IoT Security Standards and Regulations: Where Are We Now?

David Maidment -
Illustration: © IoT For All

The regulatory landscape for IoT is evolving rapidly as governments seek to mitigate growing cyber risk and protect not only consumers but societies and economies at large. We are certainly moving in the right direction. Still, with a myriad of standards, regulations, and baseline requirements being introduced to mandate enhanced security across the IoT value chain, there is still some confusion across the ecosystem.

Stakeholders are working towards a more secure connected future. Still, the regulatory picture remains complex without a single source setting out recommendations and specifications that can be applied globally.

So, while we may have come a long way, the need to demystify and defragment the regulatory landscape in a common language and provide a common framework around IoT security is critical to unlocking its potential.

Current Laws and Regulations

On average, there are 5,200 attacks per month on IoT devices, with 7 million data records compromised daily. In 2019, governments started regulating the Internet of Things to mitigate growing cyber risk, especially network and device security. Since then, the IoT regulatory environment has matured at a considerable pace.

Today, the challenge lies in understanding which regulations apply and whether IoT regulatory compliance is enough to provide adequate security. With IoT regulatory requirements and standards changing vastly by geography, the complexities faced in designing, manufacturing, and implementing connected devices cannot be underestimated.

Worldwide, standards organizations guide best practices and ‘baseline’ or ‘core’ requirements for IoT security. In many parts of the world, governments are exploring a firmer, regulatory approach. For example, in California, a law requires manufacturers to implement ‘reasonable security features’ such as having unique passwords per device if they want to sell to consumers in that market. More recently, the US presidency introduced the Executive Order on Improving the Nation’s Cybersecurity to push IoT device companies and software providers to adopt security standards and labeling requirements.

In June 2020, the EU introduced a cybersecurity standard for consumer IoT (ETSI EN 303 645 V2.1.1) products. With intentions of driving better security practices and the adoption of security-by-design principles in new connected consumer product development, the standard consists of 13 provisions, including no universal default passwords.

In the UK, the Department of Culture, Media and Sport (DCMS) announced new proposals to protect users of internet-connected household devices from the threat of cyberattacks. The positive move followed the government’s voluntary Secure by Design Code of Practice for consumer IoT security, helping set the standard for security in the industry and outline manufacturers’ expectations. The approach is based on three security requirements – banning universal default passwords, implementing a means to manage reports of vulnerabilities, and providing transparency on how long the product will receive security updates.

While helping to ensure more robust security, these differing standards are just the tip of the regulatory iceberg around IoT. They are an excellent example of the industry’s confusion, especially for companies without a wealth of security expertise at their disposal. In our 2021 PSA Security Report, 48 percent of respondents considered the fragmentation of standards and regulations the most significant challenge concerning IoT security.

Establishing a Baseline to Defragment the Industry

The good news is that the laws, regulations, and baseline requirements and standards are changing the way we see security – for the better. It is no longer an after-thought; it’s moved to the top of the to-do list. For others, they act as an urgent reminder of the need to design-in security and the risks to IoT companies of inaction. It is more costly to add protection later than build it from the silicon up.

Increased government and industry interest have also taken us a step closer to establishing a baseline for security in all devices, from connected cameras to smart meters or connected sensors. While each industry and geography will have its own security requirements, it is vital to have a program that encourages broad adherence and a common language in the growing ecosystem. One of the most scalable things you can do is embrace a secure-by-design approach that puts a Root of Trust at the foundation of IoT security. This establishes an important foundation of security from the outset and helps manufacturers build trust in IoT.

With no one size fits all solution to protect IoT deployment, cross-industry collaboration will be key in establishing best practices and building a common foundation for security. But even more critically, we need to equip manufacturers to develop devices that work cohesively on different platforms and territories. Fragmented emerging approaches don’t help businesses to view their device security holistically. So moving away from a siloed approach to hardware security, building on a Root of Trust, and leveraging certifications that guarantee adherence to global and regional standards will be essential to scaling the deployment of devices.

Simplifying Security for IoT

We’ve reached a critical inflection point for cybersecurity efforts. In today’s connected world, there is a lot at stake for users, manufacturers, and society as a whole, and regulatory bodies worldwide are responding. New enforceable standards, while complex, are helping to create new frameworks for a more secure IoT. They could be just what the ecosystem needs to come together and forge a more trusted, connected future.

David Maidment - Senior Director Secure Device Ecosystem, Arm (a PSA Certified co-founder), PSA Certified

Guest Writer
Guest Writer
Guest writers are IoT experts and enthusiasts interested in sharing their insights with the IoT industry through IoT For All.
Guest writers are IoT experts and enthusiasts interested in sharing their insights with the IoT industry through IoT For All.