Devices from the Internet of Things world seemed different from other network-addressable electronics early on. But with cybersecurity concerns on the rise, regulators are catching up, treating IoT devices like any other endpoint.
The IoT Cybersecurity Improvement Act of 2020 is one such effort. The bill requires the National Institute of Standards and Technology (NIST) and the Office of Management and Budget to take specified steps to increase cybersecurity for IoT devices. In response, NIST issued guidance on IoT security and created a risk management framework.
Across the pond, the EU introduced a cybersecurity standard for consumer IoT products in June 2020, and the GSM Association (GSMA), an industry organization representing mobile network operators worldwide, issued IoT Security Guidelines. Those include 85 detailed recommendations for the secure design, development, and deployment of IoT services, with an emphasis on security testing of networked cameras. “We believe this is an important first step,” says Dima Feldman, vice president of product management and marketing at Sony Semiconductor Israel.
As a rule, however, “Most laws applicable to cybersecurity generally would also overlap on IoT,” says Mark Kirstein, vice president of customer service for Cosant Cyber Security in Tempe, Ariz. He mentions HIPAA regulations as an example, since hospitals now use many IoT devices, and many touch the personal health information of patients.
So far, emerging regulations related to IoT security are fairly simple to implement, says Feldman, citing examples such as requiring every device to have a unique password and to use standard encryption techniques.
Looking forward, though, he foresees more restrictive regulations and certifications coming. “As IoT becomes a part of our life, it will control smart cities, the electrical grid, and other infrastructure, and it must be protected from sophisticated and even ‘government level’ hackers.” Future compliance guidelines will demand that devices deployed in large volumes, or as part of critical systems, undergo mandatory penetration testing, Feldman adds.
How much impact new rules will make is hard to estimate. While end users tend to ignore regulations of all kinds, they’re even more likely to ignore IoT regulations. For instance, Feldman notes, users often disregard physical security guidelines for IoT devices. “Also, there are no requirements for service-level security and monitoring the state of the device.”
That, along with the weak default security protections on many IoT devices, has led to unwelcome news coverage of breaches, such as DDoS attacks launched from IoT cameras back in 2017. “There is practically no regulation to make sure that future IoT devices will not issue similar or more sophisticated attacks in the future,” says Feldman.