Saving us from demented smart things

Steve Hanna of Infineon Technologies

The Good, the Bad and the Ugly of IoT security regulations

From smart cars to smart factories, the Internet of Things (IoT) is transforming every aspect of modern life. Deployment of smart, connected devices delivers many benefits, says Steve Hanna, senior principal, Infineon Technologies, but also brings a very real threat of cyberattacks that can harm innocent users.

Governments from the USA to the European Union and from the State of California to Singapore are creating IoT security regulations designed to keep us safe in this new, connected world (see Figure 1). But how can we distinguish the good regulations from the bad and the ugly, which will leave us all less secure?

IoT security regulation emerging worldwide

Governments are working hard to find the best solution for this problem. Some are imposing regulations that mandate appropriate security for any IoT device. Some are providing incentives for more secure IoT devices, such as “Secure IoT” labels or government purchases. But whatever the mechanism, certain common sense principles should apply.

Good regulation or bad?

Three fundamental tests distinguish good IoT security regulations from bad ones:

  • Is it risk-based? A smart chemical plant needs more security than a smart toy because the risk is greater if a malfunction should occur. Thus, a one-size-fits-all approach to IoT security regulations won’t work. The higher the risk, the greater the security needed.
  • Is the regulation dynamic? Cyber threats constantly change and regulators can be left playing ‘catch up’. If regulation is static with ‘hard-coded’ rules it will soon be obsolete. A better approach is for regulation to reference separate, more dynamic documents – for instance, standards developed and regularly updated by industry groups based on best practices.
  • Is there a motivation to comply? If companies have no motivation to comply, many will just not bother.

Now let’s look at regulations proposed or in place in various parts of the world and assess them against our scorecard (figure 2).

Scorecard assessment of existing and emerging regulations
  • The California IoT Security Bill, SB-327, was the first law of its kind in the US and came into effect on January 1, 2020. Manufacturers of IoT devices sold in the state are now required to equip each product with ‘a reasonable security feature or features’. Safe harbour terms say that devices meet this bar if they either include a unique pre-programmed password for remote access or require users to generate a new authentication means before first access.

Clearly SB-327 passes the motivation test – you cannot sell products in California unless you comply. However, it is neither risk-based nor dynamic. Indeed, it is arguably already obsolete as passwords are superseded by cryptographic authentication methods. There is also no mention of regular updates, the one thing that everybody recognises as essential for IoT devices.

  • The IoT Cybersecurity Improvement Act of 2019 is a bill before the US Senate and House of Representatives that concerns IoT devices purchased by federal agencies. The bill requires the National Institute of Standards and Technology (NIST) to provide recommendations for the US government on security for IoT devices and calls for co-ordinated disclosure of vulnerabilities. NIST is already working on a risk-based framework, and companies must comply if they want to sell to the US government, so this legislation does well on all three test criteria.
  • The UK government recently issued the Code of Practice for Consumer IoT Security. This publication presents a list of 13 principles for consumer IoT security, such as unique passwords and secured communications. However, these principles are static and limit flexibility. Because the code is voluntary and therefore lacks motivation, few companies have adopted it, which supports the argument that voluntary compliance simply doesn’t work.

In the summer of 2019, the UK government consulted publicly on three options for mandating security requirements for consumer IoT devices:

  1. Requiring retailers to sell only consumer IoT products with an IoT security label, to be issued when manufacturers self-assess that they meet the top three principles in the code of practice mentioned earlier.
  2. The same requirement with no label.
  3. Requiring devices to meet all 13 principles.

Although these proposals would add motivation to comply, the need for risk-based analysis and dynamic regulation is still not addressed.

  • In the EU, the Cybersecurity Act (CSA) came into force in June 2019 and includes the first EU-wide cybersecurity certification framework for ICT products, services and processes. The act will create multiple schemes for different categories and extends the mandate of ENISA, the EU Agency for Cybersecurity, to establish requirements for each security level. Although risk-based and dynamic, it is currently voluntary and so lacks motivation at the present time. In the future, the EU Commission or individual nations may decide to make certifications mandatory.
  • Singapore’s Cybersecurity Act, on the other hand, addresses all three criteria quite well. Effective since March 2018, it creates a national Cyber Security Agency (CSA) empowered to establish codes of practice and standards of performance for owners of critical information infrastructure such as transport or energy. Obliging owners to protect their data and networks, it is risk-based and mandatory at the discretion of the CSA.

Where do we go from here?

Policymakers should ensure that any proposed IoT security regulations are risk-based, dynamic, and motivated. The differences between national standards in this area introduce complexity and the possibility of conflict. Thus international standards and norms will eventually be developed. However, IoT security is a relatively new field and things are changing fast. For now, international norms should be flexible and limited in scope.

Individuals and organisations deploying or building IoT systems must directly address the security risks of these systems, including indirect impacts that infected devices may cause. Thus, they have a duty to keep their systems in compliance with the latest security principles and regulations, including applying best practices for risk management and IoT security. In this respect, the industrial cybersecurity standard IEC 62443 and the IoT Security Foundation’s Best Practice Guide are excellent references.

At the same time, we should remain ready to adapt as threats evolve and be sure to watch for – and be involved in – the drafting of new regulations, commenting diligently on consultations wherever there is the possibility. Above all, we need to voice our opinions, both individually and collectively, to ensure we get regulation that works. Good regulation benefits us all while bad regulations can slow or stop the adoption of new and effective IoT security practices and even of the IoT itself.

The author is Steve Hanna, senior principal at Infineon Technologies

About the author

The author, Steve Hanna is a senior principal at Infineon Technologies. On a global basis, he is responsible for IoT security strategy and technology. Within the Trusted Computing Group, he co-chairs the Embedded Systems Work Group, IoT Sub Group, and Industrial Sub Group. He is a member of the Security Area Directorate in the Internet Engineering Task Force and co-chair of the Industrial IoT Security Work Group in the International Society of Automation.

Hanna has a deep background in information security, especially in software and systems. He is an inventor or co-inventor on 48 issued patents, the author of innumerable standards and white papers, and a regular speaker at industry events. Steve Hanna holds a Bachelor’s degree in Computer Science from Harvard University.


