"If everything is connected, everything can be hacked."
Earlier this year, the EU announced a Cyber Resilience Act, which aims to strengthen Europe’s security legislation. European Commission President, Ursula von der Leyen, explained: “If everything is connected, everything can be hacked.” In other words, the growing number of connected devices will increase our vulnerability to cyberattacks. This is clearly concerning, given that more widespread implementation of Internet of Things (IoT) infrastructure is now underway.
The new legislation aims to define common cybersecurity standards for all connected devices. This will bring further support to the European security standards relating to IoT devices that are already in place.
Whenever new technology becomes available, safety and security legislation must of course keep up, with any delay potentially leaving consumers at higher risk. For example, in the UK, the first motorway opened in 1958, but no speed limit was specified until 1965, following a series of fatal crashes.
Similarly, in today’s IoT market, there is a need to solidify the security standards involved. This will mitigate the threat that consumers and their property are exposed to via hacking or cybercrime activities undertaken by malicious parties.
Most consumers assume that security is already built into the IoT products they can buy, with no set-up or subsequent configuration required for the voice assistants, smart lighting or security cameras that are an increasingly common feature of the modern home. However, this is not necessarily the case. Many take the view that; You don’t need to worry about a traditional TV or fridge being secure, so why should you act differently when you plug in your new smart speaker?
While industry alliances and government agencies have published various guidelines and cybersecurity standards establishing minimum-level security, not all IoT device makers and vendors have necessarily implemented them. This is why we regularly hear stories about the hacking of smart appliances, medical devices and baby monitoring cameras, with people’s privacy invaded and their data stolen.
As the IoT industry has not acted quickly enough with regard to self-regulation on security, governments around the world have felt compelled to step in to ensure that consumers are adequately protected. Researchers estimated that 40.8% of smart homes have at least one device in them that is vulnerable to attacks – and this figure, which is from 2019, has no doubt increased since then.
Legislation in the works
The announcement of the new EU Cyber Resilience Act is a promising start, but there is still much work to be done to fill in all the necessary details.
Technology laws can be complex, but it is essential that both industry and consumers understand the most significant implications of IoT security in relation to future regulatory measures:
#1. Secure by default: One of the most important changes needed is for governments to require that IoT products are secure on arrival. New IoT products should function out of the box, with their security features already enabled. This also means that once the consumer adds a new IoT device to their network, the device should not require any further configuration for it to be used securely. Only a few weeks ago, the UK government introduced the Product Security and Telecommunications Infrastructure Bill (PSTI) that will directly combat the practice of products being shipped with universal default passwords. In addition to these set security requirements for devices, non-compliance will now also result in penalties. This opens the door to a real impact on consumers as the bottom line of any company making or selling IoT devices in the UK will be hit if they fail to meet new standards. The EU is likely to be watching the market impact of this bill closely.
#2. Threat modelling: IoT device makers need to consider the threats and risks around how products will be developed, produced, and used. This requires research to understand how consumers will operate the product, what kind of data it will process and, most importantly of all, who might want to compromise that data. Once companies understand who the most likely attackers are, they can design products that are capable of stopping them.
#3. Breach readiness and processes: Companies must show that they can respond effectively to cybersecurity incidents. They must have an operational security incident response process to address incidents affecting their operations, as well as a product security incident response process to help customers address product-related security incidents.
#4. Secure for life: Companies developing products with longer-term deployment periods must demonstrate that, for the duration of these products’ expected lifetimes, they can securely update/upgrade the security in order to keep up with any new threats that might emerge.
#5. Secure operations: Technology manufacturers must adopt security practices within their own operations, to ensure the products that they make are secure. For example, if a manufacturer is continuously experiencing internal security breaches due to negligent or compromised network security or a lack of security management processes, it is reasonable to think that its own product security may not be sufficient.
#6. Supply chain compliance: Companies must show that they can effectively manage the risk of cybersecurity impacting their entire supply chain. Regular accountability checks must be undertaken to monitor security standard compliance over time, and as threats grow and change.
Creating common sense IoT security legislation is not simple, but it is achievable, and there is no doubt that it must be done. The UK Government and EU announcements are encouraging and validate the cybersecurity approach many companies in the industry are already taking to secure the IoT. If the industry collectively shares best practices, security technology professionals can help legislators to draft regulations that keep consumers’ data secure while enabling IoT technology to continue to thrive in our day-to-day lives.
This article was originally published on EE Times Europe.