Countries are moving to regulate the security of IoT environments

April 08, 2021

For many IoT development teams, the cost/benefit ratio has not justified the effort of building security features into consumer products, especially because, until now, consumers have not seemed very willing to pay extra for cybersecurity. That is changing, mainly because lawmakers are beginning to make security a legal requirement for consumer IoT products.

In recent years, all kinds of objects and appliances have been turned into connected devices. Every second, 127 new IoT devices are connected to the internet, and experts predict that there will be more than 75 billion connected devices in total by 2025.

From robot vacuum cleaners to digital assistants, it is easy to see why IoT technology has become so widespread. But the convenience these devices offer has come with a significant increase in security and privacy risks, in both the consumer and the corporate market.

According to Nokia’s latest “Threat Intelligence Report”, IoT devices are responsible for almost a third of all infections seen on mobile networks.

“In 2020, we saw a 100% increase in compromised IoT devices. If 2020 trends continue, 2021 will see a significant increase in attacks on IoT devices,” said Kevin McNamee, former head of the Threat Intelligence Lab and now Nokia’s security product manager.

The most common IoT security risks (the ten categories of the OWASP IoT Top 10) include:

  • Weak, guessable, or hardcoded passwords
  • Insecure network services
  • Insecure ecosystem interfaces
  • Lack of secure update mechanisms
  • Use of insecure or outdated components
  • Insufficient privacy protection
  • Insecure data transfer and storage
  • Lack of device management
  • Insecure default settings
  • Lack of physical hardening

For each IoT environment (for example, smart homes, smart cities, connected cars or ICS/SCADA), a risk assessment must identify the threats to each asset, define plausible attack scenarios and place them in the context of the IoT service, so as to determine which hazards are critical, which are not, and which can be mitigated.

In addition to technical security measures, the adoption of IoT has raised many new legal, policy and regulatory challenges that compound the technical ones. The rapid pace of change in IoT technology has forced lawmakers to keep adapting to a moving target.

From a manufacturer's perspective, it is critical to understand the dangers of IoT vulnerabilities and the options for mitigating them. Organizations need clear guidance to identify the appropriate security controls and assign them to specific components of their systems.

However, the lack of objective criteria has made it difficult to establish standard methods for dealing with these security problems. That is what the US National Institute of Standards and Technology (NIST) set out to provide in support of the Internet of Things Cybersecurity Improvement Act of 2020, signed into law in December 2020 by then President Donald Trump.

The Act directs NIST to develop minimum security standards and guidelines for internet-connected devices procured or used by the US federal government. Once those standards are in place, federal agencies are barred, waivers aside, from procuring devices that do not meet the minimum security requirements they establish.

Although the Act governs only federal procurement, NIST expects the private sector to adopt the guidance as well. Cybersecurity and IoT experts also believe that the NIST guidelines will give manufacturers a general roadmap for implementing IoT protection measures.

“While there is still a lot of work to be done to protect the IoT ecosystem, this latest bill should be applauded, as it brings the topic of IoT security to the forefront of the agenda of federal organizations, technology manufacturers and consumers,” argues Erez Yalon, head of security research at Checkmarx.

“Using its purchasing power, the federal government can encourage the broader IoT ecosystem to ensure the cybersecurity of its devices and the responsible and coordinated disclosure of vulnerability information,” argues Trevor Rudolph, vice president of global digital policy and regulation at Schneider Electric.

“This legislation should be seen as a positive step in the right direction, but it really is just one step, with the next being a complete legislation for all companies, public or private,” says Curtis Simpson, director of information security at Armis.

European regulators are also paying closer attention

In addition to the USA, Europe has a baseline cybersecurity standard for consumer IoT devices, ETSI EN 303 645, published by the European Telecommunications Standards Institute in June 2020, as well as guidelines from the European Union Agency for Cybersecurity (ENISA) for securing the supply chain processes used to develop IoT products.

On December 16, 2020, the European Commission published the new EU Cybersecurity Strategy for the Digital Decade. Although the text does not deal exclusively with IoT, it is expected to have a significant impact on these devices.

Bloc officials believe that creating cybersecurity standards on connected devices is one way to protect personal and government information in times of increasing connectivity.

The strategy covers three areas: resilience, technological sovereignty and leadership; strengthening of the operational capacity to prevent, deter and react; and promoting open cyberspace on a global scale through greater cooperation.

In addition to the EU-level rules, member states retain the autonomy to act at national level. For example, in December 2020 Germany proposed its own IT Security Act 2.0. If approved, the new law aims to strengthen cyber and information security, particularly against the growing risks brought by the Internet of Things.

Outside the bloc, the UK government intends to introduce new rules for manufacturers of consumer IoT devices with the aim of better protecting consumer data. If approved, the rules will set minimum security requirements for smart devices.

The proposal, which was open for public consultation until September 2020, has three main points: passwords on connected devices must be unique to each unit rather than a shared factory default; consumers must be told, at the point of sale, the minimum period for which the device will receive security updates; and manufacturers must provide a public point of contact through which customers and researchers can report vulnerabilities in the device.
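
The first point of the UK proposal, and the first and ninth entries of the risk list earlier on this page, come down to one engineering decision: whether a unit's initial credential is a shared factory default or something unique to that unit. The following Python is an added example written for this page, not code from any regulator, standard or vendor mentioned here; the factory secret, serial numbers and default-password list are constructed placeholders. It shows the vulnerable pattern (every unit ships with the same password) beside a hardened provisioning flow: a per-unit password derived with HMAC-SHA256 from a factory secret and the serial number, stored on the device only as a salted PBKDF2 hash, with a forced change at first login and a policy check that rejects known defaults and serial-derived guesses.

```python
import base64
import hashlib
import hmac
import os

# Constructed illustrative values; not taken from any real product.
DEMO_FACTORY_SECRET = b"demo-factory-secret-keep-in-the-provisioning-hsm"
KNOWN_DEFAULTS = {"admin", "password", "12345", "123456", "default", "root"}
PBKDF2_ITERATIONS = 200_000


def vulnerable_factory_password(serial: str) -> str:
    """Insecure pattern: every unit ships with the same hardcoded credential.

    One leaked manual or one scanned device gives an attacker the password for
    the entire product line, which is what lets botnets spread by brute force.
    """
    return "admin"


def per_device_password(factory_secret: bytes, serial: str, length: int = 16) -> str:
    """Derive a unique provisioning password for one unit.

    HMAC-SHA256(factory_secret, serial) is deterministic, so the factory can
    reprint a label, but without the secret no serial reveals a password and no
    password reveals another unit's. The secret stays on the provisioning
    station; the device stores only a hash of the result. Base32 keeps the
    output typable without introducing modulo bias.
    """
    digest = hmac.new(factory_secret, serial.encode("utf-8"), hashlib.sha256).digest()
    return base64.b32encode(digest).decode("ascii").lower()[:length]


def provision_device(serial: str, factory_secret: bytes = DEMO_FACTORY_SECRET) -> dict:
    """Device-side credential record: salted PBKDF2 hash plus a forced-change flag."""
    password = per_device_password(factory_secret, serial)
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"serial": serial, "salt": salt, "hash": digest, "must_change": True}


def verify_credential(record: dict, candidate: str) -> bool:
    """Constant-time comparison of the candidate against the stored hash."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(digest, record["hash"])


def acceptable_new_password(password: str, serial: str) -> bool:
    """Policy applied when the user replaces the provisioning password:
    reject known defaults, anything containing the serial, and short strings."""
    lowered = password.lower()
    if lowered in KNOWN_DEFAULTS or len(password) < 12:
        return False
    if serial.lower() in lowered:
        return False
    return True


def change_password(record: dict, current: str, new: str) -> bool:
    """First-boot flow: prove possession of the label password, then replace it."""
    if not verify_credential(record, current):
        return False
    if not acceptable_new_password(new, record["serial"]):
        return False
    salt = os.urandom(16)
    record["salt"] = salt
    record["hash"] = hashlib.pbkdf2_hmac("sha256", new.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    record["must_change"] = False
    return True


if __name__ == "__main__":
    label_a = per_device_password(DEMO_FACTORY_SECRET, "SN-0001")
    label_b = per_device_password(DEMO_FACTORY_SECRET, "SN-0002")
    print("shared default:", vulnerable_factory_password("SN-0001"), vulnerable_factory_password("SN-0002"))
    print("per-device labels:", label_a, label_b)
    dev = provision_device("SN-0001")
    print("login with label password:", verify_credential(dev, label_a), "must change:", dev["must_change"])
    print("change to 'admin' accepted:", change_password(dev, label_a, "admin"))
    print("change to passphrase accepted:", change_password(dev, label_a, "correct horse battery staple"))
```

The derivation step is the part that makes the UK requirement cheap to meet: the factory keeps one secret and needs no database of passwords, yet a crawler that learns one unit's credential gains nothing against the next serial number. The `must_change` flag is what turns a unique label password into a user-chosen one on first use, and the policy check stops the user from reintroducing the very defaults the risk list warns about.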

Other initiatives

In 2019, the Cloud Security Alliance (CSA) published its “IoT Security Controls Framework”, which proposes entry-level security controls necessary to mitigate many of the risks associated with an IoT system operating in a variety of threat environments.

This framework, together with its accompanying guide, gives organizations the context in which to evaluate and implement an enterprise IoT system that combines various types of connected devices, cloud services and network technologies. But while the framework helps users identify the appropriate security controls and assign them to specific components of their IoT system, the guide is of little use to end users with little or no technical knowledge.

End users must also demand stronger security measures from the companies that sell these devices. That creates a ripple effect, prompting manufacturers and suppliers to address IoT security holistically from the start, backed by a comprehensive set of guidelines covering the manufacture, distribution and deployment of IoT devices. Only through this domino effect does IoT security reach beyond governments and into our own homes and business environments.