Page 34 - Security Today, May/June 2022

Implementing Emerging Guidelines
Failure to meet regulations, guidelines may lead to regional sales loss
By Steve Hanna
Governments around the world are creating Internet of Things (IoT) security legislation and regulations designed to keep users safe in an increasingly connected world. Connectivity is good, in fact great, but bad things can happen to people with unprotected or poorly protected IoT devices. Failing to meet these regulations or guidelines may lead to the inability to sell products in a region and thus to lost revenue.
LAYERS FOR ATTACKS IN THE IOT
IoT security is necessary for all the things that connect to the internet to share data. This includes smart cars, smart cities and energy, smart industry, and the smart home and its numerous consumer devices. As shown in Figure 1, the IoT architecture consists of three layers:
• Devices that send and receive data and commands
• A network that conveys data and commands
• Servers, or the cloud, that gather data, analyze it and send commands
Figure 1 - Every IoT layer is a potential area for an attack.
IOT SECURITY REGULATIONS
To prevent attacks, countries and regions around the world are creating IoT security guidelines and regulations.
In 2018, the United Kingdom’s Department for Digital, Culture, Media & Sport published its Code of Practice for Consumer IoT Security (“CoP”) [1]. These 13 guidelines, listed in Table 1, identify good practices for IoT security. The UK is now considering making their current recommendations mandatory.
Table 1. The 13 Guidelines in the UK Code of Practice for Consumer IoT Security [1].
1. No default passwords
2. Implement a vulnerability disclosure policy
3. Keep software updated
4. Securely store credentials and security-sensitive data
5. Communicate securely
6. Minimize exposed attack surfaces
7. Ensure software integrity
8. Ensure that personal data is protected
9. Make systems resilient to outages
10. Monitor telemetry data
11. Make it easy for consumers to delete personal data
12. Make installation and maintenance of devices easy
13. Validate input data
At this point, the CoP is perhaps the best-established and most targeted guidelines. In 2020, the guidelines were adopted as an international standard: ETSI EN 303 645. The European Union (EU) has announced that it will adopt these guidelines and make them mandatory. Singapore and Finland have also adopted consumer IoT cybersecurity regulations and labeling schemes.
Although these schemes were initially voluntary, they are gradually becoming mandatory. As attacks and problems mount, more countries will likely adopt these guidelines and make them mandatory. Mandatory regulations usually include penalties and, in this case, could eventually prevent the sale of products within the regulating region.
In May 2020, the U.S. National Institute of Standards and Technology (NIST) released information report (IR) NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline [2]. This document provides baseline cybersecurity best practices and guidance for IoT device manufacturers. Table 2 shows the six capabilities recommended by this document.
Table 2. Device cybersecurity recommendations identified in NISTIR 8259A.
1. Unique logical and physical IDs
2. Only authorized entities can change device configuration
3. Protect stored and transmitted data from unauthorized access and modification
4. Restrict access to local and network interfaces, protocols and services
5. Permit software and firmware updates using a secure, configurable mechanism
6. Report device cybersecurity state to authorized parties
In December 2020, the IoT Cybersecurity Improvement Act of 2020, previously approved by both Houses of Congress by unanimous consent, was signed into law by the president. This unprecedented unity to address a national security problem in these contentious times confirms its importance and the confidence in the solution.
The provisions contained in this bill direct NIST to develop guidelines for security of IoT devices purchased by the government. It also directs the Office of Management and Budget to develop rules for agencies to follow when they purchase IoT devices in the future. In November 2021, NIST released their guidelines as NIST SP 800-213 [3] and NIST SP 800-213A. Essentially, these guidelines say that IoT devices must meet all of the usual government cybersecurity requirements, subject to an analysis of the risks and countermeasures present in the particular context.
Two other U.S. cybersecurity requirements were implemented by the executive branch in response to major attacks. One was developed in response to the SolarWinds cybersecurity attack (discovered Dec 13, 2020) [4]. The other was the response to the Colonial Pipeline