Understanding Global IoT Security Regulations

The IoT is maturing rapidly, and surveys show that global IoT spending will achieve a combined annual growth rate (CAGR) of 11.3% over the 2020-2024 forecast period. It offers promising benefits that are rapidly transforming a variety of industries, including manufacturing, health care, commercial buildings, smart homes, retail and energy.

The huge potential of IoT is becoming a reality, but as adoption accelerates, regulatory bodies and government organizations are realizing the dangers and risks of connected devices if they are not built with proper security in mind—and, in response, are issuing regulations in a variety of forms. They may be specific security mandates, backed by the purchasing power of governments and industry groups, or they may be presented as more voluntary, general guidance on best practices for IoT vendors and end users.

Here is a brief update on some of the latest global standards and their implications for today’s manufacturers.

Best Practices and Labelling in Asia and the South Pacific

In Asia and the South Pacific, several countries have developed security recommendations and best practices for IoT manufacturers, as well as the organizations that use them.

Australia has created a voluntary IoT cybersecurity code of practice, featuring more than a dozen principles for all IoT devices that connect to the internet to send and receive data. The code focuses on strong passwords, multifactor authentication and secure storing of credentials. It recommends that organizations set up a vulnerability disclosure policy and designate a point of contact for issues that arise.

Singapore has taken aggressive steps as well, issuing an IoT Cyber Security Guide intended to offer enterprise users and their vendors better guidance on deploying IoT technology, including fundamental security design principles. Singapore also has a suite of IoT standards published as technical references for IoT and sensor networks to address the absence of any coherent sensor networks or IoT standards, with a focus on interface interoperability. Companies in the region are establishing a security labelling initiative for smart home devices to better inform consumers.

New Regulations in Europe and the UK

Several governments in the EU and the UK are focusing on standards around IoT devices.

For example, the UK’s Department for Digital, Culture, Media and Sport (DCMS) regulations ensure all IoT devices are secure and protected. For example, all passwords for devices must be unique and may not be reset to default factory settings. The regulations also instruct manufacturers to publicly provide contact details to report vulnerabilities.

Like Singapore, the European Commission, which is in charge of handling the EU’s day-to-day affairs, is also considering the creation of an IoT “Trust Label” intended to strengthen end-to-end personal data protection in IoT environments.

Brazil Takes Free Market Approach

Brazil is applying a variety of tax reforms and other incentives to drive IoT solutions. Law 14.108/2020 , which recently took effect, reduces installation and operation inspection and licensing fees of machine to machine (M2M) communication systems to zero. Intended to spur growth and facilitate development of the region’s Industry 4.0 ecosystems, the law also promises to jump-start secondary industries—including security solutions to address privacy concerns.

United States Delivers Top-Down Leadership

The main development in the U.S. has been the IoT Cybersecurity Improvement Act. Signed into law in 2020, the legislation is intended to incentivize companies to secure the devices they build and sell. The new law requires the National Institute of Standards and Technology (NIST) to create a new set of guidelines for development, patching, identity and configuration management for IoT devices.

Like private industries, federal agencies are deploying a variety of IoT use cases. The law requires them to review procurement practices and take steps to better understand how they are using IoT within their organizations—and consider the risks associated with their specific applications. The law also instructs them to apply leading industry best practices, policies and procedures throughout the procurement process for IoT products and technologies.

IoT Security Requires a Consistent Approach

Although every country and region brings its own unique priorities to its IoT standards, the very nature of IoT use cases requires that they maintain a high level of commonality. The IoT is defined by smooth, secure connectivity, making it challenging for device manufacturers to keep pace with market needs while still complying with multiple government and industry standards.

As IoT adoption increases rapidly, some industry organizations are taking proactive steps to ensure that the standards their stakeholders are creating are not wildly different. For example, the International Medical Device Regulators Forum (IMDRF) has established a voluntary forum that brings together device regulators from around the world. Together, they are collaborating on a strategic plan to accelerate international medical device regulatory harmonization and convergence. The document presents key strategic priorities, and includes cybersecurity, data integrity and data security among the industry’s top regulatory challenges.

The IMDRF is an excellent example of how industry stakeholders can come together to agree on principles for IoT regulation.

A Common Foundation for IoT Security and Trust

The transformative advantage of IoT is its ability to harness vast amounts of data and apply it in more meaningful ways. To maintain its integrity, data and connections must be managed in a secure way, every step of the way. For example, IoT devices must connect to everything from middleware to gateways, applications and other types of services and devices—and properly authenticate at each step.

Once acquired, data from the factory floor, vehicle sensors, health care monitors, home thermostats and countless other devices must be kept confidential at all times. When it’s time to update IoT devices, the required firmware packets must be signed to ensure their integrity.

Every industry standard addresses these types of requirements to address common challenges in IoT, and they need to be included in any standard.

Public key infrastructure (PKI) technology can play a key role in ensuring that an organization’s devices and users are safely authenticated—and provide strong protection for the data they share, whether it is in transit or at rest.

The good news is that manufacturers don’t have to wait to apply it to their IoT solutions. PKI has long been a fundamental standard for ensuring Internet security and has been broadly adopted across a wide range of industries. For IoT innovators, it checks all the boxes required to ensure a high level of trust and security. PKI is also highly flexible, which is critical to supporting many different industry-specific use cases and environments.

As new IoT regulations become effective, technology manufacturers and users will need to ensure that their best practices and processes are safe and secure. By doing the right thing to protect devices today, organizations can be sure that they are already addressing the vulnerabilities that will be part of the very latest regulatory guidance.

Avatar photo

Mike Nelson

Mike Nelson is the VP of IoT Security at DigiCert, a global leader in digital security. In this role, Nelson oversees the company’s strategic market development for the various critical infrastructure industries securing highly sensitive networks and Internet of Things (IoT) devices, including healthcare, transportation, industrial operations, and smart grid and smart city implementations. Nelson frequently consults with organizations, contributes to media reports, participates in industry standards bodies, and speaks at industry conferences about how technology can be used to improve cyber security for critical systems and the people who rely upon them. Nelson has spent his career in healthcare IT including time at the US Department of Health and Human Services, GE Healthcare, and Leavitt Partners – a boutique healthcare consulting firm. Nelson’s passion for the industry stems from his personal experience as a type 1 diabetic and his use of connected technology in his treatment.

mike-nelson has 18 posts and counting.See all posts by mike-nelson