June 2, 2020

Last Updated on January 18, 2024


At least weekly we are chatting with Internet of Things (IoT) product vendors that are looking to get testing and an attestation that their devices are “CA SB-327 certified” or “CA SB-327 compliant.”
It’s amazing that something so small (the meaningful part of CA SB-327 is just 155 words) is having an impact so big. To put its length in perspective, Ricky Bobby’s “Dear Lord Baby Jesus” grace before dinner in Talladega Nights was 158 words (before he is interrupted by Carley Bobby). Yes, I am a huge fan of that film…
Like any prayer, what SB-327 doesn’t say is as, or more, important than what it actually does say (see the actual text at the end).
If you read SB-327 with a literal eye, you might assume that the only requirement is for the device to have a unique password. And we have spoken with a number of device manufacturers that have interpreted it exactly that way.
I couldn’t disagree more.
The most important phrase in the law is “…reasonable security feature or features.” The most important challenge in interpreting the law is deciding what “reasonable security” means. Companies that need to conform with the California Consumer Privacy Act (CCPA) are all too familiar with this challenge, as CCPA establishes a similar “reasonable security” standard.
Fortunately (or unfortunately) there is some precedent for interpreting this, which the California Attorney General’s Office provided in its 2016 California Data Breach Report. This report established reasonable security as being aligned with “an authoritative information security standard” such as ISO 27001 or NIST SP 800-53. It later says “The 20 controls in the Center for Internet Security’s Critical Security Controls define a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”
Here are the 20 CIS Controls:

CSC 1 Inventory of Authorized and Unauthorized Devices
CSC 2 Inventory of Authorized and Unauthorized Software
CSC 3 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
CSC 4 Continuous Vulnerability Assessment and Remediation
CSC 5 Controlled Use of Administrative Privileges
CSC 6 Maintenance, Monitoring, and Analysis of Audit Logs
CSC 7 Email and Web Browser Protection
CSC 8 Malware Defenses
CSC 9 Limitation and Control of Network Ports, Protocols, and Services
CSC 10 Data Recovery Capability
CSC 11 Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
CSC 12 Boundary Defense
CSC 13 Data Protection
CSC 14 Controlled Access Based on the Need to Know
CSC 15 Wireless Access Control
CSC 16 Account Monitoring and Control
CSC 17 Security Skills Assessment and Appropriate Training to Fill Gaps
CSC 18 Application Software Security
CSC 19 Incident Response and Management
CSC 20 Penetration Tests and Red Team Exercises

Logically, this makes total sense. If access to assets is not properly managed/maintained/monitored and the assets themselves are not optimally patched/configured, good passwords aren’t going to save you.
One other issue that I have pointed out in other blogs on IoT testing is that a secure device does not make the overall IoT solution secure. Most IoT solutions we test incorporate some combination of one or more devices, a cloud portal, cloud APIs and mobile apps. If all of these are not properly secured, it likewise doesn’t matter if your device fully conforms with the CIS CSC.
One last thought: If you are going to use the CIS CSC, be sure to also use the guidance included in “Internet of Things Security Companion to the CIS Controls.”
One last, last thought: It’s amazing how much two simple words like “reasonable security” can actually mean… I’m not sure they really needed the other 153. 😊
TITLE 1.81.26. Security of Connected Devices
1798.91.04.
(a) A manufacturer of a connected device shall equip the device with a reasonable security feature or features that are all of the following:

(1) Appropriate to the nature and function of the device.

(2) Appropriate to the information it may collect, contain, or transmit.

(3) Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.

(b) Subject to all of the requirements of subdivision (a), if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met:

(1) The preprogrammed password is unique to each device manufactured.

(2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
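The two subdivision (b) safe-harbour mechanisms above are the one concrete design point in the statute, so here is an added example of what they look like in firmware logic. This is illustrative code written for this page, not code from the original post, from the statute, or from any vendor’s product; the names `ConnectedDevice`, `provision_device` and `has_unique_factory_credentials` are hypothetical. It models (b)(1) as a random per-device label password generated at manufacturing (the device keeps only a salted hash), and (b)(2) as a login gate where the factory credential can only open the set-your-own-credential flow and never grants access by itself. A small manufacturing QA check flags the classic failure mode the post warns about: every unit shipping with the same default.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

PBKDF2_ROUNDS = 50_000  # illustrative work factor; a real device would tune this for its CPU


def _hash_pw(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the device never stores a plaintext credential."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class ConnectedDevice:
    """Hypothetical credential state held in one device's firmware (not real vendor code)."""
    serial: str
    factory_salt: bytes
    factory_pw_hash: bytes                # hash of the unique password printed on the label
    user_salt: Optional[bytes] = None
    user_pw_hash: Optional[bytes] = None  # populated once the user generates a credential

    def _factory_pw_ok(self, password: str) -> bool:
        return hmac.compare_digest(_hash_pw(password, self.factory_salt), self.factory_pw_hash)

    def authenticate(self, password: str) -> str:
        """Returns 'granted', 'denied' or 'must_set_credential'.

        Until the user has generated their own credential, the factory password
        opens only the set-credential flow (SB-327 (b)(2)); it never grants access.
        """
        if self.user_pw_hash is not None:
            ok = hmac.compare_digest(_hash_pw(password, self.user_salt), self.user_pw_hash)
            return "granted" if ok else "denied"
        if self._factory_pw_ok(password):
            return "must_set_credential"
        return "denied"

    def set_credential(self, factory_password: str, new_password: str) -> bool:
        """First-time credential generation; refuses short values or reuse of the label password."""
        if self.user_pw_hash is not None or not self._factory_pw_ok(factory_password):
            return False
        if len(new_password) < 12 or new_password == factory_password:
            return False
        self.user_salt = secrets.token_bytes(16)
        self.user_pw_hash = _hash_pw(new_password, self.user_salt)
        return True


def provision_device(serial: str) -> Tuple[ConnectedDevice, str]:
    """Manufacturing step implementing (b)(1): a random password unique to this unit.

    Returns the device and the label password to print; the device keeps only a salted hash.
    """
    label_password = secrets.token_urlsafe(12)
    salt = secrets.token_bytes(16)
    return ConnectedDevice(serial, salt, _hash_pw(label_password, salt)), label_password


def has_unique_factory_credentials(label_passwords: List[str]) -> bool:
    """Manufacturing QA check: a shared default such as 'admin' across units fails (b)(1)."""
    return len(set(label_passwords)) == len(label_passwords)


if __name__ == "__main__":
    # Constructed walk-through of one device's first login after unboxing.
    dev, label_pw = provision_device("SN-EXAMPLE-0001")
    print(dev.authenticate("admin"))                                      # denied
    print(dev.authenticate(label_pw))                                     # must_set_credential
    print(dev.set_credential(label_pw, "a-long-user-chosen-passphrase"))  # True
    print(dev.authenticate(label_pw))                                     # denied: factory password retired
    print(dev.authenticate("a-long-user-chosen-passphrase"))              # granted
    fleet = [provision_device(f"SN-EXAMPLE-{i:04d}") for i in range(3)]
    print(has_unique_factory_credentials([pw for _, pw in fleet]))        # True
    print(has_unique_factory_credentials(["admin", "admin", "admin"]))    # False
```

Note that the statute’s (b) only reaches authentication “outside a local area network”; this model gates every login the same way, which is the stricter and simpler posture and avoids having to trust the device’s own idea of which interface a request arrived on.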

“Dear Lord Baby Jesus, or as our brothers in the South call you: ‘Hey-suz’. We thank you so much for this bountiful harvest of Dominos, KFC, and the always delicious Taco Bell. I just want to take time to say thank you for my family: my two beautiful, beautiful, handsome striking sons, Walker and Texas Ranger, or TR as we call him. And, of course, my red hot smokin’ wife Carley, who is a stone cold fox, who if you would rate her *** on 100, it would easily be a 94. I also want to thank you for my best friend and teammate, Cal Naughton Jr, who’s got my back no matter what… Dear Lord Baby Jesus, we also thank you for my wife’s father Chip. We hope that you can use your Baby Jesus powers to heal him and his horrible leg. It smells terrible and the dogs are always botherin’ with it. Dear Tiny Infant Jesus…”