Do the latest IoT security regulations have enough reach?
There’s been a rash of regulation around the world as governments seek to address IoT security. It’s a positive step, indicating the market is maturing, but regulating the IoT space is not without its challenges. Such moves have inevitably met with resistance, from those suggesting it could create IoT waste mountains to others who say it could stymie innovation.
Consequently, each piece of legislation is slightly different. But how these regulations fare will shape the evolution of regulation to come, making it important that we consider the measures being taken, where they excel and where they fall short, says Ken Munro, partner, Pen Test Partners.
- The IoT Cybersecurity Improvement Act 2017 (US): Aimed at controlling the IoT within the US government, the IoT Cybersecurity Improvement Act could hold profound implications for IoT development. Devices must not exhibit known security flaws in the NIST database, must support updates, must not use fixed or hard-coded credentials for remote admin, updates and communication, and vulnerabilities must be disclosed and repaired. However, limiting the flaws to those in the NIST database could see common issues not listed there, such as SQL injection in customer apps, overlooked. It also fails to acknowledge that many RF protocols are designed to use no credentials at all, so these devices would need to be scrapped or upgraded to support a tighter wireless protocol. The Act has yet to be passed, and others on the table include the Smart IoT Act, the DIGIT Act, the Security IoT Act, the Cyber Shield Act and the IoT Consumer TIPS Act.
- Cybersecurity Act (EU): Effective from May 2018, the legislation will see the European Union Agency for Network and Information Security (ENISA) become the agency for cybersecurity, and a certification framework created for certifying connected cars and smart products across all EU member states. The Cybersecurity Act will only be mandated for Critical National Infrastructure. Manufacturers can request to have their IoT devices classified under a certification scheme as ‘basic’, ‘substantial’ or ‘high’, but the system is voluntary. In a bid to entice them, those going for the ‘basic’ level can “carry out conformity tests themselves”. The documentation states ENISA will have the power to “issue warnings targeting providers and manufacturers to improve the security”, but there is no mention of how this will be enforced. It does make provision for complaints, allowing lobbyists and security researchers to whistleblow and responsibly disclose across the union.
- SB-327 (US): Passed in August 2018, SB-327 makes California the first US state to regulate smart tech. It mandates some basic security standards for consumer devices and will come into effect from January 2020. However, the wording is vague, referring to “appropriate” security that is “designed to protect”. Most vendors could claim to have intended to protect the device/data, thereby sidestepping the requirements. It makes unique passwords mandatory but fails to address whether there is a good source of entropy on the device from which to generate them. Retailers are also let off the hook, which could see the market rammed with non-compliant tech pre-2020. There’s no stated requirement for these devices to support updates.
- Code of Practice for Consumer IoT Security (UK): Based on the Secure by Design draft proposal launched in March, the CoP issued by the Department for Digital, Culture, Media and Sport (DCMS) now incorporates the General Data Protection Regulation (GDPR). While broad reaching, providing guidelines for manufacturers, mobile app developers, service providers and retailers, it is voluntary. The CoP states that default passwords should not be used, that credentials and security-sensitive data should be stored securely, and that software should be kept updated. However, while it recommends adopting a vulnerability disclosure policy, it does not require vendors to issue a fix. Nonetheless, it is a very positive step forward for consumer IoT security.
What’s clear is that the authorities are very much in favour of a softly, softly approach, which begs the question: will these standards be observed voluntarily? IoT vendors are under intense pressure to get their products to market. For them to adopt any form of regulation off their own bat would require there to be a significant advantage for them… or repercussions.
It’s here where the market itself could apply more pressure. Give consumers the right to return vulnerable smart goods for credit by enshrining this in trading standards legislation. Encourage the retail sector to commit to not stocking vulnerable devices. Manufacturers would then have more of an incentive to capitulate, to sign up to classification schemes and subject their devices to testing.
Right now, it’s too early to tell how effective self-regulation will be. We need to let the legislation bed down and give the industry the chance to adapt to what could be a pivotal moment for the IoT. Only then can we assess where we need to apply more punitive measures.
The author of this blog is Ken Munro, partner, Pen Test Partners. He regularly briefs UK and US government departments as well as being involved with various EU consumer councils on IoT regulation.