Category: Infosec News

How new regulations could shape the future of the Internet of Things (IoT)


The IoT is here to stay. And it’s growing.

The IoT is predicted to grow to more than 64 billion devices by 2025, and as they become more integrated into our lives, we’re also giving them more access to our personal information.

But IoT’s increasing popularity means cybercriminals are designing attacks to specifically target its vulnerabilities.

Security concerns about IoT continue to grow, and so does the debate around the need for regulation.


Why regulate IoT?

IoT devices have access to a treasure trove of personal data, but it is well known these devices have security issues that make them vulnerable, such as weak default passwords and software flaws.

These devices are prime targets for hackers because they handle data about us, our homes and our businesses. They can even allow cybercriminals to enter a network and steal information or cause damage.

The Internet of Things…

The Internet of Things (IoT) is the network of connected devices that can collect and exchange data via an internet connection.

It is made up of billions of smart products that incorporate everyday devices, sensors and systems.


These products range from tiny sensors that track things like calories and humidity, to connected devices that span entire cities.

…and its devices

Security: cameras, doorbells

Energy: smart meters, smart plugs

Entertainment: televisions, games consoles

Appliances: coffee machines, refrigerators, ovens

Smart speakers: voice-controlled devices (e.g. Google Home, Alexa)

Vehicles: smart cars, charging points

Regulation will play an important role in imposing shared responsibility for IoT security on manufacturers, retailers and consumers. Defined rules and legislation will also help clarify where liability lies – a strong incentive for manufacturers to increase security.

Few IoT devices are currently secure by design, but new laws have been proposed to better protect the data these connected devices handle.


IoT Code of Practice

The UK Government released its voluntary Code of Practice for Consumer IoT Security in 2018. It formed part of its Secure by Design report.

It sets out thirteen guidelines for manufacturers, service providers and retailers to ensure IoT devices are secure to use by design:

  1. Do not use default passwords

  2. Implement a vulnerability disclosure policy

  3. Keep software updated

  4. Securely store credentials and sensitive data

  5. Communicate securely

  6. Minimise exposed attack points

  7. Ensure software integrity

  8. Ensure that personal data is protected

  9. Make systems resilient to outages

  10. Monitor system telemetry data

  11. Make it easy for consumers to delete personal data

  12. Make installation and maintenance of devices easy

  13. Validate input data

The Government believes that everyone should benefit from connected technology safely, knowing security and privacy measures are in place.


Proposed new laws in the UK

The Government has also proposed new legislation to introduce a security labelling system. This will show customers how secure an IoT device is at the point of purchase.

To gain a security label, a device must:

  • Use unique passwords by default.

  • Clearly state how long security updates will be available.

  • Offer a public point of contact for cybersecurity vulnerabilities.

The new law could eventually bar retailers from selling IoT devices without security labels.

Global manufacturers may, therefore, need to ensure their products meet UK standards before they can be sold here.


IoT regulation around the world

Europe

Industry standards for internet-enabled devices were recently issued by the European Telecommunications Standards Institute (ETSI) Technical Committee on Cyber-Security.

These standards are the first to apply to a range of devices globally and are based on the UK’s Code of Practice.

Some data handled by IoT devices is also covered by the General Data Protection Regulation (GDPR). It emphasises privacy by design and states that personal data must be handled securely. GDPR applies to the personal data of all EU residents.

USA

In 2018, California became the first American state to pass a law aimed specifically at manufacturers and retailers of IoT devices. Under the law, which comes into effect in 2020, every connected device in the state must be equipped with ‘reasonable’ security features, such as a unique password.

Japan

Japan recently launched a campaign to test 200 million devices by attempting to access them with default passwords.

Once the campaign is complete, the Japanese government will inform IoT providers of the issues and instruct them to fix the vulnerabilities.

Australia

Australia has proposed a certification for IoT devices to meet certain requirements.

The requirements include using non-default passwords, providing software updates to fix vulnerabilities, and not exposing ports to the wider internet.


Conclusion

Legislation to protect IoT devices and the data they hold will help regulate aspects that were originally beyond user control.

But implementing effective regulation comes with many challenges. For regulation to be effective, it needs to be coordinated on an international scale – a process that is both complicated and time-consuming.

Legislation needs to cater for manufacturers, retailers and consumers. It must regulate them, but also educate them about data security at every stage of an IoT device’s lifecycle.

Whether IoT will be managed by government legislation or industry self-regulation remains to be seen – it could even be both.

In the meantime, we must each do all we can to protect ourselves, our data and our devices.


We have created a free ‘Your Guide to the Internet of Things (IoT)’ eBook to help answer the many questions surrounding the subject.

Download your copy now to get up to speed on the IoT.

