New IoT legislation requires greater commitment to security, writes Iain Davidson, pictured, Senior Product Manager at the IoT product company Wireless Logic.
According to IDC’s latest Worldwide Internet of Things Spending Guide, IoT spending is set to reach almost $345 billion by 2027. The fastest adoption will be seen across use cases such as irrigation management in the resources industry and fleet management in transport. As the scale and complexity of IoT systems continue to grow, so does the attack surface available to bad actors, which makes IoT cyber security ever more important.
As IoT cybersecurity gains more attention, legislation is expected to increase in size and scope. The pace of introduction and compliance requirements vary from one region to another. However, we can look to industry standards to set a benchmark. Manufacturers can equip their devices against cyberattacks, and at the same time get ahead of the compliance requirements of procurement organisations, by building security into their IoT products now.
There are already standards and legislation in place that providers can look to when developing solutions. Standards like ETSI EN 303 645, IEC 62443-4-2, and ISO/SAE 21434 have already established a baseline for IoT security. Solutions can take a lead from these standards to meet cybersecurity challenges by, for example, allocating unique device identities, keeping security credentials private, authenticating devices on networks, keeping software up-to-date, reporting anomalies and threats, and quarantining affected devices.
Additionally, the UK’s Product Security and Telecommunications Infrastructure (PSTI) Act, the EU’s Cyber Resilience Act, and the USA’s IoT Cybersecurity Improvement Act (for devices used by the US federal government) are all legislation that solution providers should take into account. It’s also important to note that providers need to be aware of standards and legislation globally, especially if their products have international reach.
Looking to the future of IoT security
According to a SonicWall report there were 57 million IoT malware attacks in the first half of 2022. Clearly, the IoT faces very real security threats; despite this, 43 percent of businesses don’t fully protect their IoT estate. While this may not be an active decision, factors such as a lack of staff or specific IoT security expertise, and difficulty finding a suitable solution, may be the cause. All connected devices, systems and networks face cyberthreats, which are becoming more advanced all the time. The only way to mitigate this is to build security into every stage of product and process design, as well as ensuring the staff involved are properly trained on cyber risks.
To help combat cybersecurity threats amongst IoT devices, a new piece of legislation will come into effect in 2024. The PSTI (Product Security) regime will regulate consumer products such as routers, webcams and connected fridges. Impacted products must be free of default passwords, have a vulnerability disclosure policy and be transparent about update support periods.
The role of device manufacturers
In order to truly secure IoT devices, security must be a top priority at every stage. Device manufacturers have a vital role to play in IoT security, and the most important thing they can do is act now. It won’t be long before organisations mandate cybersecurity compliance for the devices they procure, if they aren’t doing so already. Indeed, IoT security acquisition guidance from the US’ Cybersecurity and Infrastructure Security Agency (CISA) identifies that buyers adopting a security stance, “send a demand signal for improved cybersecurity in IoT technologies to sellers and manufacturers of IoT technology.”
Challenges of legislation implementation
The World Economic Forum’s report on the ‘State of the Connected World’ acknowledges that policies relating to the security of connected devices are “fragmented by region.” This strikes at the heart of the IoT security challenge. IoT deployments are often international, global even. Device manufacturers and solutions providers may find they have a range of existing and pending legislation to take account of.
The governance gaps called out by WEF will close over time. Even where legislative impact is still uncertain, one thing is clear: the direction of travel is towards more, and more stringent, IoT cybersecurity policies. Another challenge for industry is that the frequency of attacks and the methods used by cyber criminals are constantly evolving, so defences against those attacks need to evolve as well. While it is possible to certify that a standard has been met, this alone is no guarantee that attacks will not succeed.
Companies should implement defensive measures, but also prepare and practise for a security breach. Automated detection of changes in device or system behaviour (increasingly using machine learning) is a valuable technique, while training people and processes on how they should react to such breaches is also essential. The damage to revenue and reputation grows with the time it takes to detect and react to cyber-attacks that get through the defences.
Defend, detect, react, rehearse!
Companies must secure their solutions end-to-end. This means taking a more holistic and proactive approach, one that encompasses processes and people – including those of suppliers – as well as technology. After all, ransomware and malware attacks often target individuals within organisations. These can find their mark if employees aren’t adequately trained in what to look out for and how to raise an alarm.
Comprehensive IoT security defends against, detects and reacts to threats. To defend, unauthorised access to devices, cloud infrastructure and data must be prevented. It should also include secure communication, resilience against outages, software updates, data security policies and regulatory compliance.
To detect any breach that occurs, companies must have device monitoring in place and analyse their network traffic. That way, any anomalous activity or behaviour indicative of a breach, such as a changed target URL or unusual data usage, can be picked up. To react, companies must be prepared and have automated countermeasures in place. These include threat isolation, quarantining and cleaning affected devices.
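The detect-and-react loop described above, as a small worked example. This is added illustration written for this article, not Wireless Logic’s product or code: the telemetry records, the device names, the allow-listed hosts and the ten-times spike threshold are all constructed assumptions. It flags the two signals the text names (a changed target URL and unusual data usage) against a per-device baseline, and then decides which devices to quarantine.

```python
"""Constructed IoT fleet telemetry with a simple anomaly detector and an
automated quarantine decision.  Added example; not the article's own code."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: (device_id, destination_url, bytes_sent) per reporting
# interval, as a device-monitoring feed might deliver it.  Hypothetical data.
SAMPLE_TELEMETRY = [
    ("cam-0012", "https://telemetry.example.net/ingest", 4_200),
    ("cam-0012", "https://telemetry.example.net/ingest", 4_350),
    ("cam-0012", "https://telemetry.example.net/ingest", 4_100),
    ("cam-0012", "http://203.0.113.77/upload", 4_300),           # changed target URL
    ("meter-077", "https://telemetry.example.net/ingest", 900),
    ("meter-077", "https://telemetry.example.net/ingest", 950),
    ("meter-077", "https://telemetry.example.net/ingest", 880),
    ("meter-077", "https://telemetry.example.net/ingest", 48_000),  # unusual data usage
    ("meter-078", "https://telemetry.example.net/ingest", 910),
]

# Assumed policy: the only hosts fleet devices are expected to talk to.
ALLOWED_HOSTS = {"telemetry.example.net", "updates.example.net"}
# Assumed threshold: flag an interval sending more than 10x the device's mean so far.
SPIKE_FACTOR = 10
MIN_HISTORY = 3  # need a few prior samples before a baseline is meaningful


def detect_anomalies(records, allowed_hosts=ALLOWED_HOSTS, spike_factor=SPIKE_FACTOR):
    """Return a list of (device_id, reason) findings in record order.

    Two checks per record: destination host outside the allow-list, and
    bytes_sent above spike_factor times the mean of that device's earlier
    intervals (only once MIN_HISTORY samples exist, so a device's first
    report is never a 'spike' against an empty baseline).
    """
    history = defaultdict(list)
    findings = []
    for device, url, sent in records:
        host = urlsplit(url).hostname or ""
        if host not in allowed_hosts:
            findings.append((device, f"unexpected destination {host}"))
        prior = history[device]
        if len(prior) >= MIN_HISTORY:
            mean = sum(prior) / len(prior)
            if sent > spike_factor * mean:
                findings.append(
                    (device, f"data volume {sent} > {spike_factor}x mean {mean:.0f}")
                )
        prior.append(sent)
    return findings


def quarantine(findings):
    """Automated countermeasure: the set of devices to isolate.

    A real deployment would call the connectivity platform or network
    access control API here to cut the device's data path; this function
    only makes the decision so that it can be checked in isolation.
    """
    return {device for device, _ in findings}


if __name__ == "__main__":
    hits = detect_anomalies(SAMPLE_TELEMETRY)
    for device, reason in hits:
        print(f"ALERT {device}: {reason}")
    print("quarantine:", sorted(quarantine(hits)))
```

The baseline is deliberately per device rather than fleet-wide: a camera and a meter have very different normal volumes, and a single fleet average would either miss the meter's spike or flag every camera. The allow-list check needs no history at all, which is why it is the cheaper signal to deploy first.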
All of that said, companies must also do one more thing, rehearse. There is no substitute for it. It prepares companies to take swift action should they need to, because they have rehearsed the scenario, they know what it looks like, and they have a plan ready to implement. Rehearsal can also help identify weak areas that, if addressed, could avert a problem occurring in the first place.