The growing number of IoT regulations may lead to boosted consumer confidence in connected devices, but manufacturers must figure out how to navigate local and global standards.
Even without regulations, IoT security has proven to be a daunting task because of the lack of an agreed-upon minimum security standard built into devices. As the number of IoT devices in use surges, so has the number of attacks targeting them. Governments and standards bodies have started to step in to ensure the safety of end users and the privacy of their data, and to build confidence in IoT. Now, organizations must keep up with emerging cybersecurity legislation that varies by location around the world.
Regulation at the U.S. national level is accelerating, said Michael Dow, senior product manager for IoT security at Silicon Labs, during a session at the company's Works With conference on Sept. 14.
Laws define what legally is required in IoT devices, but they often direct standards bodies to determine the functionality for each market, Dow said. Regulations ensure IoT products have suitable security measures, but manufacturers must also confirm that their products meet specific levels of security. Certification schemes and protection profiles give vendors a way to test the strength of their security measures and prove themselves to customers.
IoT organizations based in the U.S. must navigate regulations at the state, national and international levels.
State regulations lead IoT regulations
In the U.S., states often enact legislation separately from the national government. Certain states, such as California, have already passed legislation for IoT consumer products -- for instance, California's SB-327 and the California Consumer Privacy Act (CCPA), both of which went into effect in January 2020.
SB-327 mandates that manufacturers give each device a unique preprogrammed password that users must change before accessing the device for the first time. The CCPA dictates how companies collect and protect consumer data. These IoT regulations require manufacturers to build devices designed to keep attackers out.
"[State legislations] say pretty vague things like 'reasonable security features,'" Dow said. "But then they go on to define things more specifically, like designs to protect the device and any information contained therein from unauthorized access, disruption, use, modification or disclosure."
Recent U.S. regulations emerge
Most national regulations in the U.S. affect organizations that work directly with the federal government, but many of these regulations will have effects that carry over into consumer markets.
The IoT Cybersecurity Improvement Act of 2020, passed in December, aimed to limit vulnerabilities in devices used by federal agencies. This will likely affect many consumer products, such as coffee makers, printers and building controls. The law calls on the National Institute of Standards and Technology (NIST) to establish the guidelines to ensure the secure development, configuration and management of IoT devices.
NIST Internal Report 8259D gave 270 requirements for the IoT Cybersecurity Improvement Act, Dow said. NISTIR 8259A addresses device identification in consumer products directly. IoT devices must be uniquely identified logically and physically with a secure identity in the silicon. Only authorized entities can change device configuration. Access to interfaces must be locked down, and organizations must also issue software and firmware updates securely.
The Cyber Shield Act, a bill reintroduced in March 2021, aims to regulate consumer IoT products directly with a labeling program that sets different benchmarks for IoT device security. Experts across industries, consumer groups, governmental agencies and the public will serve on an advisory committee to develop these requirements. The act will push manufacturers to certify their IoT devices to get the Cyber Shield label.
In May 2021, President Joe Biden issued an executive order to improve national cybersecurity. Although the order wasn't directed at IoT, a section of the order explicitly addresses creating pilot programs to educate the public on IoT security and establishing an IoT security labeling program. The order also prioritizes cybersecurity in the supply chain and zero-trust architecture.
International standards organizations build IoT requirement lists
Organizations that plan to offer their IoT products to a broader market outside of the U.S. must understand global standards, which are also still in development. Organizations that influence the market include the ISO, IoT Security Foundation, European Union Agency for Cybersecurity (ENISA) and European Telecommunications Standards Institute (ETSI).
ISO, a well-recognized global standards body, created ISO 27402. The document gives organizations basic IoT security practices to use as a baseline.
"ISO 27402 could eventually replace NIST standards because it has the opportunity to actually synchronize with the EU and what's happening there and maybe come up with a worldwide recognized requirements list for IoT products," Dow said.
ENISA, the EU's cybersecurity regulatory body, picks the standards and certification schemes used in the European Union (EU). ETSI could be selected as the requirement list for consumer IoT devices in the EU, Dow said. The standard ETSI EN 303 645, backed by the U.K. government, provides a set of requirements to protect consumer devices against common security threats. These requirements include keeping software updated, storing credentials securely, securing data, minimizing attack surfaces and ensuring software integrity. Australia, Singapore and Finland have already adopted it.
Certification schemes build consumer confidence in IoT
Regulations won't mean much if organizations don't prove that manufacturers meet the requirements. Certification schemes standardize how device security is tested and define what functions to target. Security professionals can tell a certification lab at what level they want to test the device. For example, the certification could test devices at these different levels:
- Level 1 is a self-assessment.
- Level 2 is a black box test in a lab where the lab tries to hack the device without any information.
- Level 3 is a white box test, in which the organization gives the testers insider information.
- Levels 4 to 6 test the device with information about how the organization developed the IP and built the products.
Organizations may test their devices through certification schemes, including Common Criteria, Security Evaluation Standard for IoT Platforms (SESIP) and PSA Certified. Common Criteria, a well-known certification scheme, can take two or three years to pass a device through certification. SESIP was proposed as a lightweight version of Common Criteria to take six months or less. PSA Certified checks if an organization follows a secure architecture design for a microcontroller unit or neural processing unit.
But certification schemes do not mean products are secure.
"There's one loophole in certification schemes, which is that [the manufacturer] defines the security target for a product," Dow said. "A security target is really just a list of security functions, and you could put one security function on the list. […] It would look on paper like your product had a very high level of certification and security."
"There are a lot of ways to abuse self-assessments," he added.
Protection profiles could create a better security baseline
Protection profiles, also sometimes called security profiles, are security targets for device types that give a more individualized structure to building IoT security measures than certification schemes. The top four or more manufacturers of a particular product would decide what security functions are required or optional and create a generic protection profile for that type of device. Consumers could pick up a product, see the protection profile label and know that the device is secure, Dow said.
Some use cases require stricter security than others -- a medical device vs. a coffee maker, for instance.
"Having the right amount of security with a protection profile or security profile is a very important part of making this work for the consumer," Dow said.
Groups such as GlobalPlatform, Diabetes Technology Society and the ioXt Alliance have created protection profiles that don't have the certification scheme loophole.
A basic protection profile requires IoT devices to have no universal password, secure interfaces, proven cryptography and verified software, with progressively stricter levels of security requirements. There are optional levels, which give manufacturers a choice to meet the minimum security levels for a lower-cost product or to reach higher security levels and advertise their product as being more secure. Protection profiles offer flexibility to adopt the right amount of security for a particular product.
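The two recurring credential requirements on this page -- SB-327's unique preprogrammed password that must be changed before first use, and the protection-profile baseline of no universal password -- map onto a small amount of device and factory logic. The following is an added example written for this article, not code from Silicon Labs or any standard named here; the PBKDF2 work factor, the 12-character minimum, the label-printing flow and the provisioning-log format are assumptions for illustration. It models a device whose factory credential can do exactly one thing (set a new password), and a fleet audit that flags any default shared by more than one unit.

```python
"""Per-device default credential with forced change on first use, plus a fleet audit
for universal passwords. Added example; values below are assumed, not from a standard."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000  # assumed work factor; a real device sizes this to its CPU budget
MIN_PASSWORD_LEN = 12        # assumed policy value


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so a dumped credential store does not reveal passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Device:
    serial: str
    salt: bytes
    pw_hash: bytes
    must_change: bool = True     # factory state: credential is only good for setting a new one
    authenticated: bool = False  # session state


def factory_provision(serial: str) -> tuple[Device, str]:
    """Provisioning line: a random default per unit, never a constant shared across the model.

    Returns the device record and the plaintext default the factory would print on the unit's
    label (hypothetical label flow); only the salted hash is stored on the device.
    """
    default_pw = secrets.token_urlsafe(12)
    salt = os.urandom(16)
    return Device(serial, salt, _hash_password(default_pw, salt)), default_pw


def login(dev: Device, password: str) -> bool:
    """Constant-time comparison of the candidate hash against the stored hash."""
    dev.authenticated = hmac.compare_digest(_hash_password(password, dev.salt), dev.pw_hash)
    return dev.authenticated


def access_feature(dev: Device) -> str:
    """Every device function except change_password is gated on both checks."""
    if not dev.authenticated:
        return "denied: not authenticated"
    if dev.must_change:
        return "denied: factory credential must be replaced first"
    return "ok"


def change_password(dev: Device, new_pw: str) -> bool:
    """The only operation the factory credential may perform; clears the must-change flag."""
    if not dev.authenticated or len(new_pw) < MIN_PASSWORD_LEN:
        return False
    dev.salt = os.urandom(16)  # fresh salt so the new hash is unrelated to the old one
    dev.pw_hash = _hash_password(new_pw, dev.salt)
    dev.must_change = False
    return True


def audit_universal_defaults(provisioning_records: dict[str, str]) -> list[str]:
    """Fleet check over the factory's provisioning log (serial -> default password).

    A default that appears on more than one unit is a universal password. Returns the affected
    serials, sorted, so the batch can be re-provisioned before it ships.
    """
    by_password: dict[str, list[str]] = {}
    for serial, pw in provisioning_records.items():
        by_password.setdefault(pw, []).append(serial)
    return sorted(s for serials in by_password.values() if len(serials) > 1 for s in serials)


if __name__ == "__main__":
    dev, label_pw = factory_provision("SN-0001")          # constructed serial
    print(access_feature(dev))                            # denied: not authenticated
    login(dev, label_pw)
    print(access_feature(dev))                            # denied: factory credential must be replaced first
    change_password(dev, "correct-horse-battery-staple")
    print(access_feature(dev))                            # ok
    print(login(dev, label_pw))                           # False: factory default is dead
    # Constructed bad batch: two units left with the same default.
    print(audit_universal_defaults({"A": "admin", "B": "admin", "C": "q7"}))  # ['A', 'B']
```

The point the regulation makes, and the code enforces, is that the factory credential is not a login: it exists only to bootstrap a user-chosen one, and the `must_change` flag is what turns the legal phrase "before accessing the device for the first time" into a check every other feature must pass. The audit runs on the factory side, where the plaintext defaults still exist, which is the only place a shared default can be detected without brute-forcing hashes.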