Do the latest IoT security regulations have enough reach?

There’s been a rash of regulation around the world as governments seek to address IoT security. It’s a positive step, indicating the market is maturing, but regulating the IoT space is not without its challenges. Such moves have inevitably met with resistance, from those suggesting it could create IoT waste mountains to others who say it could stymie innovation.

Consequently, each piece of legislation is slightly different. But how these regulations fare will shape the evolution of regulation to come, making it important that we consider the measures being taken, where they excel and where they fall short, says Ken Munro, partner, Pen Test Partners.

  1. The IoT Cybersecurity Improvement Act 2017 (US): Aimed at controlling the IoT procured by the US government, the IoT Cybersecurity Improvement Act could hold profound implications for IoT development. Devices must not exhibit known security flaws in the NIST database, must support updates, must not use fixed or hard-coded credentials for remote admin, updates and communication, and vulnerabilities must be disclosed and repaired. However, limiting the flaws to those in the NIST database could see common issues not listed there, such as SQL injection in customer apps, overlooked. It also fails to acknowledge that many RF protocols are designed to use no credentials at all, so these devices would need to be scrapped or upgraded to support a tighter wireless protocol. The Act has yet to be passed, and others on the table include the Smart IoT Act, the DIGIT Act, the Security IoT Act, the Cyber Shield Act and the IoT Consumer TIPS Act.
  2. Cybersecurity Act (EU): Effective from May 2018, the legislation will see the European Union Agency for Network and Information Security (ENISA) become the agency for cybersecurity, with a certification framework created for certifying connected cars and smart products across all EU member states. The Cybersecurity Act will only be mandated for Critical National Infrastructure. Manufacturers can request to have their IoT devices classified under a certification scheme as ‘basic’, ‘substantial’ or ‘high’, but the system is voluntary. In a bid to entice them, those going for the ‘basic’ level can “carry out conformity tests themselves”. The documentation states ENISA will have the power to “issue warnings targeting providers and manufacturers to improve the security”, but there is no mention of how this will be enforced. It does make provision for complaints, allowing lobbyists and security researchers to whistleblow and responsibly disclose across the union.
  3. SB-327 (US): Passed in August 2018, SB-327 makes California the first US state to regulate smart tech. It mandates some basic security standards for consumer devices and will come into effect from January 2020. However, the wording is vague, referring to “appropriate” security that is “designed to protect”. Most vendors could claim to have intended to protect the device or its data, thereby sidestepping the requirements. It makes unique passwords mandatory but fails to address whether there is a good source of entropy on the device to generate them. Retailers are also let off the hook, which could see the market rammed with non-compliant tech pre-2020. There’s no stated requirement for these devices to support updates.
  4. Code of Practice for Consumer IoT Security (UK): Based on the Secure by Design draft proposal launched in March, the CoP issued by the Department for Digital, Culture, Media and Sport (DCMS) now incorporates the General Data Protection Regulation (GDPR). While broad reaching, providing guidelines for manufacturers, mobile app developers, service providers and retailers, it is voluntary. The CoP states that default passwords should not be used, that credentials and security-sensitive data should be stored securely, and that software should be kept updated. However, while it recommends adopting a vulnerability disclosure policy, it does not require vendors to issue a fix. Nonetheless, it is a very positive step forward for consumer IoT security.

What’s clear is that the authorities are very much in favour of a softly, softly approach, which begs the question: will these standards be observed voluntarily? IoT vendors are under intense pressure to get their products to market. For them to adopt any form of regulation of their own accord would require a significant advantage for them… or repercussions.

It’s here where the market itself could apply more pressure. Give consumers the right to return vulnerable smart goods for credit by enshrining this in trading standards legislation. Encourage the retail sector to commit to not stocking vulnerable devices. Manufacturers would then have more of an incentive to capitulate, to sign up to classification schemes and subject their devices to testing.

Right now, it’s too early to tell how effective self-regulation will be. We need to let the legislation bed down and give the industry the chance to adapt to what could be a pivotal moment for the IoT. Only then can we assess where we need to apply more punitive measures.

The author of this blog is Ken Munro, partner, Pen Test Partners. He regularly briefs UK and US government departments as well as being involved with various EU consumer councils on IoT regulation.
