Do the latest IoT security regulations have enough reach?

There’s been a rash of regulation around the world as governments seek to address IoT security. It’s a positive step, indicating the market is maturing, but regulating the IoT space is not without its challenges. Such moves have inevitably met with resistance, from those who warn it could create mountains of IoT waste to others who say it could stymie innovation.

Consequently, each piece of legislation is slightly different. But how these regulations fare will shape the evolution of regulation to come, making it important that we consider the measures being taken, where they excel and where they fall short, says Ken Munro, partner, Pen Test Partners.

  1. The IoT Cybersecurity Improvement Act 2017 (US): Aimed at controlling the IoT within the US government, the IoT Cybersecurity Improvement Act could hold profound implications for IoT development. Devices must not exhibit known security flaws listed in the NIST vulnerability database, must support updates, must not use fixed or hard-coded credentials for remote administration, updates or communication, and vulnerabilities must be disclosed and repaired. However, limiting the flaws to those in the NIST database could see common issues not listed there, such as SQL injection in customer apps, overlooked. It also fails to acknowledge that many RF protocols are designed to use no credentials at all, so these devices would need to be scrapped or upgraded to support a tighter wireless protocol. The Act has yet to be passed, and others on the table include the Smart IoT Act, the DIGIT Act, the Security IoT Act, the Cyber Shield Act and the IoT Consumer TIPS Act.
  2. Cybersecurity Act (EU): Effective from May 2018, the legislation will see the European Union Agency for Network and Information Security (ENISA) become the agency for cybersecurity, with a certification framework created for certifying connected cars and smart products across all EU member states. The Cybersecurity Act will only be mandated for Critical National Infrastructure. Manufacturers can request to have their IoT devices classified under a certification scheme as ‘basic’, ‘substantial’ or ‘high’, but the system is voluntary. In a bid to entice them, those going for the ‘basic’ level can “carry out conformity tests themselves”. The documentation states ENISA will have the power to “issue warnings targeting providers and manufacturers to improve the security”, but there is no mention of how this will be enforced. It does make provision for complaints, allowing lobbyists and security researchers to whistleblow and responsibly disclose across the union.
  3. SB-327 (US): Passed in August 2018, SB-327 makes California the first US state to regulate smart tech. It mandates some basic security standards for consumer devices and will come into effect from January 2020. However, the wording is vague, referring to “appropriate” security that is “designed to protect”. Most vendors could claim to have intended to protect the device/data, thereby sidestepping the requirements. It makes unique passwords mandatory but fails to address whether there is a good source of entropy on the device: a password that is unique per unit but generated from a predictable seed, or derived from a printed identifier, is unique without being secret. Retailers are also let off the hook, which could see the markets rammed with non-compliant tech pre-2020. There’s no stated requirement for these devices to support updates.
  4. Code of Practice for Consumer IoT Security (UK): Based on the Secure by Design draft proposal launched in March, the CoP issued by the Department for Digital, Culture, Media and Sport (DCMS) now incorporates the General Data Protection Regulation (GDPR). While broad-reaching, providing guidelines for manufacturers, mobile app developers, service providers and retailers, it is voluntary. The CoP states that default passwords should not be used, that credentials and security-sensitive data should be stored securely, and that software should be kept updated. However, while it recommends having a vulnerability disclosure policy, it does not require vendors to issue a fix. Nonetheless, it is a very positive step forward for consumer IoT security.
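The entropy gap noted under SB-327 above is easy to show in code. The following is an added example, not part of Ken Munro’s article and not any vendor’s real provisioning code: it compares three constructed ways of issuing a “unique” per-device password (derived from the printed serial, drawn from a non-cryptographic PRNG seeded with seconds since boot, and drawn from the OS CSPRNG) and applies the kind of batch check a test lab could run on a production run. The serial-number format, the 0–59 second seed range and the batch size are all assumptions made for the demonstration.

```python
"""
Added example (not from the article): a "unique password per device" rule
is satisfied by all three generators below, but only one of them produces
passwords that are actually unpredictable.

  1. derive_from_serial  - password is a function of the printed serial number
  2. weak_rng_password   - PRNG seeded from a low-entropy value (seconds since boot)
  3. csprng_password     - OS CSPRNG via the `secrets` module
Serial numbers, seed range and batch size are constructed for the demo.
"""
import hashlib
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
PASSWORD_LEN = 12


def derive_from_serial(serial: str) -> str:
    """Hypothetical vendor scheme: 'unique' per device, but zero secret entropy.
    Anyone who can read the label, or who knows the serial pattern, can
    recompute the password, so uniqueness buys nothing here."""
    digest = hashlib.sha256(serial.encode()).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:PASSWORD_LEN])


def weak_rng_password(seconds_since_boot: int) -> str:
    """Seeds a non-cryptographic PRNG from a value with about 6 bits of entropy
    (0-59). Each password looks random, yet only 60 distinct values exist."""
    rng = random.Random(seconds_since_boot)
    return "".join(rng.choice(ALPHABET) for _ in range(PASSWORD_LEN))


def csprng_password() -> str:
    """Draws from the OS CSPRNG; needs no serial, clock or other device value."""
    return "".join(secrets.choice(ALPHABET) for _ in range(PASSWORD_LEN))


def all_unique(passwords) -> bool:
    """The only property a bare 'unique password' requirement checks."""
    return len(set(passwords)) == len(passwords)


def distinct_fraction(passwords) -> float:
    """Batch-level check a lab can run on a production run: the share of
    distinct passwords. Close to 1.0 is expected; a low value means the
    generator is drawing from a tiny seed space."""
    return len(set(passwords)) / len(passwords)


def provisioning_report(batch_size: int = 1000) -> dict:
    """Provision `batch_size` constructed devices with each strategy and
    summarise what a 'unique password' audit sees versus what an entropy
    check sees."""
    serials = [f"SN{n:08d}" for n in range(batch_size)]  # constructed serials
    derived = [derive_from_serial(s) for s in serials]
    # constructed first-boot clock: provisioning always ran within 0..59 s of boot
    weak = [weak_rng_password(n % 60) for n in range(batch_size)]
    strong = [csprng_password() for _ in range(batch_size)]
    return {
        # the derived scheme passes a uniqueness audit...
        "derived_unique": all_unique(derived),
        # ...but anyone with the serial recomputes the same password
        "derived_recomputable": derive_from_serial(serials[0]) == derived[0],
        # weak seeding collapses 1000 devices onto 60 passwords
        "weak_distinct_fraction": distinct_fraction(weak),
        "strong_distinct_fraction": distinct_fraction(strong),
    }


if __name__ == "__main__":
    for key, value in provisioning_report().items():
        print(f"{key}: {value}")
```

The point of `distinct_fraction` is that it is cheap enough to be written into a certification scheme: a regulator or test lab that mandates unique passwords could also demand that a sampled production batch show no meaningful collision rate, which the serial-derived scheme would pass and the poorly seeded one would fail.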

What’s clear is that the authorities are very much in favour of a softly, softly approach, which raises the question: will these standards be observed voluntarily? IoT vendors are under intense pressure to get their products to market. For them to adopt any form of regulation off their own bat would require there to be a significant advantage for them… or repercussions.

It’s here where the market itself could apply more pressure. Give consumers the right to return vulnerable smart goods for credit by enshrining this in trading standards legislation. Encourage the retail sector to commit to not stocking vulnerable devices. Manufacturers would then have more of an incentive to capitulate, to sign up to classification schemes and subject their devices to testing.

Right now, it’s too early to tell how effective self-regulation will be. We need to let the legislation bed down and give the industry the chance to adapt to what could be a pivotal moment for the IoT. Only then can we assess where we need to apply more punitive measures.

The author of this blog is Ken Munro, partner, Pen Test Partners. He regularly briefs UK and US government departments as well as being involved with various EU consumer councils on IoT regulation.

