IoT Security Standards and Regulations
Where Are We Now?
If we are to deliver on the promise of the IoT we have to build trust in the devices and in the data they generate so we can enable digital transformation in our homes, our businesses and across industries.
Security laws, regulations and baseline requirements are being introduced to ensure growth does not come at consumers’ expense. They vary between regions and countries and differ in their approach. Some ask designers, developers and manufacturers to follow best practice while others insist on compliance.
Cybersecurity Baseline Requirements and Best Practice
In several regions, standards organizations are providing guidance on best practice and on ‘baseline’ or ‘core’ requirements.
Laws and Regulations
In some countries, and in two US states, governments are taking a firmer approach. In California, for example, a new law requires manufacturers to implement ‘reasonable security features' such as having unique passwords per device, if they want to sell to consumers in that market.
While in the UK, the Government Department of Culture, Media and Sport (DCMS) has produced proposals to help set the standard for security in the industry and outline what is expected of manufacturers. The approach is based on three security requirements - banning universal default passwords, implementing a means to manage reports of vulnerabilities and providing transparency on how long the product will receive security updates. Matt Warman MP, Minister for Digital and Broadband, states in a ministerial foreword “… I announced the government's intention to bring in legislation to ensure stronger security is built into consumer smart products. Since then we have continued to work at pace, collaborating with industry leaders and cybersecurity experts, to deliver world-leading legislation in this space."
There are varying regulations, guidelines, recommendations and specifications coming from different standards bodies across the world.
Click on the icons to explore the current landscape.
Implementing Security in an IoT Device
In all cases, the requirements, whether legally binding or not, relate to fundamental protection measures such as the need for unique passwords, so they are not difficult to adhere to in isolation. However, they raise some interesting questions when they are considered in their entirety...
What requirements do I have to meet to ship my products globally?
How do I keep up with changes to requirements around the world?
How can I demonstrate that I've followed best practice or complied with legislation?
The questions highlight the challenges we face as we look for ways to build a more secure IoT. As yet, there is no global solution and analyzing the regional laws, regulations and baseline requirements to ensure you are implementing the right measures can be difficult and time-consuming.
Still, the action taken by governments and standards organizations has been welcomed by many who acknowledge the current insecurity of the IoT. Although some commentators point out there are important details that still need to be addressed. For example, in the UK and US, questions have been raised about the enforcement of regulations.
In Finland, product developers must label their devices. In the UK, the Government received mixed responses when it included a question about labeling in its consultation over proposed regulations. Most, it says, ‘agreed to some extent’ with the concept but there were concerns about the impact of negative labeling on innovation and on its potential to create barriers to market. Some are also asking what labeling achieves as it only tells a consumer that a product was secure when it left the factory. What happens after that?