Saving us from demented smart things

Steve Hanna of Infineon Technologies

The Good, the Bad and the Ugly of IoT security regulations

From smart cars to smart factories, the Internet of Things (IoT) is transforming every aspect of modern life. Deployment of smart, connected devices delivers many benefits, says Steve Hanna, senior principal, Infineon Technologies, but also brings a very real threat of cyberattacks that can harm innocent users.

Governments from the USA to the European Union and from the State of California to Singapore are creating IoT security regulations designed to keep us safe in this new, connected world (see Figure 1). But how can we distinguish the good regulations from the bad and the ugly, which will leave us all less secure?

IoT security regulation emerging worldwide

Governments are working hard to find the best solution for this problem. Some are imposing regulations that mandate appropriate security for any IoT device. Some are providing incentives for more secure IoT devices, such as “Secure IoT” labels or government purchases. But whatever the mechanism, certain common sense principles should apply.

Good regulation or bad?

Three fundamental tests distinguish good IoT security regulations from bad ones:

  • Is it risk-based? A smart chemical plant needs more security than a smart toy because the risk is greater if a malfunction should occur. Thus, a one-size-fits-all approach to IoT security regulations won’t work. The higher the risk, the greater the security needed.
  • Is the regulation dynamic? Cyber threats constantly change and regulators can be left playing ‘catch up’. If regulation is static with ‘hard-coded’ rules it will soon be obsolete. A better approach is for regulation to reference separate, more dynamic documents – for instance, standards developed and regularly updated by industry groups based on best practices.
  • Is there a motivation to comply? If companies have no motivation to comply, many will just not bother.

Now let’s look at regulations proposed or in place in various parts of the world and assess them against our scorecard (figure 2).

Scorecard assessment of existing and emerging regulations
  • The California IoT Security Bill, SB-327, was the first law of its kind in the US and came into effect on January 1, 2020. Manufacturers of IoT devices sold in the state are now required to equip each product with ‘a reasonable security feature or features’. Safe harbour terms say that devices meet this bar if they either include a unique pre-programmed password for remote access or require users to generate a new authentication means before first access.

Clearly SB-327 passes the motivation test – you cannot sell products in California unless you comply. However, it is neither risk-based nor dynamic. Indeed, it is arguably already obsolete as the use of passwords becomes superseded by cryptographic methods. There is also no mention of regular updates; one thing that everybody recognises as essential for IoT devices.

  • The IoT Cybersecurity Improvement Act of 2019 is a bill before the US Senate and House of Representatives that concerns IoT devices purchased by federal agencies. The bill requires the National Institute for Science and Technology (NIST) to provide recommendations for the US government on security for IoT devices and calls for co-ordinated disclosure of vulnerabilities. NIST is already working on a risk-based framework and companies must comply if they want to sell to the US government, so this legislation does well on all three test criteria.
  • The UK government recently issued the Code of Practice for Consumer IoT Security. This publication presents a list of 13 principles for consumer IoT security, such as unique passwords and secured communications. However, these principles are static and limit flexibility. Because the code is voluntary and therefore lacks motivation, few companies have adopted it, which supports the argument that voluntary compliance simply doesn’t work.

In the summer of 2019, the UK government consulted publicly on three options for mandating security requirements for consumer IoT devices:

  1. Requiring retailers to sell only consumer IoT products with an IoT security label, to be issued when manufacturers self-assess that they meet the top three principles in the code of practice mentioned earlier.
  2. The same requirement with no label
  3. Requiring devices to meet all 13 principles.

Although these proposals would add motivation to comply, the importance of risk-based analysis and dynamic regulation are still not addressed.

  1. In the EU, the Cybersecurity Act (CSA) came into force in June 2019 and includes the first EU-wide cybersecurity certification framework for ICT products, services and processes. The act will create multiple schemes for different categories and extends the mandate of ENISA, the EU Agency for Cybersecurity, to establish requirements for each security level. Although risk-based and dynamic, it is currently voluntary and so lacks motivation at the present time. In the future, the EU Commission or individual nations may decide to make certifications mandatory.
  2. Singapore’s Cybersecurity Act, on the other hand, addresses all three criteria quite well. Effective since March 2018, it creates a national Cyber Security Agency (CSA) empowered to establish codes of practice and standards of performance for owners of critical information infrastructure such as transport or energy. Obliging owners to protect their data and networks, it is risk-based and mandatory at the discretion of the CSA.

Where do we go from here?

Policymakers should ensure that any proposed IoT security regulations are risk-based, dynamic, and motivated. The differences between national standards in this area introduce complexity and the possibility of conflict. Thus international standards and norms will eventually be developed. However, IoT security is a relatively new field and things are changing fast. For now, international norms should be flexible and limited in scope.

Individuals and organisations deploying or building IoT systems must directly address the security risks of these systems, including indirect impacts that infected devices may cause. Thus, they have a duty to keep their systems in compliance with the latest security principles and regulations, including applying best practices for risk management and IoT security. In this respect, the industrial cybersecurity standard IEC 62443 and the IoT Security Foundation’s Best Practice Guide are excellent references.

At the same time, we should remain ready to adapt as threats evolve and be sure to watch for – and be involved in – the drafting of new regulations, commenting diligently on consultations wherever there is the possibility. Above all, we need to voice our opinions, both individually and collectively, to ensure we get regulation that works. Good regulation benefits us all while bad regulations can slow or stop the adoption of new and effective IoT security practices and even of the IoT itself.

The author is Steve Hanna, senior principal at Infineon Technologies

About the author

The author, Steve Hanna is a senior principal at Infineon Technologies. On a global basis, he is responsible for IoT security strategy and technology. Within the Trusted Computing Group, he co-chairs the Embedded Systems Work Group, IoT Sub Group, and Industrial Sub Group. He is a member of the Security Area Directorate in the Internet Engineering Task Force and co-chair of the Industrial IoT Security Work Group in the International Society of Automation.

Hanna has a deep background in information security, especially in software and systems. He is an inventor or co-inventor on 48 issued patents, the author of innumerable standards and white papers, and a regular speaker at industry events. Steve Hanna holds a Bachelor’s degree in Computer Science from Harvard University.

Comment on this article below or via Twitter: @IoTNow_OR @jcIoTnow

RECENT ARTICLES

Army’s new next generation squad weapon programme to launch ARC’s weapons intelligence platform

Posted on: August 12, 2022

Washington – Armaments Research Company, Inc, a technology and data company serving national security and public safety customers, announced their Internet-of-Things (IoT) full-stack technology will be introduced in the Next Generation Squad Weapon (NGSW) programme of record, in partnership with Sig Sauer. For the first time in 65 years, the U.S. Army’s initiative will replace

Read more

Connected logistics market to hit $47.6bn valuation by 2029 backed by MaaS for fleet management

Posted on: August 12, 2022

The global connected logistics market stands at a valuation of US$22.2 billion (€21.61 billion) in 2022 and is projected to reach $47.6 billion (€46.34 billion) by the end of 2029. Demand for connected logistics is estimated to increase at a compound annual growth rate (CAGR) of 11.5% over the forecast period (2022-2029).

Read more
FEATURED IoT STORIES

9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, home automation using iot is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more

5 challenges still facing the Internet of Things

Posted on: June 3, 2020

The Internet of Things (IoT) has quickly become a huge part of how people live, communicate and do business. All around the world, web-enabled devices are turning our world into a more switched-on place to live.

Read more

What is IoT?

Posted on: July 7, 2019

What is IoT Data as a new oil IoT connectivity What is IoT video So what’s IoT? The phrase ‘Internet of Things’ (IoT) is officially everywhere. It constantly shows up in my Google news feed, the weekend tech supplements are waxing lyrical about it and the volume of marketing emails I receive advertising ‘smart, connected

Read more
IoT Newsletter

Join the IoT Now online community for FREE, to receive: Exclusive offers for entry to all the IoT events that matter, round the world

Free access to a huge selection of the latest IoT analyst reports and industry whitepapers

The latest IoT news, as it breaks, to your inbox