IoT Security Standards and Regulations
A Holistic Approach to Security Standards
Establishing a Baseline to Build From
For now, at least, the laws, regulations and baseline requirements are changing the way we see security. For many organizations it is no longer an afterthought; it has moved to the top of the to-do list. For others, these requirements act as an urgent reminder of the need to design in security, and of the risks to IoT companies of inaction. It is more costly to add protection later than it is to build it in from the silicon up.
Increased government and industry interest has also taken us a step closer to establishing a baseline for security in all devices, from connected cameras to smart meters and connected sensors.
While each industry will have its own security requirements, having a program that encourages broad adherence is vital. If we return to the list of products that have been compromised in recent years, as discussed earlier in this article, it is important to note that they shared common vulnerabilities, and the attacks on them might have been avoided if good security principles had been applied. By setting and meeting baseline criteria, we position IoT product developers for success and help to build people's trust in the IoT.
This is what the laws, regulations and requirements have set out to achieve. Unfortunately, fragmentation in the market means that it is hard to know where to start with security when you are developing products for multiple regions and the requirements in each area differ.
Aligning Security Requirements
The range of emerging approaches does not help businesses to view their device security holistically. PSA Certified takes the position that all connected devices need a 'minimum' set of security requirements, underpinned by a Root of Trust. This is why PSA Certified has analyzed the key requirements of leading standards to establish a set of baseline security criteria that cover the most important of them. This lets you use one document to demonstrate that you meet multiple cybersecurity baseline requirements and to show that you have met regionally important regulations.
This security baseline is part of a comprehensive framework that includes a multi-level assurance scheme. The framework makes it quicker, easier and more cost-effective to design security into a device. Then, during the PSA Certified Level 1 evaluation, this security is assessed against best practice using a questionnaire that considers:
- 10 security goals that provide the basis for a security-by-design approach
- Alignment with security laws, requirements and regulations, including: NIST 8259A (IoT Device Cybersecurity Capability Core Baseline*), EN 303 645 (Cyber Security for Consumer Internet of Things: Baseline Requirements), California State Law (SB-327) and emerging regulations from the UK's Department for Digital, Culture, Media & Sport.
* The NIST 8259A document and PSA Certified provide bi-directional references to each other's documents.
PSA Certified brings together the most important cybersecurity baseline requirements in one document, simplifying the task of OEMs, including IoT application developers, in achieving security by design that builds on strong foundations. By achieving PSA Certified Level 1, you can assure your customers that your product meets baseline security criteria. Emerging guidance, laws, regulations and requirements are continually reviewed to ensure that PSA Certified remains relevant and reduces time to market in every region. We believe that by meeting this minimum set of recommendations, we can together prevent some of the most common vulnerabilities and avert many potential IoT cyber incidents.
Governments and standards organizations are setting out security requirements to help ensure that as the number of connected devices grows, the risk to people’s privacy and welfare does not increase. As a result, product developers risk losing access to large and important markets if they fail to take security into account. As an industry, we have an important role to play in building people’s trust in the IoT, which is fundamental to the acceptance of new technologies. We have to use our combined expertise to lead new security initiatives and help shape emerging legislation and regulations.
With PSA Certified we are taking the first step but it is up to the wider ecosystem to lead the adoption, implementation and discussion around IoT security and to showcase best practice.