Understanding the Risks and Regulations of IoT Security

The Internet of Things (IoT) is quickly becoming a part of our everyday lives. From smart homes to connected cars, IoT devices are transforming the way we live, work, and play. However, with this rapid advancement comes a significant concern: security.

In this comprehensive exploration of IoT security, Malcolm Kitchen, FAE - Secure Trust Provisioning at EPS Global delves into the journey towards establishing effective regulations, the real-world consequences of inadequate security, the balance between corporate and consumer risk, and the crucial role of distributors in ensuring IoT security.

We also look towards the future of IoT security, examining how evolving regulations, the proactive or reactive approaches of companies, and the increasing importance of lifecycle management will shape the landscape. As we navigate through these complex issues, we will hear from various stakeholders, including the IoT Security Foundation, Future Electronics, and NXP, all of whom play a critical role in the IoT security ecosystem.

EPS Global sits at the center of this secure ecosystem, offering a complete embedded security solution that enables manufacturers to comply with new legislation. The solution includes a low-cost, easy-to-use encryption system compatible with a wide range of microcontrollers that encrypts microcontroller code and data using Public Key Infrastructure (PKI) security techniques, authenticates microcontrollers and firmware, manages and generates required security certificates, and provides software libraries to enable cryptography in microcontrollers. Additionally, it's linked to a high-security module that generates keys and signs certificates, allowing manufacturers to retrofit existing code.

The Journey Towards IoT Security Legislation

In the rapidly evolving world of Internet of Things (IoT), security has become a paramount concern. The journey towards establishing effective IoT security legislation has been a collaborative effort involving various stakeholders, including the IoT Security Foundation (IOTSF). The IOTSF's role in shaping these regulations has been instrumental, and their journey is a testament to the complexities and challenges of regulating IoT security.

The IOTSF's journey began in 2015, with the idea of creating a product security label to help consumers distinguish between secure and non-secure products. However, they soon realized that the substance beneath the label was more critical. Consequently, they shifted their focus towards raising awareness and examining various aspects of IoT security.

The IOTSF began working closely with the UK government, and their most significant collaboration started in 2018 when they became concerned about the consumer market. Recognizing the government's responsibility to protect its citizens, especially in consumer legislation, they started discussing what they could do for consumers. This led to the creation of the Consumer Code of Practice for IoT Security in 2018, which then evolved into a piece of work within the European standards organization ETSI.

Vulnerability Disclosure

As they worked on the requirements and pathways for regulation, they also monitored the market. One key aspect they focused on was vulnerability disclosure, which is crucial for keeping security up to date over a product's operating life. Their research in 2018 found that less than 10% of companies with products on the market had a vulnerability disclosure reporting mechanism, indicating a market failure and justifying the need for regulation.

Regulating IoT security is challenging, as it's easier to get it wrong than right. Striking the right balance between setting requirements too high or too low is crucial to avoid stifling the market or making the regulations seem pointless. The UK government, along with other governments and the IoT Security Foundation, worked on establishing minimum requirements that could adapt as security issues evolve.

The regulation process began around 2018, and despite complications and the pandemic, it reached royal assent on December 6, 2020. The framework legislation sets up the powers for the Secretary of State and applies to manufacturers, importers, and distributors of connected products. On April 29, 2023, the secondary part of the regulation, which defines the specifics of the legislation, came into force. This means that by April 29, 2024, it will be a legal requirement to satisfy the minimum requirements for IoT security for any consumer products being sold in the UK market.

In conclusion, the journey towards IoT security legislation has been a long and complex one, involving various stakeholders and numerous challenges. However, the progress made so far is promising, and the future looks bright for a more secure IoT landscape.

The Real-World Consequences of Inadequate IoT Security

As the Internet of Things (IoT) continues to grow and evolve, the security of connected devices has become a critical concern. In an increasingly interconnected world, the real-world consequences of inadequate IoT security can be devastating.

Haydn Povey, a leader in Embedded Cybersecurity & Technology, formerly CEO of Secure Thingz, likens not securing your connected device to leaving your front door unlocked. This seemingly open invitation to cybercriminals can result in a multitude of detrimental outcomes. From a simple breach of privacy to the shutdown of major infrastructure, the potential damage is vast and varied.

One significant example is the Colonial Pipeline attack in the United States, which resulted in the shutdown of major oil pipelines for an extended period. This incident highlighted the real-world impact of cyber-attacks, demonstrating how they can disrupt physical infrastructure and cause widespread chaos.

The Cyber-Physical World: IT & OT Merged

Moreover, the IoT operates in the cyber-physical world, merging IT with OT (Operational Technology), where things can physically go wrong when security is compromised. This is exemplified by the increasing prevalence of cyber warfare, where the consequences of attacks are felt in the physical world. Critical infrastructure, water and sewage works, transportation systems, and homes with smart meters are all potential targets for these attacks. The reality is that these systems are all subject to attack, and the consequences of a failure or malware injection could be catastrophic because lives can be lost.

The challenge is that bad actors, often state-sponsored, have practically infinite resources. They can purchase and reverse engineer devices, and if there is any flaw in your device, they will find it. This is very much on the agenda of governments around the world, the EU, and the US.

Additionally, there are other challenges such as IP theft, counterfeiting, cloning, and overproduction. Governments are focused on securing supply chains, and every organization needs to think about their supply chain.

Why is Device Lifecycle a Security Concern?

The lifecycle of devices is another significant concern. As Haydn points out, none of the devices we ship today are in their final state because we know there will be firmware updates in the future. A key part of the legislation is managing the lifecycle of devices, updating, and patching not just computers but all internet-connected devices.

In conclusion, the real-world consequences of inadequate IoT security are far-reaching and potentially devastating. As such, it is crucial for both corporations and consumers to prioritize the security of their connected devices, not only to protect their own interests but also to contribute to the broader effort of maintaining a safe and secure digital landscape.

The Balance Between Corporate and Consumer Risk

As the Internet of Things (IoT) continues to expand, so does the shared responsibility between corporations and consumers in managing and mitigating security risks. This balance is not only a matter of technical implementation but also a strategic business decision that can significantly impact a company's reputation and bottom line.

On one hand, corporations are tasked with designing and manufacturing IoT devices that are secure and compliant with the latest regulations. This involves investing in advanced security features, implementing robust security protocols, and regularly updating their products to address potential threats and vulnerabilities. However, this is not a one-off task. The lifecycle of IoT devices is a critical aspect of security. Companies must think about how their end users, consumers, and customers' consumers will manage these devices long term.

Unfortunately, this means that a significant amount of responsibility and potential pain is being placed on corporations. With the new legislation ticking and just short of 8 months left, companies need to start implementing security measures in devices currently in production. This is because it will take approximately 12 months to roll out such a framework.

On the other hand, consumers play a crucial role in maintaining the security of their connected devices. While they may not think about how their devices get updated, they will undoubtedly be impacted by it. For instance, consumers must ensure that they regularly update their devices, use unique and strong passwords, and report any security issues they encounter.

However, the balance of risk does not end with these responsibilities. As companies' real value increasingly lies in the software running their products, protecting the intellectual property of these software becomes essential. This means that losing control of the software could be an existential risk for many companies. Therefore, the balance of risk is not just about protecting the consumers but also about protecting the companies themselves.

Security by Design, by Default, and Security First

In the face of these challenges, companies must strike a balance between corporate and consumer risk. This balance lies at a 50/50 point, where both parties must take proactive measures to manage and mitigate security risks. For corporations, this means investing in security by design, security by default, and security first. For consumers, this means being vigilant and proactive in maintaining the security of their connected devices.

In conclusion, the balance between corporate and consumer risk in IoT security is a complex and ongoing challenge. However, by adopting a security-first mindset and taking proactive measures, both corporations and consumers can contribute to a more secure IoT landscape. As the new legislation comes into force, it will be crucial for all parties to understand their responsibilities and take the necessary steps to ensure the security of their connected devices.

The Role of Distribution, Manufacturers, and Service Providers in IoT Security

As the IoT landscape continues to evolve, chip manufacturers and service providers play a pivotal role in ensuring that customers are equipped with the necessary tools and knowledge to navigate the complex world of IoT security. Companies like EPS Global, IAR, NXP, and Future Electronics are stepping up to this challenge, offering invaluable support to customers as they prepare their products for new cybersecurity legislation.

Future Electronics, with its extensive engineering service, is uniquely positioned to assist customers in their IoT security journey. The company boasts a team of over 400 engineers worldwide, dedicated to working with embedded customers and assisting them with their designs. These engineers have specialized backgrounds in wireless and processor design and have undergone rigorous training from suppliers like NXP on available security options. This builds internal expertise, enabling Future Electronics to work closely with embedded systems designers and help them understand the nuances of bringing their designs up to code.

However, the role of distributors in IoT security extends beyond the design stage.

The company also plays a crucial role in helping customers understand the landscape of IoT security. Future Electronics aims to bridge this knowledge gap, bringing expertise as a partner through distribution to help customers with their design.

Maintaining Security During Production

Moreover, the company is committed to helping customers understand the steps required to maintain security during production. This involves ensuring that code is securely transferred from the customer to the contract manufacturer or whoever is programming the chips. The company understands the ecosystem and the steps required to maintain security, depending on the supplier requirements from different semiconductor manufacturers.

In the ever-evolving landscape of IoT security, distributors like Future Electronics are more than just a link in the supply chain. They are partners, educators, and advocates, playing a crucial role in helping customers navigate the complexities of IoT security. As new legislation continues to shape the industry, the role of distributors will only become more critical, ensuring that customers are not only compliant but also confident in their ability to secure their products and protect their users.

Looking Ahead: The Future of IoT Security

As we look towards the future of IoT security, it's clear that the landscape is poised for significant change. The importance of securing connected devices is becoming increasingly recognized, not just within the tech industry, but also among lawmakers and regulators. This heightened awareness is expected to drive further legislation, potentially on a global scale, aimed at ensuring the security of IoT devices.

Stella Orr, Software Product Manager at NXP anticipates that more countries will introduce local cybersecurity regulations for IoT products. This is not just speculation; we are already observing this trend. For instance, the United States has enacted SB 327, a law in California and Oregon that stipulates IoT cybersecurity requirements. Moreover, the FDA has announced cybersecurity requirements for medical products, indicating that the scope of such regulations is expanding beyond consumer electronics to other sectors.

Proactive or Reactive Security for Connected Devices?

The increasing prevalence of such legislation underscores the urgent need for companies to prioritize IoT security. However, the future landscape will likely be characterized by a divergence in how companies approach this issue. Some will proactively invest in securing their products, thereby gaining a competitive edge, enhancing customer trust, and ensuring product availability. These companies will be well-positioned to navigate the evolving regulatory landscape, having already implemented robust security measures.

However, Todd Baker from Future Electronics warns of the potential pitfalls for companies that lag behind, reacting to legislation at the last minute. This reactive approach could lead to rushed and potentially inadequate security measures, product shipment delays, and damage to the company's reputation. Drawing a parallel with the rush to become Y2K compliant in 1999, Todd urges companies to decide which side they want to be on and make that decision today.

In conclusion, the future of IoT security will be shaped by a combination of factors: evolving regulations, the proactive or reactive approaches of companies, and the increasing importance of lifecycle management. As we move forward, it's essential for all stakeholders to stay informed, proactive, and prepared. The stakes are high, but so too are the opportunities for those who prioritize and effectively manage IoT security.