There has been widespread discussion and global engagement regarding the security of the Internet of Things (IoT). Various standards bodies, including NIST, ETSI, and ISO, have been formulating guidelines to enhance the security of interconnected devices, some of which are evolving into legislative measures. Governments are increasingly concerned about IoT security because of its widespread use across critical national infrastructure.
New cybersecurity initiatives driven by governments can pose challenges for the organisations involved. These initiatives often lean towards regulation, reporting, bureaucratic procedures, and other elements that add to the demands placed on IT operations. Naturally, they involve a period of effort-driven adoption that organisations need to plan for and navigate. But the rapid proliferation of IoT devices has meant that wider adoption of IoT security practices has been a priority for cybersecurity professionals for some time.
Three of the most significant IoT regulations coming this year, particularly for businesses operating in the UK, European and US markets, are the PSTI Act, the Cyber Resilience Act and the US Cyber Trust Mark, respectively.
Navigating regulatory frameworks in the UK
The UK’s Product Security and Telecommunications Infrastructure Act (PSTI) comes into effect on 29 April 2024. This law applies to all consumer IoT products, including devices such as connected home alarm systems, smart home assistants, smartphones, connected cameras, and white goods. It means that businesses in the supply chains of these products need to be compliant with the legislation by that date.
The relevant stakeholders for this legislation are consumer IoT device manufacturers, importers and distributors (meaning retailers selling these devices). The requirements below are aimed at manufacturers, but retailers of these devices have a duty to ensure the products they sell are compliant with this legislation. A Statement of Compliance may be one way for distributors to confirm that devices are in line with the law. Businesses will be unable to sell products without this, and non-compliance could result in a penalty of up to £10,000,000 or 4% of a manufacturer’s global turnover, with additional daily penalties for continued non-compliance.
The three main security features of the legislation cover:
- Passwords: consumer IoT devices will not be allowed to have universal default passwords to help prevent mass hacks by cyber criminals.
- Information supplied by the manufacturer on how to report security issues: there must be a disclosure policy where manufacturers provide information on how to report security issues about their products as well as a timeline for when a resolution is expected.
- Declaration of software updates during the device’s lifespan: manufacturers must declare, in English and in accessible language, the lifespan during which security updates will be provided, and must create and release updates to maintain the security of the device throughout that declared lifespan.
Navigating regulatory frameworks in Europe
The EU Cyber Resilience Act (CRA) goes beyond the PSTI Act by increasing the security of both software and the connected devices used by consumers and businesses. Market surveillance authorities in each EU member state will be responsible for fining non-compliant companies, up to a limit set within the act, and for prohibiting non-compliant devices from going to market.
When an IoT system breach occurs, it is unlikely that the breached organisation will be the only one affected, with repercussions felt across the supply chain. While manufacturers will likely be the entities most responsible for the majority of these requirements, the legislation takes a holistic approach to the supply chain, so it also applies to distributors and importers.
The CRA aims to address two key elements. The first is ensuring a high level of security throughout the entire lifecycle of both hardware and software by enforcing a ‘secure by design’ approach, with consistent and comprehensive provision of security updates as well as obligations to report incidents impacting the security of connected devices within 24 hours. Secondly, it gives consumers an active role in selecting products based on their cyber security level by requiring manufacturers to be transparent about the security features in place.
The legislation was accepted by policy makers late last year, marking the end of longstanding disagreements and negotiations. It is expected that the text will be formally adopted by Parliament and the European Council at some point this year. Once enacted into law, manufacturers, importers and distributors of hardware and software products will have 36 months to adapt to the new requirements, with the exception of a shorter 21-month grace period for manufacturers’ obligation to report incidents and vulnerabilities.
Navigating IoT regulatory frameworks in the US
To address concerns related to IoT security, the US government has recently unveiled the much-anticipated “Cyber Trust Mark.” As mentioned in President Biden’s executive order, this initiative introduces a comprehensive labelling programme that empowers consumers to make informed decisions regarding the security of their IoT devices. Similar to the nutrition labels found on food, the US Cyber Trust Mark aims to enhance consumer confidence in IoT products by offering clear and standardised security information.
More specifically, consumers will gain insight into the following elements of their IoT products:
- Manufacturer’s security commitment: Insight into the manufacturer’s cybersecurity track record, including their historical performance in addressing security incidents.
- Device security: Evaluation of the device’s security measures, covering encryption protocols, secure boot processes, and the consistent updating of firmware.
- Privacy Controls: Scrutiny of privacy controls and data management practices, providing details on data collection, utilisation methods, and mechanisms for controlling and sharing data.
- Vulnerability identification and patching: Assessment of the manufacturer’s strategy in identifying and resolving vulnerabilities, along with their responsiveness to releasing timely and effective security patches.
Securing the IoT future
As regulatory frameworks continue to evolve on both sides of the Atlantic, all businesses involved in the production and distribution of IoT devices that operate in these markets must remain vigilant and conform to significantly more stringent regulation. From this year on, investing in an IoT security provider that can guarantee compliance will be the most effective way to continue to access the European and US markets; the alternative is the risk of a heavy financial penalty.
Semiconductor and chip manufacturers will no longer bear the brunt of IoT security alone: the shared commitment to bolstering cybersecurity and empowering consumers signals a positive trajectory towards a safer and more resilient IoT ecosystem. Compliance with these regulations not only safeguards businesses from fines, but also fosters a culture of accountability and responsibility in the rapidly expanding world of interconnected devices.
The author, Dr. Shahram Mossayebi, is the founder and CEO of Crypto Quantique, a provider of quantum-proof hardware and software for the entire IoT supply chain.