The expansion in the IoT ecosystem is not only quantitative but also qualitative, as device technology becomes more complex and integral to various aspects of life. Examples include smart home appliances, wearables and industrial sensors in factories.
It is in this context that regulation is crucial to ensure these devices are safe, secure, and protective of user privacy. The unique characteristics of IoT products – their diversity across cross-industry applications, the volume of data they generate, and so on – pose significant regulatory challenges.
IoT security is a critical area of regulatory focus. The connectivity of IoT devices creates a broad attack surface for cyber threats. In 2016, the Mirai botnet attack hijacked unsecured IoT devices to launch large-scale distributed denial-of-service attacks. Variants of Mirai are still with us today.
Governments around the world are creating IoT security legislation and regulations designed to keep users safe in an increasingly connected world. A failure to meet government regulations or guidelines may result in the inability to distribute products in a region. There is value in security certifications that can help to satisfy current and future government requirements, and that can help to implement security defences.
Regulatory efforts in IoT security include the development of standards and guidelines. In the U.S., the National Institute of Standards and Technology (NIST) has published guidance on IoT cybersecurity; for example, NISTIR 8425 expresses the requirements specifically for consumer IoT products. The UK government has introduced a Code of Practice for consumer IoT security. ETSI – the European Telecommunications Standards Institute – published standard EN 303645, which specifies a set of 13 categories of recommendations and is increasingly adopted across the world; it in fact evolved from the UK Code of Practice.
Although such guidelines were initially voluntary, we are now seeing them gradually becoming mandatory across the globe.
What about data privacy and protection?
IoT devices often collect sensitive personal information including location data and personal health statistics. We need to ensure the privacy and security of this data.
The European Union’s General Data Protection Regulation (GDPR) includes provisions that affect IoT, setting a precedent for data privacy. It mandates strict data handling procedures and grants individuals rights over their personal data. Likewise, the California Consumer Privacy Act (CCPA) provides consumers with rights over the personal information that companies collect about them.
These regulations face challenges in enforcement and applicability for devices that cross international borders. Given the diverse nature of IoT devices, a one-size-fits-all approach to data privacy may not be achievable.
IoT security measures in the EU
29th April 2024 will see the UK’s first consumer connectable product security regime come into effect. This is the Product Security and Telecommunications Infrastructure (PSTI) Act, which will require IoT device manufacturers, distributors, and importers to stop placing products that use default passwords on the UK market, to state how long security updates will be provided, and to provide a vulnerability disclosure policy for their products.
In the European Union, the Cyber Resilience Act (C.R.A.) is being developed to improve security for all Internet-connected devices sold in Europe where security isn’t currently mandated. It is proposed that devices have an “appropriate level of cybersecurity enabled in devices”, specifying default configuration, the prohibition of sale of products with known vulnerabilities, and that security incidents be mitigated.
The C.R.A. sets out a framework of cybersecurity requirements governing the planning, design, development, and maintenance of IoT products, with obligations to be met at every stage of the value chain. It is likely to eventually cover a series of standards, including EN 303645. It is likely that we will see the ‘CE’ marking extended to affirm that products comply with the new cyber security standards, so that consumers and businesses can judge how secure the products are. We will see products categorised depending on the level of risk associated with the product, and we will see differentiated levels of security assessment (certification) associated with those categories.
In parallel with the C.R.A., the EU has also developed a revision to the Radio Equipment Directive (RED) that will require all devices with a radio to comply with further mandatory cybersecurity requirements in order to be sold on the EU market, to be enforced from 2025.
IoT security measures in the US
The year 2023 saw the US government announce plans for a Consumer IoT Product Labelling programme that will provide security guarantees, recommended configuration, and long-term security maintenance for consumer IoT products, to be called the “US Cyber Trust Mark”. A voluntary scheme, it will help Americans more easily choose smart devices that are safer and less vulnerable to cyberattacks.
This label will reward products that meet the requirements of the aforementioned NISTIR 8425 standard by permitting them to display the label. The products will be listed in a US government registry indicating that their cybersecurity has been tested and certified as compliant with US government standards.
Securing the Industrial IoT (IIoT) – protecting our Critical National Infrastructure (CNI)
The Network and Information Systems Directive, or NIS2, which entered into force on 16 January 2023, and which replaced NIS1, aims to eliminate divergences in implementing the repealed NIS1. EU member states will have to transpose NIS2 into their national legislation by October 17, 2024.
The directive classifies certain industries into public and private ‘essential’ and ‘important’ entities. The ‘important entities’ category includes the manufacturing sector – highly relevant for the IoT market. The manufacturing floor can be thought of as a network of physical objects embedded with Internet-connected sensors that collect and exchange data. The IoT helps manufacturers optimise production processes and reduce downtime.
For example, NIS2 mandates disclosure and handling procedures for vulnerabilities, and cybersecurity requirements for secure supply chain relationships within the business. Bearing in mind that an IoT product comprises multiple components in its own supply chain – hardware, software, and services – each with its own vulnerabilities, the importance of IoT products in satisfying the NIS2 requirements becomes clear.
The aforementioned Cyber Resilience Act Regulation is intended to complement the NIS2 Framework.
The UK’s National Cyber Security Centre’s Cyber Assessment Framework is an assessment method, intended to meet both NIS Directive requirements and wider CNI needs.
The IEC 62443 series of standards builds on established standards for the security of general-purpose IT systems, focussing on Industrial Automation and Control Systems (IACS). Within this series, the 62443-4-3 standard specifies the technical security requirements for IIoT. It covers the integration of IIoT with cloud-based functionality into IACS. It also addresses Zero Trust architecture, a relatively new and evolving approach to network design that removes inherent trust from the network, treats it as hostile, and instead establishes confidence in each connection before trusting it.
Conclusions
Governments, device manufacturers and consumers are more focused on IoT security risks than ever, as it dawns on all that having no or only basic security is no longer an option. IoT device cybersecurity will accelerate through the upcoming years, with increasingly active government security regulations driving adoption through the IoT device supply chain.
Designers of Internet-connected products would be wise to build into their products a generous margin of cybersecurity beyond today’s minimum requirements (the ‘Secure By Design’ principle). In this way, they can look forward to being able to satisfy the ever-rising bar of regulations to sell their products globally. Just as important (or even more so), their products and customers will be well protected against cyber-attacks.
Today, you can typically comply with regulations by establishing some basic procedures, such as establishing a vulnerability disclosure policy, and by accompanying your product with a ‘statement of compliance’.
It would be wise to seek compliance with as many of the requirements as possible of established standards such as EN 303645, as regulations become more stringent. Companies such as The IASME Consortium and the British Standards Institute can help manufacturers achieve compliance with existing regulations and guide them in improving their products’ security.
The direction of travel is that governments will mandate cyber security to be built into products, an example being hardware-based security mechanisms such as tamper-resistant chips.
Having security at the hardware level is crucial. Secure By Design and Secure By Default – this is what the IoT industry should be aiming for.
Martin Duffy is a Cyber Security Consultant at Forti5, where he brings skills in Cyber Security, IoT, Operational Technology, Design Engineering, Consumer Electronics, Application Specific Integrated Circuits, and Data Storage technologies.