California was the first state to establish a cybersecurity law covering "smart" devices. The bill, SB-327 Information privacy: connected devices, was introduced in 2017 and passed in the state senate in August 2017.
Starting in January 2020, any manufacturer of a device that connects "directly or indirectly" to the internet must equip it with "reasonable" security features, designed to prevent unauthorized access, modification, or information disclosure.
What does "reasonable" mean?
- If someone can log into the device outside a LAN, then it must have either preprogrammed passwords that are unique to each device (so, no more default login credentials) or a way to generate new authentication credentials before accessing it for the first time.
Amatis Controls compliance with SB-327
- Throughout our system we implement industry-standard security measures, leveraging the system's IPv6 backbone to stay up to date with the latest cybersecurity "best practices" and ensure compliance with the forthcoming IoT Laws (CA SB-327).
- We partner with Cybeats, who provide active monitoring for cybersecurity threats and also ensure we follow best practices. They are also able to generate reports for us that identify any vulnerabilities we may not have addressed.
- The wireless communication used across our mesh network is called 6LoWireless, a robust protocol built for Amatis internet-connected devices. Amatis 6LoWireless is secure, encrypting all messages across the mesh network with AES 128-bit encryption.
- Amatis App and Dashboard users can connect to their assigned lighting controls sites outside a LAN if the site Amatis Border Router (AMBR) device remains connected to the cloud.
- Amatis App and Dashboard users are prompted to create individual accounts with unique passwords and can change the password directly.
- The Amatis API requires user authentication, with 2-factor authentication available.