Saving us from demented smart things

April 27, 2020

Posted by: Anasia D'mello

Steve Hanna of Infineon Technologies

The Good, the Bad and the Ugly of IoT security regulations

From smart cars to smart factories, the Internet of Things (IoT) is transforming every aspect of modern life. Deployment of smart, connected devices delivers many benefits, says Steve Hanna, senior principal, Infineon Technologies, but also brings a very real threat of cyberattacks that can harm innocent users.

Governments from the USA to the European Union and from the State of California to Singapore are creating IoT security regulations designed to keep us safe in this new, connected world (see Figure 1). But how can we distinguish the good regulations from the bad and the ugly, which will leave us all less secure?

IoT security regulation emerging worldwide

Governments are working hard to find the best solution for this problem. Some are imposing regulations that mandate appropriate security for any IoT device. Some are providing incentives for more secure IoT devices, such as “Secure IoT” labels or government purchases. But whatever the mechanism, certain common sense principles should apply.

Good regulation or bad?

Three fundamental tests distinguish good IoT security regulations from bad ones: a regulation should be risk-based, it should be dynamic, and it should give manufacturers motivation to comply.

Now let’s look at regulations proposed or in place in various parts of the world and assess them against our scorecard (figure 2).

Scorecard assessment of existing and emerging regulations

Clearly California's SB-327 passes the motivation test – you cannot sell products in California unless you comply. However, it is neither risk-based nor dynamic. Indeed, it is arguably already obsolete as the use of passwords becomes superseded by cryptographic methods. There is also no mention of regular updates, one thing that everybody recognises as essential for IoT devices.

In the summer of 2019, the UK government consulted publicly on three options for mandating security requirements for consumer IoT devices:

  1. Requiring retailers to sell only consumer IoT products with an IoT security label, to be issued when manufacturers self-assess that they meet the top three principles in the code of practice mentioned earlier.
  2. The same requirement with no label.
  3. Requiring devices to meet all 13 principles.

Although these proposals would add motivation to comply, the importance of risk-based analysis and dynamic regulation are still not addressed.

In the EU, the Cybersecurity Act (CSA) came into force in June 2019 and includes the first EU-wide cybersecurity certification framework for ICT products, services and processes. The act will create multiple schemes for different categories and extends the mandate of ENISA, the EU Agency for Cybersecurity, to establish requirements for each security level. Although risk-based and dynamic, it is currently voluntary and so lacks motivation at the present time. In the future, the EU Commission or individual nations may decide to make certifications mandatory.

Singapore’s Cybersecurity Act, on the other hand, addresses all three criteria quite well. Effective since March 2018, it creates a national Cyber Security Agency (CSA) empowered to establish codes of practice and standards of performance for owners of critical information infrastructure such as transport or energy. Obliging owners to protect their data and networks, it is risk-based and mandatory at the discretion of the CSA.

Where do we go from here?

Policymakers should ensure that any proposed IoT security regulations are risk-based, dynamic, and motivated. The differences between national standards in this area introduce complexity and the possibility of conflict. Thus international standards and norms will eventually be developed. However, IoT security is a relatively new field and things are changing fast. For now, international norms should be flexible and limited in scope.

Individuals and organisations deploying or building IoT systems must directly address the security risks of these systems, including indirect impacts that infected devices may cause. Thus, they have a duty to keep their systems in compliance with the latest security principles and regulations, including applying best practices for risk management and IoT security. In this respect, the industrial cybersecurity standard IEC 62443 and the IoT Security Foundation’s Best Practice Guide are excellent references.

At the same time, we should remain ready to adapt as threats evolve and be sure to watch for – and be involved in – the drafting of new regulations, commenting diligently on consultations wherever there is the possibility. Above all, we need to voice our opinions, both individually and collectively, to ensure we get regulation that works. Good regulation benefits us all while bad regulations can slow or stop the adoption of new and effective IoT security practices and even of the IoT itself.

The author is Steve Hanna, senior principal at Infineon Technologies

About the author

The author, Steve Hanna, is a senior principal at Infineon Technologies. On a global basis, he is responsible for IoT security strategy and technology. Within the Trusted Computing Group, he co-chairs the Embedded Systems Work Group, IoT Sub Group, and Industrial Sub Group. He is a member of the Security Area Directorate in the Internet Engineering Task Force and co-chair of the Industrial IoT Security Work Group in the International Society of Automation.

Hanna has a deep background in information security, especially in software and systems. He is an inventor or co-inventor on 48 issued patents, the author of innumerable standards and white papers, and a regular speaker at industry events. Steve Hanna holds a Bachelor’s degree in Computer Science from Harvard University.