Implementing Emerging Guidelines

Failure to meet regulations, guidelines may lead to regional sales loss

Governments around the world are creating Internet of Things (IoT) security legislation and regulations designed to keep users safe in an increasingly connected world. Connectivity is good and, in fact, great but bad things can happen to people with unprotected or poorly protected IoT devices. Failing to meet these regulations or guidelines may lead to the inability to sell products in a region and thus to lost revenue.

Layers for Attacks in the IoT
IoT security is necessary for all the things that connect to the internet to share data. This includes smart cars, smart cities and energy, smart industry, and the smart home and its numerous consumer devices. As shown in Figure 1, the IoT architecture consists of three layers:

  • Devices that send and receive data and commands
  • A network that conveys data and commands
  • Servers, or the cloud, that gather data, analyze and send commands

IoT Security Regulations
To prevent attacks, countries and regions around the world are creating IoT security guidelines and regulations.

In 2018, the United Kingdom’s Department for Digital, Cultural, and Media & Sport published its Code of Practice for Consumer IoT Security (“CoP”) [1]. These 13 guidelines, listed in Table 1, identify good practices for IoT security. The UK is now considering making their current recommendations mandatory.

  1. No default passwords
  2. Implement a vulnerability disclosure policy
  3. Keep software updated
  4. Securely store credentials and security-sensitive data
  5. Communicate securely
  6. Minimize exposed attack surfaces
  7. Ensure software integrity
  8. Ensure that personal data is protected
  9. Make systems resilient to outages
  10. Monitor telemetry data
  11. Make it easy for consumers to delete personal data
  12. Make installation and maintenance of devices easy
  13. Validate input data

At this point, the CoP is perhaps the best-established and most targeted guidelines. In 2020, the guidelines were adopted as an international standard: ETSI EN 303 645. The European Union (EU) has announced that it will adopt these guidelines and make them mandatory. Singapore and Finland have also adopted consumer IoT cybersecurity regulations and labeling schemes.

Although these schemes were initially voluntary, they are gradually becoming mandatory. As attacks and problems mount, more countries will likely adopt these guidelines and make them mandatory. Mandatory regulations usually include penalties and, in this case, could eventually prevent the sale of products within the regulating region.

In May 2020, the U.S. National Institute of Standards and Technology (NIST) released information report (IR) NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline [2]. This document provides baseline cybersecurity best practices and guidance for IoT device manufacturers. Table 2 shows the six capabilities recommended by this document.

  1. Unique logical and physical IDs
  2. Only authorized entities can change device configuration
  3. Protect stored and transmitted data from unauthorized access and mods
  4. Restrict access to local and network interfaces, protocols and services
  5. Permit software and firmware updates using secure, configurable mechanism
  6. Report device cybersecurity state to authorized parties

In December 2020, the IoT Cybersecurity Improvement Act of 2020, previously approved by both Houses of Congress by unanimous consent, was signed into law by the president. This unprecedented unity to address a national security problem in these contentious times confirms its importance and the confidence in the solution.

The provisions contained in this bill direct NIST to develop guidelines for security of IoT devices purchased by the government. It also directs the Office of Management and Budget to develop rules for agencies to follow when they purchase IoT devices in the future. In November 2021, NIST released their guidelines as NIST SP 800-213 [3] and NIST SP 800-213A. Essentially, these guidelines say that IoT devices must meet all of the usual government cybersecurity requirements, subject to an analysis of the risks and countermeasures present in the particular context.

Two other U.S. cyber security requirements were implemented by the executive branch in response to major attacks. One was developed in response to the SolarWinds cybersecurity attack (discovered Dec 13, 2020) [4]. The other was the response to the Colonial Pipeline Cyber Attack (April 2021) [5]. In addition to activity at the federal level, other legislation in the United States is occurring at the state level [6, 7].

This growing trend of IoT security regulations seems unlikely to abate soon. Rather, governments are moving actively to address the risks that IoT devices present.

IoT Defenses
Different security defenses are required in many facets of the IoT to avoid weaknesses for exploitation to satisfy security requirements. Figure 2 identifies 10 areas, many of which are outlined in the UK CoP and other regulations. However, without the help of security experts, it is not realistic to expect IoT device manufacturers to know the right defenses to employ. Device manufacturers are experts, and even world leaders, in building equipment such as washing machines, cars, and other products. However, the required depth of knowledge in networked device security is not often readily available in their organizations

Security hardware makes it easier for product manufacturers to design and produce secure IoT devices and makes it easier for users to install and use these devices. For example, Infineon offers a wide range of security hardware products, allowing the customer to choose the product that best meets the needs of their application.

How to Meet the Toughest Regulations
A careful look at the UK Code of Practice and NISTIR 8259A shows that many of the requirements are best met with hardware security. The choice of hardware over software-based security will not change with new legislation and regulations.

Security for Today and the Future
After years of attackers exploiting IoT device weaknesses, governments around the world are finally starting to take preventive action. With its intent “to ensure that products are secure by design,” the UK Code of Practice1 provides excellent guidelines for what is needed to provide security in today’s IoT devices.

Thus, it is not surprising that these rules are being adopted in the European Union’s and Singapore’s regulations. Similar requirements are found in USA guidelines such as NISTIR 8259A. As demonstrated by NISTIR SP 800-213 and recent executive orders, these rules are tightening over time as more security is needed. To avoid premature product obsolescence, device manufacturers should adopt strong security solutions like the AIROC, PSoC and OPTIGA™ solutions that can be used to meet the increasingly stringent requirements for IoT security emerging from governments all around the world.

Doing the best job possible for designing an IoT product starts with hardware-based security to provide best-in-class security and preparation for the most rigorous security requirements --- both today and in the future.

References:
1. https://www.gov.uk/government/publications/code-of-practice-for-consumer-iot-security
2. https://www.nist.gov/news-events/news/2020/06/security-iot-device-manufacturers-nist-publishes-nistirs-8259-and-8259a
3. https://csrc.nist.gov/News/2021/updates-to-iot-cybersecurity-guidance-and-catalog
4. Executive order on improving the nation’s cybersecurity, and Security Memorandum on improving cybersecurity for critical infrastructure control systems: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
5. https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/national-security-memorandum-on-improving-cybersecurity-for-critical-infrastructure-control-systems/
6. https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB327
7. https://gov.oregonlive.com/bill/2019/HB2395/

This article originally appeared in the May / June 2022 issue of Security Today.

Featured

  • Cybersecurity Awareness Month: Top Five Action Items to Elevate Your Data Security Posture Management and Secure Your Data

    October is Cybersecurity Awareness Month, and every year most tips for security hygiene and staying safe have not changed. We’ve seen them all – use strong passwords, deploy multi-factor authentication (MFA), be vigilant to spot phishing attacks, regularly update software and patch your systems. These are great recommended ongoing tips and are as relevant today as they’ve ever been. But times have changed and these best practices can no longer be the bare minimum. Read Now

  • Boosting Safety and Efficiency

    Boosting Safety and Efficiency

    In alignment with the state of Mississippi’s mission of “Empowering Mississippi citizens to stay connected and engaged with their government,” Salient's CompleteView VMS is being installed throughout more than 150 state boards, commissions and agencies in order to ensure safety for thousands of constituents who access state services daily. Read Now

  • Live From GSX: Post-Show Review

    Live From GSX: Post-Show Review

    This year’s Live From GSX program was a rousing success! Again, we’d like to thank our partners, and IPVideo, for working with us and letting us broadcast their solutions to the industry. You can follow our Live From GSX 2023 page to keep up with post-show developments and announcements. And if you’re interested in working with us in 2024, please don’t hesitate to ask about our Live From programs for ISC West in March or next year’s GSX. Read Now

    • Industry Events
    • GSX
  • People Say the Funniest Things

    People Say the Funniest Things

    By all accounts, GSX version 2023 was completely successful. Apparently, there were plenty of mix-ups with the airlines and getting aircraft from the East Coast into Big D. I am all ears when I am in a gathering of people. You never know when a nugget of information might flip out. Read Now

    • Industry Events
    • GSX

Featured Cybersecurity

New Products

  • XS4 Original+

    XS4 Original+

    The SALTO XS4 Original+ design is based on the same proven housing and mechanical mechanisms of the XS4 Original. The XS4 Original+, however, is embedded with SALTO’s BLUEnet real-time functionality and SVN-Flex capability that enables SALTO stand-alone smart XS4 Original+ locks to update user credentials directly at the door. Compatible with the array of SALTO platform solutions including SALTO Space data-on-card, SALTO KS Keys as a Service cloud-based access solution, and SALTO’s JustIn Mobile technology for digital keys. The XS4 Original+ also includes RFID Mifare DESFire, Bluetooth LE and NFC technology functionality. 3

  • ComNet CNGE6FX2TX4PoE

    The ComNet cost-efficient CNGE6FX2TX4PoE is a six-port switch that offers four Gbps TX ports that support the IEEE802.3at standard and provide up to 30 watts of PoE to PDs. It also has a dedicated FX/TX combination port as well as a single FX SFP to act as an additional port or an uplink port, giving the user additional options in managing network traffic. The CNGE6FX2TX4PoE is designed for use in unconditioned environments and typically used in perimeter surveillance. 3

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3