Cybersecurity law is one area that governments and regulatory bodies worldwide are grappling with, as the threat landscape evolves, attitudes to security shift, and the speed at which products reach the market keeps increasing.
Historically, IoT devices have been designed with convenience, ease of use and ease of access in mind. Security has often taken a back seat: devices ship with default passwords, lack encryption and are not regularly patched, which leaves them exposed to attacks that exploit outdated firmware.
As Kamran Jehangir, Technical Consultant at Eseye, pointed out in an exclusive conversation with IoT Insider, the growth of smart home devices has widened the scope of what is connected to the Internet, from “smart” fridges to “smart” printers. That growth has not only increased the number of devices being released, but also necessitates regulation to ensure that security is not an afterthought during the design and development of these devices.
What cybersecurity laws are in place?
Depending on where you are in the world, cybersecurity laws are either stringent or only just beginning to catch up with the devices, individuals and data that are vulnerable to attack.
In the United States, the IoT Cybersecurity Improvement Act of 2020 required the National Institute of Standards and Technology (NIST) to establish standards that federal agencies must follow when acquiring and using connected devices.
There is also the US Cyber Trust Mark, a voluntary labelling scheme put forward by the Federal Communications Commission (FCC) and expected to launch later in 2024. It will initially apply to wireless consumer IoT devices such as home security cameras, fitness trackers and baby monitors, and will appear on devices that meet the scheme’s cybersecurity standards.
Within the European Union (EU), the General Data Protection Regulation (GDPR) requires companies to protect personal data and to report breaches to the supervisory authority within a specific timeframe (72 hours of becoming aware of the breach). When it came into force, it was noted for the impact it had on general awareness of personal data protection.
The Cyber Resilience Act (CRA) is currently a proposal and has not yet come into force, but it is expected to have a significant impact on the security of software, hardware and devices sold within the EU. The NIS2 Directive, which expands the scope of the original Network and Information Security (NIS) Directive, is due to come into law this October.
The CRA is part of the EU’s broader strategy to improve the security of products on its market, in response to a growing number of cyber attacks and threats that are particularly pertinent in the context of IoT.
The Product Security and Telecommunications Infrastructure (PSTI) Act, which came into force on 29th April, applies in the UK only. It mandates that consumer IoT devices meet specific security requirements. Its key provisions ban universal default passwords, require that devices are able to receive security updates, and require manufacturers to be transparent about how security issues can be reported.
The challenges for device manufacturers
One major challenge for IoT device manufacturers is untangling the requirements of each regulation. In the interview, Jehangir gave the example of a smart printer, which falls under the PSTI Act because it connects to Wi-Fi and is classified as a consumer product, whereas medical devices and EV chargers fall outside its scope.
The other major challenge for manufacturers is knowing which legislation to follow, as regulations differ across the world. Some are mandated by law, like the PSTI Act and, once it comes into force, the CRA, while others are voluntary, like the US Cyber Trust Mark. Cybersecurity law is quite fragmented, and device manufacturers selling into different countries will need to comply with each applicable regime.
For further resources on what the CRA, PSTI Act and NIS2 Directive entail, follow the links to learn more from industry experts.