Cybercriminals exploit the many vulnerabilities in the smart IoT devices found in homes. Whether the device is a voice-controlled speaker, a smart doorbell or a light switch, attackers can reach an entire network by compromising just one system, sometimes without even requiring an internet connection.
Consumers are becoming more aware of the potential security risks of smart devices. A recent study surveying 1,000 UK IoT consumers on their attitude to smart tech found that 81% of respondents are more inclined to purchase products that are certified as sufficiently secure from cyberattacks and invasion of privacy, while 73% find that independent testing against cyber vulnerabilities is a key factor influencing their purchases.
Making IoT devices more secure can be complex and challenging. Some key considerations can help electronic product designers better understand the state of the global regulatory market, and there are best practices to keep in mind when pursuing independent testing certifications to increase consumer confidence in IoT device safety.
Governance and regulatory environment
Governments are continuously working on the development of new legislation to help increase the security of connected products, setting a diverse range of standards to be met before accessing the local market.
The current regulatory environment around IoT security is disjointed, with different legal bodies co-ordinating the security standards for different countries and applying different forms of oversight to IoT development. For instance, in the US, the National Institute of Standards and Technology informs IoT regulations for devices acquired by the federal government under the IoT Cybersecurity Improvement Act of 2020, which allows IoT device manufacturers to adopt co-ordinated disclosure and leaves a product’s security features to their discretion. These laws do not apply in the states of Oregon and California, however, which abide by their own distinct IoT cybersecurity laws.
At the European level, product developers must comply with the forthcoming Cyber Resilience Act, proposed in September 2022 by the European Commission and currently at a redrafting stage. This legislation will encompass a wide range of devices, interconnected hardware, software and associated services. Manufacturers, importers and distributors of these products would need to ensure compliance throughout the entire lifecycle of the devices. In the UK specifically, the government relies on separate legislation, such as the recently enacted Product Security and Telecommunications Infrastructure Act, which affects the security of IoT/networked products and the vendors that manufacture them.
To help product developers navigate the complex web of regulations around IoT systems, third-party experts with specialised knowledge of the IoT sector acting as partners can offer fresh insight into the evolving global regulatory landscape and help co-ordinate compliance among the standards of regulatory bodies, industry alliances and organisations.
Collaborating with a third-party expert brings independent validation and certification. Manufacturers can earn internationally recognised certifications by undergoing rigorous audits and assessments, instilling confidence in consumers, partners and regulatory bodies alike.
Testing and compliance
Working with an independent third party mitigates risk and allows developers to concentrate on product innovation and emerging technologies.
Some regulations mandate periodic penetration testing as a condition of remaining compliant. Examples include the Payment Card Industry Data Security Standard, which applies to all entities that process, transmit or store cardholder data, and the Health Insurance Portability and Accountability Act, a health data security rule affecting all European providers active in the US market.
Penetration, or pen, testing simulates a cyberattack to identify weak spots in a system’s defences that could be exploited by cybercriminals. The test consists of structured security assessments that attempt to exploit software vulnerabilities using a broad range of hacking techniques, including embedded systems analysis and firmware evaluation.
The test aims to identify weak points missed during the development process, and it is usually recommended that a third party, which needs more prior knowledge of how the system is secured, perform it. This outside contractor works as an ‘ethical hacker’, hired to break into a system in order to improve its security.
While penetration testing may not be referred to explicitly in other IoT-focused security laws, it is widely recognised as a crucial component of an effective security strategy in testing and measurement practices. It is among the “appropriate technical and organisational measures” required to comply with the General Data Protection Regulation (GDPR).
Rating IoT security
Implementing strong security measures for IoT devices requires significant time and effort, along with the associated costs of integrating security and updates into more complex IoT designs. IoT systems consist of various processing elements and code executed in different locations, each requiring different levels of physical and logical security. Having multiple locations increases the system’s complexity and often requires manufacturers to engage highly skilled personnel to assist in testing procedures, increasing overall production costs.
Manufacturers rely on security rating systems to identify the appropriate level of security required by different IoT devices, allowing customers to choose the best security options that fit their needs.
For example, some IoT devices do not need direct internet access, which limits both their exposure to attack and the data they store. These devices also have limited processing and bandwidth capabilities, which places them at a lower priority in terms of security risk. Manufacturers can thus rate systems with limited direct internet access as less vulnerable than those on the network periphery, which require a higher security rating.
Manufacturers also face the challenge of predicting how users will employ their IoT systems and how this may impact the security of their products.
Even though some IoT devices, such as Wi-Fi light bulbs, do not need to be directly connected to the internet, users may choose to connect them without realising that this poses a higher risk. To determine the risks a system poses, it is helpful to ask general questions about its security scope. This gives vendors and manufacturers a guideline for establishing a minimum level of security that is appropriate relative to cost. However, a high level of security should remain the standard to strive for.
Assessment and development
A staged approach is often the best practice to comply with regulations and to weigh commercial factors and risks. It involves implementing a minimum base of security for all devices and increasing security measures for systems posing greater risks.
Reducing exploitation and identifying vulnerabilities is a never-ending task. To anticipate emerging cyber threats, product developers should foster a culture of prevention around IoT security. Ways to enable regular gap-assessment practices include establishing a support network of best practices and customised programmes and training. This can help companies build education standards and set new cybersecurity objectives throughout the organisation and supply chain. It can also establish a secure development lifecycle that incorporates cybersecurity into the design, testing and maintenance phases of a product’s lifecycle and promotes good cybersecurity in products and systems.
Enhancing the security of IoT systems can be challenging and expensive, and the ever-changing regulatory landscape complicates it further. Overall, it is difficult to anticipate future changes within the industry: new compliance requirements might emerge in regions where they are currently absent, or already deployed IoT devices might require further updates to meet new regulations.
One new initiative that is likely to bring about significant change within the European regulatory environment is the Cyber Resilience Act, which will impose stricter cybersecurity regulations on manufacturers of IoT smart devices. Manufacturers will be required to assess the risk profiles of products and address any identified vulnerabilities. They must also promptly notify authorities within 24 hours if any issues or threats are discovered. Non-compliance with these provisions could result in significant fines of up to €15m or 2.5% of global turnover and potential sales bans.
This initiative, existing regulations, commercial interests and substantial financial penalties will shape the consumer IoT market from the last quarter of 2023. The impact of these measures is expected to extend beyond the smart home sector and spill over into new areas, such as the wellness industry. As consumers become more aware of the data and recommendations generated by their wearable devices, they will likely demand stronger security measures in a similar way to how the payments sector was shaped by GDPR.
While governments worldwide are working to implement better regulations around the security of connected devices, harmonising standards among different markets remains a challenge. Third-party experts and independent certification play a role in guiding product developers through the intricate web of regulations required to launch a product while helping instil more confidence in IoT consumers when purchasing these devices.
Finally, by instilling a culture of prevention around IoT security, manufacturers can stay ahead of evolving threats and help increase the long-term security of their IoT products.