The State of IoT Security Standards and Regulations

New security measures are being introduced to protect our online lives. As more and more IoT devices come to market, we're exploring if these new cybersecurity baseline requirements can help win people's trust and protect our privacy and safety.

As the Internet of Things (IoT) has evolved, so too has our approach to security. A decade ago, product developers were focused on seizing the opportunities that connectivity offered rather than slowing down progress by building in complex security at the start of a project. As a result, basic security principles were often ignored during the design phase or implemented as an afterthought, leaving customers' devices and data vulnerable to hackers.

In the years since then, some of these weaknesses in security have been exploited. Connected cameras, fish tanks, and smart locks have all been hacked, sometimes with serious and far-reaching consequences. The incidents have been reported in mainstream media, which has brought cybersecurity to people's attention. It has also worried governments and standards organizations, who all realize the potential of the technology to deliver significant economic and social benefits but are concerned about having billions of easily hackable devices that may adversely affect citizens' lives, including implications for privacy and safety.

They see a bigger picture too. In an increasingly connected world, a vulnerability in one device can bring down an entire system. For instance, a smart yet insecure CCTV camera can be recruited into a botnet of thousands of similar devices, which not only affects the homeowner's or a business's privacy but also gives attackers a weapon.

Why does that matter so much? In 2016, millions of IoT products were used in a distributed denial of service (DDoS) attack that brought down internet infrastructure and affected hugely popular websites in the USA and Europe. At first glance, DDoS may not seem like a big deal, but the reality is that DDoS doesn't just take our favorite websites offline; it can also stop businesses from functioning and impact our critical infrastructure and services. The direct and indirect effects can be huge. As more individuals and organizations embrace the IoT, the same approach could be used to target hospitals or the companies that run our critical infrastructure, disrupting, for example, our healthcare system or our utility suppliers.


When asked where the liability would lie in a compromised device, 89% of respondents selected the chip, system software, or device, highlighting the core components critical to IoT security.

Where Are We Now?

We take a look at the current standards and regulations around the world, the different approaches that are emerging, and the commonalities between the requirements.


Copyright © 2021 Arm Limited (or its affiliates). All rights reserved.
