The Good, the Bad and the Ugly of IoT security regulations
From smart cars to smart factories, the Internet of Things (IoT) is transforming every aspect of modern life. Deployment of smart, connected devices delivers many benefits, says Steve Hanna, senior principal, Infineon Technologies, but also brings a very real threat of cyberattacks that can harm innocent users.
Governments from the USA to the European Union and from the State of California to Singapore are creating IoT security regulations designed to keep us safe in this new, connected world (see Figure 1). But how can we distinguish the good regulations from the bad and the ugly, which will leave us all less secure?
Governments are working hard to find the best solution for this problem. Some are imposing regulations that mandate appropriate security for any IoT device. Some are providing incentives for more secure IoT devices, such as “Secure IoT” labels or government purchases. But whatever the mechanism, certain common sense principles should apply.
Good regulation or bad?
Three fundamental tests distinguish good IoT security regulations from bad ones:
- Is it risk-based? A smart chemical plant needs more security than a smart toy because the risk is greater if a malfunction should occur. Thus, a one-size-fits-all approach to IoT security regulations won’t work. The higher the risk, the greater the security needed.
- Is the regulation dynamic? Cyber threats constantly change and regulators can be left playing ‘catch up’. If regulation is static with ‘hard-coded’ rules it will soon be obsolete. A better approach is for regulation to reference separate, more dynamic documents – for instance, standards developed and regularly updated by industry groups based on best practices.
- Is there a motivation to comply? If companies have no motivation to comply, many will just not bother.
Now let’s look at regulations proposed or in place in various parts of the world and assess them against our scorecard (Figure 2).
- The California IoT Security Bill, SB-327, was the first law of its kind in the US and came into effect on January 1, 2020. Manufacturers of IoT devices sold in the state are now required to equip each product with ‘a reasonable security feature or features’. Safe harbour terms say that devices meet this bar if they either include a unique pre-programmed password for remote access or require users to generate a new authentication means before first access.
Clearly SB-327 passes the motivation test – you cannot sell products in California unless you comply. However, it is neither risk-based nor dynamic. Indeed, it is arguably already obsolete as the use of passwords is superseded by cryptographic methods. There is also no mention of regular updates, one thing that everybody recognises as essential for IoT devices.
- The IoT Cybersecurity Improvement Act of 2019 is a bill before the US Senate and House of Representatives that concerns IoT devices purchased by federal agencies. The bill requires the National Institute of Standards and Technology (NIST) to provide recommendations for the US government on security for IoT devices and calls for co-ordinated disclosure of vulnerabilities. NIST is already working on a risk-based framework and companies must comply if they want to sell to the US government, so this legislation does well on all three test criteria.
- The UK government recently issued the Code of Practice for Consumer IoT Security. This publication presents a list of 13 principles for consumer IoT security, such as unique passwords and secured communications. However, these principles are static and limit flexibility. Because the code is voluntary and therefore lacks motivation, few companies have adopted it, which supports the argument that voluntary compliance simply doesn’t work.
In the summer of 2019, the UK government consulted publicly on three options for mandating security requirements for consumer IoT devices:
- Requiring retailers to sell only consumer IoT products with an IoT security label, to be issued when manufacturers self-assess that they meet the top three principles in the code of practice mentioned earlier.
- The same requirement with no label.
- Requiring devices to meet all 13 principles.
Although these proposals would add motivation to comply, the importance of risk-based analysis and dynamic regulation is still not addressed.
- In the EU, the Cybersecurity Act (CSA) came into force in June 2019 and includes the first EU-wide cybersecurity certification framework for ICT products, services and processes. The act will create multiple schemes for different categories and extends the mandate of ENISA, the EU Agency for Cybersecurity, to establish requirements for each security level. Although risk-based and dynamic, it is currently voluntary and so lacks motivation at the present time. In the future, the EU Commission or individual nations may decide to make certifications mandatory.
- Singapore’s Cybersecurity Act, on the other hand, addresses all three criteria quite well. Effective since March 2018, it creates a national Cyber Security Agency (CSA) empowered to establish codes of practice and standards of performance for owners of critical information infrastructure such as transport or energy. Obliging owners to protect their data and networks, it is risk-based and mandatory at the discretion of the CSA.
Where do we go from here?
Policymakers should ensure that any proposed IoT security regulations are risk-based, dynamic, and motivated. The differences between national standards in this area introduce complexity and the possibility of conflict. Thus international standards and norms will eventually be developed. However, IoT security is a relatively new field and things are changing fast. For now, international norms should be flexible and limited in scope.
Individuals and organisations deploying or building IoT systems must directly address the security risks of these systems, including indirect impacts that infected devices may cause. Thus, they have a duty to keep their systems in compliance with the latest security principles and regulations, including applying best practices for risk management and IoT security. In this respect, the industrial cybersecurity standard IEC 62443 and the IoT Security Foundation’s Best Practice Guide are excellent references.
At the same time, we should remain ready to adapt as threats evolve and be sure to watch for – and be involved in – the drafting of new regulations, commenting diligently on consultations wherever there is the possibility. Above all, we need to voice our opinions, both individually and collectively, to ensure we get regulation that works. Good regulation benefits us all while bad regulations can slow or stop the adoption of new and effective IoT security practices and even of the IoT itself.
The author is Steve Hanna, senior principal at Infineon Technologies
About the author
The author, Steve Hanna is a senior principal at Infineon Technologies. On a global basis, he is responsible for IoT security strategy and technology. Within the Trusted Computing Group, he co-chairs the Embedded Systems Work Group, IoT Sub Group, and Industrial Sub Group. He is a member of the Security Area Directorate in the Internet Engineering Task Force and co-chair of the Industrial IoT Security Work Group in the International Society of Automation.
Hanna has a deep background in information security, especially in software and systems. He is an inventor or co-inventor on 48 issued patents, the author of innumerable standards and white papers, and a regular speaker at industry events. Steve Hanna holds a Bachelor’s degree in Computer Science from Harvard University.