Regulation will change how devices are designed, deployed and managed in life and is one of the factors behind our IoT Security Management Framework and its Defend, Detect and React provisions. It is driving a sharper focus on IoT Security for OEMs, Solution Providers and Enterprises and with that in mind, we are pleased to introduce David Rogers, CEO of Copper Horse as a guest blogger. He has been very influential to the standardisation and regulation process in the UK but you will see almost identical processes in EU and US.
The start of IoT security regulation
Internet of Things (IoT) security has been on the mind of government officials across the world for some time now. The vulnerability of the Internet of Things was identified in the UK’s National Cyber Security Strategy in 2016, which stated that ‘The ‘Internet of Things’ creates new opportunities for exploitation and increases the potential impact of attacks which have the potential to cause physical damage, injury to persons and, in a worst case scenario, death’. The UK delivered on its strategy with a Code of Practice for Consumer IoT Security published in 2018. This contained 13 outcome-focused guidelines which dealt with product security design issues and best practices for manufacturers and IoT solution providers. These were then taken to the European Telecommunications Standards Institute (ETSI) and together with the industry and government members there taken forward and standardised, eventually becoming a European Norm, ETSI EN 303 645. This was accompanied by a Conformance Assessment specification ETSI TS 103 701.
The work has seen widespread adoption across the world, from Finland to Singapore, from Australia to India. This of course is a great thing for overall cyber security – a common baseline to work to and crucially a common understanding of what good looks like. This prevents needless fragmentation which in turn creates economic cost and insecurity as manufacturers implement different requirements around the world. There are other standards that have been developed subsequently such as the US NIST 8259 family and those from specific countries across the world. Broadly these address the same areas and there is clearly a spirit of alignment.
The IoT security mapping site from Copper Horse, developed on behalf of the UK government maps these different requirements and emerging standards in order to assist in the understanding of where fragmentation exists and where there is common alignment. The information is available as open data so companies can download and use it in their own product development processes.
Conformance and ‘Certification’
With standards comes compliance and conformance. The current indicators from the UK, Europe and the US is that self-declaration mechanisms will be used – that is products will be expected to meet the standards defined. Some test labs in Europe such as TÜV SÜD already offer testing to the European standard in the expectation that this will be also adopted Europe-wide through the new Cyber Resilience Act (CRA). While this testing may result in a certificate, it is important to explain what that means. The 13 requirements of ETSI EN 303 645 are ‘secure by design’ oriented. This means that the approach to a product’s security is the main thing, not, say the absence of specific vulnerabilities and certainly not a statement that the product is 100% secure. This reflects the fact that the space is always moving. We can however say things that we don’t want in product (default passwords being the clearest example), good practices such as a business adopting vulnerability disclosure processes to enable a clear reporting and resolution route for security vulnerabilities discovered and reported to IoT manufacturers. We also want a product to have the ability to receive security updates, to be securely communicating and for all the related keys and data to be processed and stored securely with hardware-backed security foundations.
Labelling
Some countries have investigated labelling schemes. The UK explored this and put it to public consultation – which led them to not implement a labelling scheme. There have been a number of advocates of digital or ‘live’ labelling, particularly in the USA. This might take the form of a QR code linked to the product, but ultimately is an online database of information giving the state of a product’s security at any point in time. This looks like a very progressive step forward and opens up many interesting future possibilities with regard to the way that products can be checked as to their current state – for example what the current level of security update is against whether the current device is patched to that state. It will move the world away from static product labelling and certification.
Legislation and Regulation
The UK passed the Product Security and Telecommunications (PSTI) Act in December 2022, with further draft regulations for the product security part being published in April 2023. This work has seen referencing and adoption into other spaces such as the security schedule of The Electric Vehicles (Smart Charge Points) Regulations 2021 which came into force in December 2022. Both Smart EV and PSTI will be regulated by the Office for Product Safety and Security (OPSS). Additionally, the Code of Practice of the UK’s Telecommunications Security Act 2021 references the requirements outlined in the PSTI Act demonstrating a joined-up approach to overall cyber security and the symbiotic security relationships that exist. In the future these common baseline requirements could easily be extended to other sectors – they suffer common problems.
As stated above, numerous countries and regions are likely to mandate that connected products are securely made and operated, so the clock is ticking for manufacturers. The UK has stated that it will regulate from the 29th of April 2024, so connected consumer products such as routers, webcams, fridges and yes, toasters, will all have to be produced in a compliant way by that date or be prevented from being sold in the country. An online countdown can be found at: https://www.iotsecurity.uk/.
Enhanced IoT Security will become a legal requirement for IoT devices used by consumers and a procurement requirement for Enterprises. To assist businesses make this transition, Wireless Logic has published an IoT Security Management Framework. Our framework addresses the security through an IoT Connectivity lens although it not limited to that and compliments other leading standards (ETSI EN 303 645) and frameworks (NIST, IoTSF). It is our way of talking about IoT security and helps our customers be compliant, implement people and process changes (training and policies) and to assess their capacity for risk based on data sensitivity and the economics of their solution. It also positions the relevant Wireless Logic product and services which provide additional security benefits at the device, network and applications levels.
Visit our IoT Security page to learn more about our Defend, Detect and React security provisions and how a 360 degree framework approach is needed to minimise IoT security risk.
