant. The use of a certificate to authenticate a client or server exceeds the reasonable requirements of the bill.
- Why enter new credentials to secure the device if the customer has already changed the password?
For devices already deployed, there is no need to update to the new compliant firmware. If the customer has already updated their password, they have taken appropriate steps to protect their unit. With that said, it is common for a customer not to change their settings and to continue using the default password. The legislation and required device update ensure that all users follow the "good practice" of providing a unique password.
- Why would you need to make a legacy product compliant with the new laws?
You do not - the bill does not state any requirements to update legacy products in the field. It does state that any products sold after January 1, 2020, must be compliant. However, if a legacy product is still on the market, the legislation will require it to be updated before continuing to sell it in California.
- Making a network inoperable after a firmware upgrade will not be well taken by customers.
If this comment relates to the need to enter new credentials after doing a firmware upgrade, this does not mean the product is inoperable. As with any update procedure handled by Silex, when a product's existing settings are retained through the update process, the only change that occurs is when initially returning to the unit to access the configuration, prompting a set of credentials to be entered.
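As an added example (not Silex firmware or code from this page), the two answers above modelled in Python: a configuration interface that offers nothing but "set a unique password" while the unit is still on its default credential, and a firmware upgrade that retains existing settings and re-arms that gate only for units still using the default. The placeholder default password, the minimum-length policy and all function names are assumptions of this example.

```python
import hashlib
import os
import secrets
from dataclasses import dataclass, field

DEFAULT_PASSWORD = "access"  # constructed placeholder, not any real product's default

def _hash_pw(pw: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored value is never the plain default string.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

@dataclass
class DeviceState:
    """Persisted configuration of a constructed example device."""
    settings: dict
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: bytes = b""
    must_set_password: bool = True  # first-use gate armed

    def __post_init__(self):
        if not self.pw_hash:  # factory state: default credential, gate armed
            self.pw_hash = _hash_pw(DEFAULT_PASSWORD, self.salt)
            self.must_set_password = True

def _matches(dev: DeviceState, pw: str) -> bool:
    return secrets.compare_digest(_hash_pw(pw, dev.salt), dev.pw_hash)

def password_is_acceptable(pw: str) -> bool:
    """Reject blank, whitespace-only, trivially short and default passwords."""
    return len(pw) >= 8 and not pw.isspace() and pw != DEFAULT_PASSWORD

def open_config(dev: DeviceState, pw: str) -> str:
    """Outcome of a login on the configuration interface."""
    if dev.must_set_password:
        return "set-unique-password"  # the only action offered until the default is gone
    return "granted" if _matches(dev, pw) else "denied"

def set_unique_password(dev: DeviceState, current_pw: str, new_pw: str) -> bool:
    """Replace the credential; succeeds only for an acceptable, non-default password."""
    if not _matches(dev, current_pw) or not password_is_acceptable(new_pw):
        return False
    dev.salt = os.urandom(16)
    dev.pw_hash = _hash_pw(new_pw, dev.salt)
    dev.must_set_password = False
    return True

def upgrade_firmware(old: DeviceState) -> DeviceState:
    """Keep settings and credential; re-arm the gate only if the default is still in use."""
    return DeviceState(settings=dict(old.settings), salt=old.salt, pw_hash=old.pw_hash,
                       must_set_password=_matches(old, DEFAULT_PASSWORD))
```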
- Does a Wireless Bridge that has no IP Address need to comply with the new laws?
If the unit has no IP address and is not accessible from the web or a connected network, and there is no configuration interface, it will not have to comply with the new legislation.
- If the new IoT bills have no penalty for not enforcing the new requirements imposed by the state of California, what good are they?
The expectation is that state agencies will monitor the impact of non-compliance. When a cybersecurity crime occurs that includes vulnerabilities linked to the bill, the state will prosecute the manufacturer of the non-compliant equipment depending on the extent of the damage caused by the cyber-crime.
- When you say "it's the manufacturer's responsibility" to comply with the new regulatory updates, what does that mean?
The bill defines the manufacturer as: "The person who manufactures, or contracts with another person to manufacture on the person's behalf, connected devices that are sold or offered for sale in California. For the purposes of this subdivision, a contract with another person to manufacture on the person's behalf does not include a contract only to purchase a connected device, or only to purchase and brand a connected device."
- Are embedded wireless customers (OEMs) responsible for their end products complying with the new legislation?
Yes, if they sell a connected product into California, they must comply with the legislation. For OEMs that have WLAN or other network component partners, we suggest they work with these partners to ensure that the connected subcomponent of their system provides a compliant solution.
- I am using a Silex module that has a static password. How can Silex help me?
First of all, please contact your sales representative, and we can provide direct advice on how best to proceed. For all of our current products, there will be firmware updates available before the end of 2019. If you use a custom or EOL device, Silex can work with you to ensure compliance as quickly as possible.
- Will all of Silex's impacted products listed and shipped after January 1, 2020, comply with the new regulations?
Yes - Firmware updates that meet the requirements of California's new legislation are currently available on the Silex website for the following products:
Updates to additional products will be made by January 1, 2020.
- I am relatively new to cybersecurity legislation. How can I stay in the know on these types of updates in the future? Any guidance?
Silex provides regular blog and press releases on cybersecurity issues related to the wireless industry. Beyond Silex, several other sources exist that can be utilized, from the central vulnerability database to specific interest groups that manage and monitor cybersecurity for particular industries.
- If I'm a distributor, it sounds like I am free to ship products into California with or without implementing this cybersecurity update. Is it ultimately the manufacturer who will be held accountable?
The intent is that distributors should not ship a product that is non-compliant after January 1, 2020. The bill does state that it is not your responsibility to make the product compliant but the manufacturer's. If a distributor has a non-compliant product in their inventory after January 1, 2020, the distributor can determine the disposition between them and the manufacturer of the product. Note that this is a California-only requirement at the moment and, therefore, only impacts sales within the state of California.