How will government actions on IoT security impact the decisions I make today?

Benedikt_Abendroth · ‎Apr 28 2022

Government regulation of IoT is relatively new and still taking shape, creating a complicated and dynamic regulatory landscape for both domestic and global markets. Given the extended timelines for IoT development, procurement, deployment, and operation, IoT decision makers have a real challenge: how will decisions you make today hold up against governance yet to come? This blog series examines the frameworks and processes that governments rely on, and provides questions to help you better evaluate the choices you’re making today.

Navigating shifting tides: How will government actions on IoT security impact the decisions I make today?

Governments actively shaping IoT security landscape

In late 2021, the Singapore and UK governments became the first to announce mandatory security requirements for certain categories of IoT devices.[1] Other countries have defined guidelines, best practices, certifications, or labeling efforts. In the US, several states have introduced local legislation as well. While there are some commonalities, there are also many differences; the spectrum of security requirements is broad and one type of device might be in scope in one country but not in another. From the perspective of a manufacturer or device operator that is designing, purchasing, or operating connected devices, how do you know with which regulation a device needs to comply? What if the devices are deployed for several years? How do you navigate a landscape that continues to evolve? The goal of this blog post is to provide an overview of actions governments are taking, highlight key examples, and share questions that can help you evaluate whether your solution will be ready now and in the future. This blog post is the first in a series on this topic.

Increasing incentives for policymakers to intervene in market

Governments have a legacy of defining minimum requirements for industries or markets in which certain risks can directly affect consumers or enterprises. We are familiar with regulations for food, medicine, automobiles, air travel, and the safety of industrial machines. Failures in critical equipment or processes across any of these industries can have catastrophic consequences for consumers and employees. This Is why governments have a regulatory mandate to define and enforce a minimum bar for security and safety in these areas. The relationship between regulators and the industry is ultimately the foundation of confidence that enables us to execute everyday functions without worry: feed and care for ourselves, travel distances great and small, and have confidence in the security and safety of the equipment and machines we use at work.

In the case of IoT, as connected devices take on a greater role in our lives and workplaces, governments around the world are very aware of a growing threat landscape and increasing number of security and safety incidents. IoT solutions are increasingly powerful and insightful across many different sectors and the information they collect is proving more and more valuable to enterprises. This has made connected devices more critical to businesses, but has also exposed operations to more risks. Increasing cybersecurity incidents have raised the awareness of enterprises and governments, especially when attacks in the digital realm can impact the physical one: “the Colonial Pipeline cyberattack directly led to a shutdown of the largest conduit for gasoline in the United States. The compromise of Oldsmar water plant led to a hazardous situation, in which cyber actors obtained unauthorized access and used the SCADA system’s software to increase the concentration of sodium hydroxide […] in the water. The hack of a security camera provider exposed sensitive footage from hospitals, police departments, and a plethora of other companies.”[2] In the face of these threats, organizations need to better protect their devices and OT equipment that becomes essential when connected.

It is hard to argue that the market itself has sufficiently addressed this challenge at scale; many manufacturers continue to rush to market with unsecured or un-securable devices. According to the UK’s Department for Digital, Culture, Media & Sport (DCMS), “research shows that four in five manufacturers of connectable products do not implement appropriate security measures.”[3] And in the absence of easy-to-understand labels, the average consumer currently has no accessible way to differentiate a more secure product from a less secure one. In response to these challenges, an increasing number of local, national, and regional government bodies are acting to change that.

Can’t see the forest for the trees: Wide range of government actions and impact

There is a growing list of countries that already have or are in the process of taking actions related to IoT device cybersecurity, adding to an already complex and dynamic regulatory landscape. According to Arm’s “PSA Certified Security Report” from 2021, in a survey conducted with 628 technology decision makers, 48 percent of respondents see differing standards and regulations as a top challenge, “while 42 percent cite a lack of understanding or expertise within their business.”[4] There are many different lenses through which a technology decision maker can assess the developments and complexity of the landscape. Type of actions, geographies, device category, security strength—there is no right or wrong criterion, as the needs of consumers and device operators vary significantly. Let’s consider the types of government actions with a non-exhaustive list of examples to establish a foundational understanding of the landscape.

Although industry voices are important and can influence the regulatory landscape, for this blog we cover only actions taken by governments or by forums in which governments are stakeholders (e.g., standards or certification bodies). Actions that affect IoT devices can take place on a local level within a country, at a national level, or they can cover multiple countries within a region, such as the European Union. In addition, the types of actions are diverse: recommendations, voluntary programs, education, laws, norms, requirements—to name just a few. Not every policy measure targets all IoT devices; sometimes they only apply to a specific sector or device category, such as consumer devices or critical infrastructure.

Voluntary guidelines and best practices are probably the type of action used the most, often as first step before statutory measures are taken. The goal is usually to provide manufacturers with recommendations on how to improve the security of the devices they’re building and the technical level varies strongly, from simple high-level recommendations such as “don’t use default passwords,” to more technical recommendations for the engineers and developers who build the devices.[5] While guidelines and best practices are not mandatory, they can sometimes be the foundation for stringent government actions in the future. A prominent example would be the “Code of Practice for Consumer IoT Security,” published by DCMS in the UK in October of 2018. The purpose of the document was to “support all parties involved in the development, manufacturing, and retail of consumer IoT with a set of guidelines.”[6] In the US, the National Institute of Standards and Technology (NIST) published the “NISTIR 8259 Series,” with examples such as “Foundational Cybersecurity Activities for IOT Device Manufacturers” in May of 2020.[7] It describes “recommended activities related to cybersecurity that manufacturers should consider […].”[8] In contrast to the UK’s publication, NIST’s publication has a much wider scope by defining IoT devices in a way that’s independent of their use case and can include enterprise and industrial use cases as well. NIST has also developed additional guidance, including a “Profile Using the IoT Core Baseline and Non-Technical Baseline for the [US] Federal Government”[9]

Standards are often an important step towards more targeted measures and to align with the industry on the what and the how of security for IoT devices. A wide range of stakeholders often drive the development of standards, among them advocates representing various industries, researchers, academia, consumer protection, and other organizations representing civil society. Governments and their responsible agencies often participate at a minimum (depending on the standard organization) and can decide what to use as the basis for measures, such as certification or legislation described below. As a result, the process of developing a standard often takes much longer compared to voluntary guidelines, and they are usually much more technically focused, often describing specific security targets (indiscriminately with or without guidance on how to achieve those). A prominent example from the consumer IoT space is “ETSI EN 303 645,” a European standard that outlines baseline security provisions for consumer IoT.[10] It is based on the previously mentioned “Code of Practice for Consumer IoT Security” and has become a global center of gravity for governments as they determine what security baseline to promote or eventually require in a consumer IoT target vertical.

Certification and labeling programs for IoT security have seen a significant increase over the last two years. In November 2019, Finland became the first country to put in place a voluntary cybersecurity label for certain types of IoT devices sold within the country.[11] According to Traficom, the Finnish Transport and Communications Agency, the goal was “to raise consumer awareness of information security and the safe use of connected devices.”[12] In June of 2020, Singapore’s Cybersecurity Agency of Singapore (CSA) launched the Cybersecurity Labeling Scheme (CLS) for consumer devices. Both countries’ labeling schemes are based on ETSI EN 303 645 requirements for a certification that allows use of the respective labels (at different tiers with corresponding levels of security). Finland and Singapore even announced a mutual recognition effort of labels so that certified devices in one country don’t have to go through the full certification process again in the other.[13] In the US, NIST published “Recommended Criteria for Cybersecurity Labeling of Consumer Software” in February of 2022, which details “1) the role of a scheme owner in a labeling program; 2) baseline technical criteria […], 3) labeling presentation criteria; 4) conformity assessment criteria; and 5) a detailed discussion concerning consumer education and usability.”[14] All of these elements play an important role in whether a labeling program will be meaningful or not and illustrate the additional complexity and effort for all stakeholders involved (including both the government and industry). What differentiates certification and labeling programs from voluntary guidelines and standards is that they are not just addressing the IoT device manufacturers and suppliers, but also the consumers. Ultimately the goal is to equip consumers or companies managing their OT equipment with means to factor in the security of a connected device at the point of purchase, with the intention that manufacturers will be incentivized to differentiate from their competitors by providing better security.

Mandatory requirements and legislation are the strongest form of actions a government can take to shape the IoT landscape. In the US, the “IoT Cybersecurity Improvement Act of 2020” will mandate security requirements for US federal agencies procuring IoT devices.[15] As of October 12, 2021, all Wi-Fi routers sold for local use in Singapore are required to comply with the “IMDA Equipment Registration Framework”[16] and attain level 1 of the Singapore CLS mentioned above.[17] In the EU, the “Radio Equipment Delegated Act,” was adopted on October 29, 2021, with "legal requirements for cybersecurity safeguards, which manufacturers will have to take into account in the design and production of concerned devices.”[18] It covers certain categories of wireless devices that are capable of communicating over the Internet, including toys, baby monitors, and fitness trackers, amongst others.[19] In November of 2021, UK’s DCMS announced “[a] new law [that] will require manufacturers, importers and distributors of digital tech which connects to the internet […] to make sure they meet tough new cyber security standards.” Called the “Product Security and Telecommunications Infrastructure Bill (PSTI)”, it “will allow the government to ban universal default passwords, force firms to be transparent to customers about what they are doing to fix security flaws in connectable products [including the minimum amount of time a product will receive security updates and patches], and create a better public reporting system for vulnerabilities found in those products.”[20] The law will be overseen by a new, yet-to-be-assigned regulator with the power to issue fines up to 10 million GBP or four percent of annual global turnover.[21] The bill is currently going through the passage process in the UK parliament and might be subject to further changes at the time of writing.[22]

A snapshot in time: Landscape and government actions will continue to evolve

As technology evolves, so will the threats they face and the potential consequences of security incidents on consumers and enterprises. Governments are very aware of that. According to Singapore’s CSA, the agency will “monitor the response to the scheme and consider when it will be suitable for the labeling scheme to be made mandatory for IoT consumer devices.”[23] A spokesman for UK’s DCMS stated that the intention for the scope of the legislation to be adaptive to make sure that the legislation can keep up with new and emerging threats to consumer devices.[24] According to the Cybersecurity Tech Accord, a global consortium of technology companies (incl. Microsoft), it is expected that regulators will “focus increasingly on at least these first three [of UK DCMS’ requirements mentioned above] cybersecurity criteria in the near term with the option to expand their focus later […].”[25] In addition, labeling schemes that are voluntary can become mandatory, and products that were out of scope can come into scope. Singapore’s CLS was initially introduced to cover Wi-Fi routers and some home hubs only, but “has since been extended to include all categories of consumer IoT devices […].”[26]

From the perspective of a manufacturer or enterprise that designs, purchases, or operates an IoT solution deployed for several years in the field, observing the policy landscape and its potential impact can be daunting. Because government action on IoT security is incredibly dynamic, it can conflict with the timeframe for making critical IoT decisions, from procurement to when devices are retired. Governments are aware of that, but have to balance the interests of manufacturers and the industry. So, what’s the answer?

As Niels Bohr, a Danish physicist and the father of the atomic model, said, “Prediction is very difficult, especially about the future.” Starting from the very beginning of an IoT device’s lifecycle, anyone making decisions that affect what IoT solution to build or procure should ask certain questions to can help inform their decisions.

Questions to ask before designing, building, or buying your IoT solution

There are many considerations that device operators should take into account when evaluating how government regulation may affect IoT decisions. These questions may not apply equally to every decision maker. However, through extensive conversations with customers, we’ve found that the following top five questions are a good starting point for most:

Where will my devices be used or sold, and what type of government actions on IoT security are in effect there?
Is my manufacturer/operator/supplier monitoring government actions on IoT security and how they affect my solution?
If my IoT solution consists of multiple elements from different suppliers, do I understand the responsibilities of each and whether the overall solution meets the bar for a particular certification/label/requirement?
Are there any industry or policy trends that might inform potential government actions where there are none today?
How effective are the requirements from any given certification/label/requirement at meeting my own security goals and at mitigating the risks my solution may be exposed to over its full lifetime?

It is also important to note that the questions above should not just be asked once, but throughout the full lifecycle of a device.

Securing IoT devices is a journey and not a destination

According to FireEye CEO Kevin Mandia, “you can’t play perfect defense every day.”[27] Meeting guidelines, standards, certifications, labels, and mandatory requirements is important, but it does not ensure that a device is impenetrable. Regulations should not be the only factor when assessing the security of a connected device. Security needs can differ and should always be assessed with the expected use cases and associated risks, in addition to any action governments may take. What is highly secured today, is not necessarily tomorrow. Taking that into account when a decision is made can help improve security and durability of IoT devices.

In talking to customers, we’ve found that most look at the geographical distribution of devices in use as a guide for assessing how government actions will affect their solutions. In future blog posts in this series, we will dive deeper into specific regions and cover their government actions in more detail. Stay tuned!

At Azure Sphere, our goal is to always listen to our customers' needs and learn how we can address them. If you would like to speak to our team about this topic and our solution, feel free to contact us at azuresphereresearch@microsoft.com.

[1] For Manufacturers (csa.gov.sg) & Is the UK government’s new IoT cybersecurity bill fit for purpose? | TechCrunch

[2] Microsoft Digital Defense Report OCTOBER 2021, “SCADA” stands for “Supervisory Control and Data Acquisition”

[3] New cyber laws to protect people’s personal tech from hackers - GOV.UK (www.gov.uk)

[4] PSA_Certified_2021_full_report.pdf (psacertified.org)

[5] In some cases consumers can be the target audience as well, with educational campaigns and promotions on “don’t use weak passwords” for example in contrast to the engineering/developer audience.

[6] Code of Practice for Consumer IoT Security - GOV.UK (www.gov.uk)

[7] NISTIR 8259 Series | NIST

[8] NISTIR 8259, Foundational Cybersecurity Activities IoT Device Manufacturers | CSRC

[9] Convergent Evolution: SP 800-213, the Federal Profile, and the IoT Cybersecurity Catalog | NIST

[10] EN 303 645 - V2.1.1 - CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements (...

[11] Information security requirements for smart devices: are companies ready? | Traficom

[12] Finland becomes the first European country to certify safe smart devices – new Cybersecurity label h...

[13] About (csa.gov.sg)

[14] Recommended Criteria for Cybersecurity Labeling of Consumer Software | CSRC (nist.gov)

[15] H.R.1668 - 116th Congress (2019-2020): IoT Cybersecurity Improvement Act of 2020 | Congress.gov | Li...

[16] Equipment Registration Framework - Infocomm Media Development Authority (imda.gov.sg)

[17] For Manufacturers (csa.gov.sg)