As the US Government Accountability Office warns, “internet-connected technologies can improve services, but face risks of cyberattacks.” The use of IoT devices and operational technology (OT) generates new attack surfaces that can expose an organization’s critical infrastructure to hackers and other threat actors.
Building access gadgets, badge readers, fuel usage and route monitors (for vehicle fleets), and apps that connect to the enterprise IT infrastructure create, among others, can be targeted by hackers to compromise not only the devices but the entire network. Worse, attacks on the IoT and OT systems used in power generating stations, production lines, medical facilities, and other critical infrastructure can result in serious or tragic outcomes including actual loss of lives.
Just like most other things that gain widespread use, regulation has started creeping into IoT products. With more than 13 billion IoT devices across the world, it is not surprising that efforts have been undertaken to ensure their security. Here’s a rundown of some notable legal and regulatory requirements imposed to ensure IoT and OT security.
IEC 62443 or the International Electrotechnical Commission standard 62443 is a series of standards created to counter cyber risks involving operational technology in automation and control systems. It lays out standards for different categories or roles, namely operators, service providers, and component/system manufacturers.
Introduced in 2021, IEC 62443 presents tasks and practices aimed at identifying cyber risks and determining the best defensive or counter-offensive measures. It requires organizations to create a cybersecurity management system (CSMS) that includes the following key elements: initial risk evaluation and prioritization, technical risk assessment, security policy formulation, countermeasure identification, and implementation, and CSMS maintenance.
IEC 62443 does not specifically target IoT devices, but two of its sub-standards are highly relevant to IoT and OT use. IEC 62443-4-1 and IEC 62443-4-2, in particular, require IoT product makers to ensure a secure product development lifecycle and have in place technical system components that guarantee secure user identification and authentication, product usage, system integrity, data confidentiality, data flow regulation, timely security event response, and resource availability.
Properly securing IoT devices is a complex and difficult process, given that it is not viable to install cyber protections for individual IoT devices. However, global security standards such as IEC 62443 compel manufacturers and others involved in the production, deployment, and use of IoT to play a role in addressing the risks and threats.
IoT Cybersecurity Improvement Act of 2020
The IoT Cybersecurity Improvement Act of 2020 is a law that mandates the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) to undertake steps that advance IoT security. It requires the NIST to formulate guidelines and standards to ensure the secure use and management of IoT devices in federal government offices and connected agencies. On the other hand, the law orders the OMB to review the IT security policies and principles of federal agencies in line with the standards and guidelines set by NIST.
The NIST has a website that presents the resources it has developed in response to the IoT security law. These resources include the NISTIR 8259, which provides security information and guidance for IoT manufacturers; the SP 800-213 series, which contains information for federal agencies, and information on IoT security for consumers.
While the requirements set by the IoT Cybersecurity Improvement Act of 2020 are only for federal offices or agencies, these are expected to pave the way for the adoption of similar IoT security measures in the private sector. After all, if IoT device makers are already creating secure products for their government clients, there is no reason for them not to adopt the same cyber protections for the products they sell to other customers.
EU IoT Cybersecurity legislation (proposed)
The European Union does not have its version of the US IoT cybersecurity law yet, but it already has one in the works. This proposed IoT security legislation is not a standalone bill but a part of the EU Cyber Resilience Act, the first law covering the entirety of the European Union to impose rules on device manufacturers.
Once the law is enacted, companies will be required to get mandatory certificates that serve as proof of their compliance. The legislation plans to impose heavy fines on IoT product makers that fail to meet the requirements or violate regulations. Offending companies can be fined up to €15 million or 2.5 percent of their turnover from the previous year.
The EU’s proposed IoT security law is notably broader in scope compared to what the United States currently has. The proposed legislation will provide the European Commission the authority to ban or recall non-compliant IoT products, regardless of whether they are being sold to the government or to private customers.
IoT security labeling program (proposed)
Nevertheless, the United States government plans to have an IoT security labeling program, which in a way expands the scope of its IoT security endeavor beyond the federal government offices. Set to be implemented in the spring of 2023, the program will provide information (through physical labels) regarding the security of IoT devices in the market. It aims to help buyers of IoT products make informed and better purchase decisions.
The proposed IoT security labeling program is comparable to the Energy Star labels, which provide consumers with information about the energy efficiency of appliances or electronic devices. It does not throw unsecure IoT products out of the market, but it makes them less acceptable to buyers.
There are no details yet as to the certification and labeling process. It is unclear if companies are allowed to self-certify or if they can refer to third-party certifying bodies. However, most industry players reportedly expressed support for the plan.
Other notable IoT security efforts
Other countries also acknowledge the importance of securing IoT devices. In Japan, for example, a law was passed to allow the government to hack into IoT devices used not only in government offices but in private establishments and homes. The government’s rationale: finding and addressing the security loopholes before threat actors do.
In China, the Ministry of Industry and Information Technology (MIIT) released guidelines for the establishment of a security standard for the internet of things. The standard includes guidance regarding software security, data security, and user access and authentication.
Singapore, on the other hand, already has an IoT cybersecurity labeling program that is recognized by Finland and Germany, which also have their respective labeling programs. The program is officially referred to as the Cybersecurity Labelling Scheme (CLS) for consumer smart devices.
The development of the IEC 62443 series of international cybersecurity standards and the implementation of related laws and regulations in different countries is a welcome development for IoT and operational technology security. IoT and embedded devices are more often than not ignored as cyber-attack surfaces. Organizations benefit from the regulations and legislated security requirements, as they are likely to disregard, downplay, or pay little attention to the increasing risks brought about by the expanding IoT ecosystem.