IoT Regulation: The Carrot and the Stick
Security is a real concern for consumers when it comes to the Internet of Things (IoT): connected devices have time and again succumbed to a litany of attacks because of weak protection mechanisms and unpatched vulnerabilities. Yet vendors remain slow to implement the 13 guidelines in the UK DCMS Secure by Design Code of Practice, published back in 2018, which aligns with the international standard ETSI EN 303 645.
To help boost uptake, the UK Department for Digital, Culture, Media and Sport put out a tender to the industry to devise a scheme that would incentivise manufacturers to demonstrate proactive security compliance to their customers. The result was the IASME IoT Security Assured scheme, which offers three levels of compliance – Basic, Silver and Gold – in a bid to encourage the industry to take action. Those meeting the criteria can then display the associated badge on their products, reassuring customers. It is the carrot, if you will, ahead of the legislation expected to be brought in next year under the Product Security and Telecommunications Infrastructure (PSTI) Bill.
Avoid the stick
The PSTI Bill has two parts: one covers the secure design of consumer connectable products (the IoT), the other the rollout of gigabit-capable broadband and 5G networks. The product security part will compel manufacturers, importers and distributors to observe three key elements of the secure by design framework. They must not ship devices with universal default passwords, they must publish a vulnerability disclosure policy, and they must state the minimum period for which the product will receive security updates. These are the top three security controls in the Code of Practice/ETSI EN 303 645, and they will become mandatory, making the Bill very much the stick in this scenario.
The IASME scheme maps directly onto all three of these frameworks. Basic aligns with the PSTI requirements, i.e. the top three provisions of the ETSI standard; Silver with the ETSI mandatory requirements plus data protection provisions; and Gold with all of the above as well as the additional ETSI recommended requirements and data protection provisions. This makes it an ideal vehicle to help vendors prepare for the regulations, but how well has it been adopted?
To date, every participant we have seen sign up has gone for Gold, even though they would have met the forthcoming requirements had they done the bare minimum and chosen the Basic criteria. While many of those taking part are global brands, even smaller players have plumped for the highest accolade, suggesting that participants recognise the value of being able to differentiate themselves this way in a crowded marketplace.
Another key reason for the enthusiasm with which the scheme has been met is that it is relatively easy to complete. The process is self-led, and the vendor has six months in which to complete the application. An assessor then reviews the vendor's claims and can, in theory, approve the submission within 24 hours. But uptake is, of course, voluntary, which means some vendors will only comply with the PSTI security demands when forced to do so.
Enforcement of the regulations
It is not yet clear how the PSTI will be enforced, or by which authority. The Bill gives the Secretary of State the power to enforce the resulting Act and its regulations and to delegate that power to a regulatory authority; the expectation is that this will fall to the Office for Product Safety and Standards (OPSS), which sits within the Department for Business, Energy and Industrial Strategy (BEIS). Akin to the powers under GDPR, the regulator will be able to fine non-compliant businesses up to £10 million or 4% of worldwide turnover, whichever is greater.
However, enforcement is still likely to be a highly complex affair because of the convoluted supply chains in the IoT industry. Most devices are manufactured abroad, which means it could well fall to importers and distributors to police their suppliers and ensure the security requirements are met. If they are found in breach, we could then see some messy legal wrangling as they attempt to sue suppliers further back along the chain.
At this stage we simply do not know how things will play out, which is why it makes sense for those in the sector to act responsibly now and do their due diligence. Those with international operations may also be able to reuse the same security testing in other markets, because the badge approach we have seen rolled out by IASME here is also being adopted in other countries.
In the US, for instance, NIST has been tasked with laying the groundwork for a similar scheme, although it expects a separate body to be appointed to run it. In its Recommended Criteria for Cybersecurity Labeling for Consumer IoT Products, published back in February, it set out some of the central tenets, which include a declaration of conformity, third-party testing/inspection and third-party certification as conformity assessment options. What is interesting is that the document builds on NISTIR 8259, a series of documents that baseline cybersecurity capabilities for IoT devices from an analysis of international standards and guidance, so IASME is likely to have been assessed alongside other schemes.
However, unlike IASME, NIST has recommended an 'outcome-based' assessment and just a single-level 'seal of approval'. Whether further tiers will be incorporated has yet to be decided, and there is also scope to align the programme with other international standards in the interests of 'harmonisation'. The NIST criteria attempt to meet the needs of a wide range of IoT products and use cases, which raises the question of whether, in trying to be all things to everyone, the label will lose its potency.
What is fascinating is that all these initiatives could herald a new dawn in IoT security. We may even see the emergence, eventually, of a global standard akin to the ISO standards used in GRC. Only time will tell, but in the meantime the message is clear: if you want to get ahead of the game, protect your operations and score some points with the regulator, embrace these schemes. Getting compliant today could well help insure the business against future risk and allow you to take advantage of any convergence that does then happen.
David Adams is a GRC Consultant at Prism Infosec with specific expertise in governance, risk and compliance (GRC). He oversees cyber security incident exercise training and compliance with numerous industry standards. David has over 16 years' experience in cyber security and is a CISSP, ISO 27001 Lead Auditor, GDPR Practitioner, and an IASME Cyber Essentials assessor/IoT assessor.