Page 35 - Security Today, May/June 2022
“Mandatory regulations usually include penalties and, in this case, could eventually prevent the sale of products within the regulating region.”
Cyber Attack (April 2021) [5]. In addition to activity at the federal level, other legislation in the United States is occurring at the state level [6, 7].
This growing trend of IoT security regulations seems unlikely to abate soon. Rather, governments are moving actively to address the risks that IoT devices present.
IOT DEFENSES
Different security defenses are required in many facets of the IoT to avoid exploitable weaknesses and to satisfy security requirements. Figure 2 identifies 10 areas, many of which are outlined in the UK CoP and other regulations. However, without the help of security experts, it is not realistic to expect IoT device manufacturers to know the right defenses to employ. Device manufacturers are experts, and even world leaders, in building equipment such as washing machines, cars, and other products. However, the required depth of knowledge in networked device security is not often readily available in their organizations
Figure 2 – A broad range of defenses exist to protect IoT devices.
Security hardware makes it easier for product manufacturers to design and produce secure IoT devices and makes it easier for users to install and use these devices. For example, Infineon offers a wide range of security hardware products, allowing the customer to choose the product that best meets the needs of their application.
Figure 3 shows the range of security features in Infineon’s AIROC™, Programmable System-On-Chip™ (PSoC®), OPTIGA™ Trust and OPTIGA™ TPM solutions.
Figure 3 – Infineon’s hardware-based security products span a range of capabilities.
HOW TO MEET THE TOUGHEST REGULATIONS
A careful look at the UK Code of Practice and NISTIR 8259A shows that many of the requirements are best met with hardware security. The choice of hardware over software-based security will not change with new legislation and regulations.
SECURITY FOR TODAY AND THE FUTURE
After years of attackers exploiting IoT device weaknesses, governments around the world are finally starting to take preventive action. With its intent “to ensure that products are secure by design,” the UK Code of Practice [1] provides excellent guidelines for what is needed to provide security in today’s IoT devices.
Thus, it is not surprising that these rules are being adopted in the European Union’s and Singapore’s regulations. Similar requirements are found in USA guidelines such as NISTIR 8259A. As demonstrated by NISTIR SP 800-213 and recent executive orders, these rules are tightening over time as more security is needed. To avoid premature product obsolescence, device manufacturers should adopt strong security solutions like the AIROC, PSoC and OPTIGA™ solutions that can be used to meet the increasingly stringent requirements for IoT security emerging from governments all around the world.
Doing the best job possible for designing an IoT product starts with hardware-based security to provide best-in-class security and preparation for the most rigorous security requirements — both today and in the future.
Steve Hanna is a distinguished engineer at Infineon Technologies.
References:
1. https://www.gov.uk/government/publications/code-of-practice-for-consumer-iot-security
2. https://www.nist.gov/news-events/news/2020/06/security-iot-device-manufacturers-nist-publishes-nistirs-8259-and-8259a
3. https://csrc.nist.gov/News/2021/updates-to-iot-cybersecurity-guidance-and-catalog
4. Executive order on improving the nation’s cybersecurity, and Security Memorandum on improving cybersecurity for critical infrastructure control systems: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
5. https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/national-security-memorandum-on-improving-cybersecurity-for-critical-infrastructure-control-systems/
6. https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB327
7. https://gov.oregonlive.com/bill/2019/HB2395/