<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Anna Marton, Safepay Systems, Author at IoTAC</title>
	<atom:link href="https://iotac.eu/author/martonstolpan-com/feed/" rel="self" type="application/rss+xml" />
	<link>https://iotac.eu/author/martonstolpan-com/</link>
	<description>Internet of Things Access Control</description>
	<lastBuildDate>Sun, 12 Dec 2021 16:05:24 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.2.9</generator>

<image>
	<url>https://iotac.eu/wp-content/uploads/2020/11/cropped-favicon-32x32.jpg</url>
	<title>Anna Marton, Safepay Systems, Author at IoTAC</title>
	<link>https://iotac.eu/author/martonstolpan-com/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Protecting Consumers of IoT Products from Cyber Threats &#8211; Latest Legislation from around the Globe</title>
		<link>https://iotac.eu/protecting-consumers-of-iot-products-from-cyber-threats-latest-legislation-from-around-the-globe/</link>
					<comments>https://iotac.eu/protecting-consumers-of-iot-products-from-cyber-threats-latest-legislation-from-around-the-globe/#respond</comments>
		
		<dc:creator><![CDATA[Anna Marton, Safepay Systems]]></dc:creator>
		<pubDate>Fri, 10 Dec 2021 16:03:31 +0000</pubDate>
				<category><![CDATA[Insights]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[zero trust]]></category>
		<guid isPermaLink="false">https://iotac.eu/?p=8895</guid>

					<description><![CDATA[<p>The post <a href="https://iotac.eu/protecting-consumers-of-iot-products-from-cyber-threats-latest-legislation-from-around-the-globe/">Protecting Consumers of IoT Products from Cyber Threats &#8211; Latest Legislation from around the Globe</a> appeared first on <a href="https://iotac.eu">IoTAC</a>.</p>
]]></description>
										<content:encoded><![CDATA[
		<div id="fws_69f47e3a81cc8"  data-column-margin="default" data-midnight="dark"  class="wpb_row vc_row-fluid vc_row top-level standard_section "  style="padding-top: 0px; padding-bottom: 0px; "><div class="row-bg-wrap" data-bg-animation="none" data-bg-overlay="false"><div class="inner-wrap"><div class="row-bg"  style=""></div></div><div class="row-bg-overlay" ></div></div><div class="row_col_wrap_12 col span_12 dark left">
	<div  class="vc_col-sm-12 wpb_column column_container vc_column_container col no-extra-padding inherit_tablet inherit_phone "  data-t-w-inherits="default" data-bg-cover="" data-padding-pos="all" data-has-bg-color="false" data-bg-color="" data-bg-opacity="1" data-hover-bg="" data-hover-bg-opacity="1" data-animation="" data-delay="0" >
		<div class="vc_column-inner" ><div class="column-bg-overlay-wrap" data-bg-animation="none"><div class="column-bg-overlay"></div></div>
			<div class="wpb_wrapper">
				
<div class="wpb_text_column wpb_content_element " >
	<div class="wpb_wrapper">
		<p>During the past weeks, on both sides of the Atlantic, important legislation has been in the pipeline that aims at making consumer IoT products more cyber-secure.</p>
<h4><strong>EU: Delegated Act to the Radio Equipment Directive </strong></h4>
<p>On 29 October 2021, the European Commission adopted the Delegated Act on Cybersecurity to the Radio Equipment Directive (RED), which aims to improve the cybersecurity of wireless devices available on the European market. To defend consumers from cyber threats and protect their privacy and personal data, the act lays down new legal requirements for cybersecurity safeguards, which manufacturers will have to take into account in the design and production of the products concerned. The act is a step towards establishing a comprehensive set of common European cybersecurity standards for wireless products (including connected objects) and services.</p>
<p>The proposed measures cover wireless devices such as mobile phones, tablets and other products capable of communicating over the internet; toys and childcare equipment such as baby monitors; as well as a range of wearable equipment such as smartwatches or fitness trackers.</p>
<p>The delegated act will be complemented by a Cyber Resilience Act, aiming to cover more products, looking at their whole life cycle. Both acts are part of the new EU Cybersecurity Strategy that was presented in December 2020.</p>
<p>If no objection is raised by the European Parliament and the Council, the delegated act will enter into force at the end of December 2021, after which manufacturers will have a transition period of 30 months to start complying with the new legal requirements, i.e. the requirements will not become applicable before mid-2024, so as to respect the timelines of industrial processes. The delegated act will be applicable to any manufacturer that intends to place a product on the EU market.</p>
<p>The European Standardisation Organisations will be requested to develop the relevant standards the manufacturers will have to comply with. The standards will be developed with the participation of industry and will be assessed by the Commission against the essential requirements laid down by the EU legal framework.</p>
<p>Before placing their products on the EU market, manufacturers will either have to perform a conformity self-assessment – if their product has been designed in accordance with harmonised standards – or will have to get a third-party assessment performed by an independent inspection body, regardless of whether or not a harmonised standard was used.</p>
<p>The delegated act only sets out essential requirements. Manufacturers are free to choose the technical specification to comply with the legal requirements. National Market Surveillance Authorities will be responsible for ensuring that only safe and compliant products are placed on the market.</p>
<p>As the act will not apply to devices that come to market before it comes into force in mid-2024, it will take quite some time before European consumers are widely protected against cyber threats.</p>
<p>The full text of the delegated act can be downloaded from: <a href="https://ec.europa.eu/growth/system/files/2021-10/C_2021_7672_F1_COMMISSION_DELEGATED_REGULATION_EN_V10_P1_1428769.PDF">https://ec.europa.eu/growth/system/files/2021-10/C_2021_7672_F1_COMMISSION_DELEGATED_REGULATION_EN_V10_P1_1428769.PDF</a>.</p>
<h4><strong>United Kingdom: Product Security and Telecommunications Infrastructure (PSTI) Bill</strong></h4>
<p>On 24 November 2021, the UK government introduced the Product Security and Telecommunications Infrastructure (PSTI) Bill to the UK Parliament.</p>
<p>Part 1 of the bill covers the <strong>Product Security</strong> measures. It aims to protect consumers of all connectable products from cyber harm such as loss of privacy and personal data.</p>
<p>Under the bill, a consumer connectable product is an internet-connectable or network-connectable product, such as smart TVs, smartphones and speakers, children’s toys and baby monitors, safety-relevant products such as smoke detectors and door locks, wearable fitness trackers, home automation and alarm systems, and connected appliances such as washing machines, fridges and smart home assistants. Any “connectable” product will be subject to the new rules. The only major exemption is for desktop and laptop computers, as they are served by a mature antivirus software market.</p>
<p>The security requirements will:</p>
<ul>
<li>Ban the use of default passwords. All devices must come with unique passwords and must not be resettable to any universal factory setting.</li>
<li>Require manufacturers to alert customers at the point of sale, and keep them updated, about how long a product will receive vital security updates and patches. If there are no such plans in place, that must also be disclosed.</li>
<li>Require products to have a vulnerability disclosure policy. A point of contact must be made available to make it easier for security researchers and others to report when they discover flaws and bugs in products.</li>
</ul>
<p>The law will apply not only to manufacturers but also to other businesses including both physical shops and online retailers. Retailers will be forbidden from selling products to UK customers unless they meet the security requirements and will be required to pass on to customers important information about security updates.</p>
<p>The new cyber security regime will be overseen by a regulator, which will be designated once the bill comes into force and will have the power to fine companies for non-compliance up to £10 million or four per cent of their global turnover, as well as up to £20,000 a day in the case of an ongoing contravention.</p>
<p>Once the bill passes both houses and receives royal assent, the government will provide at least 12 months’ notice to enable manufacturers, importers and distributors to adjust their business practices before the legislative framework fully comes into force.</p>
<p>Part 2 of the bill covers the <strong>Telecommunication Infrastructure</strong> measures and will make changes to the Electronic Communications Code, providing the necessary legal reforms to support the nationwide rollout of 5G networks.</p>
<p>The full text of the bill can be downloaded from: <a href="https://bills.parliament.uk/publications/43895/documents/1050">https://bills.parliament.uk/publications/43895/documents/1050</a>.</p>
<h4><strong>USA: National Institute of Standards and Technology (NIST) &#8211; Cybersecurity Labelling for Consumers: Internet of Things (IoT) Devices and Software</strong></h4>
<p>On 12 May 2021, President Biden signed an Executive Order to modernize and implement stronger cybersecurity standards, improve software supply chain security, and protect federal government networks.</p>
<p>Section 4 of the Executive Order directs the National Institute of Standards and Technology (NIST) to initiate two labelling programs: one that takes into account existing labelling programs on the cybersecurity capabilities of Internet-of-Things (IoT) consumer devices, and one on software development practices. NIST is also to consider ways to incentivize manufacturers and developers to participate in these programs. (The agency also received several other directives to enhance the security of the software supply chain.)</p>
<p>In August, NIST released a white paper for public comment recommending a draft set of potential baseline security criteria for IoT devices. On 2 December 2021, taking public feedback into account, NIST released a further discussion paper, “Consumer Cybersecurity Labelling for IoT Products: Discussion Draft on the Path Forward”. The paper identifies three key elements that could provide the foundation for an approach to a cybersecurity label for consumer IoT devices:</p>
<ul>
<li>What cybersecurity capabilities the product must demonstrate (Product Criteria)</li>
<li>How the information is provided (Labelling Recommendations)</li>
<li>How there can be confidence in the label (Conformity Assessment)</li>
</ul>
<p>These three elements combined form a labelling approach that provides information to consumers with appropriate assurance.</p>
<p>This latest discussion draft can be downloaded from: <a href="https://www.nist.gov/system/files/documents/2021/12/03/FINAL_Consumer_IoT_Label_Discussion_Paper_20211202.pdf">https://www.nist.gov/system/files/documents/2021/12/03/FINAL_Consumer_IoT_Label_Discussion_Paper_20211202.pdf</a>.</p>
<p>NIST is to publish details about the IoT cybersecurity criteria for a consumer labelling program (and the secure software development practices) by February 6, 2022.</p>
<p>IoTAC will assess the requirements defined in these documents and will adopt solutions and technologies that will let the IoTAC modules comply with the new regulations.</p>
	</div>
</div>




			</div> 
		</div>
	</div> 
</div></div>
]]></content:encoded>
					
					<wfw:commentRss>https://iotac.eu/protecting-consumers-of-iot-products-from-cyber-threats-latest-legislation-from-around-the-globe/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Zero Trust – moving from perimeter-based security to identity-driven security</title>
		<link>https://iotac.eu/zero-trust-identity-driven-security/</link>
					<comments>https://iotac.eu/zero-trust-identity-driven-security/#respond</comments>
		
		<dc:creator><![CDATA[Anna Marton, Safepay Systems]]></dc:creator>
		<pubDate>Thu, 09 Sep 2021 18:19:36 +0000</pubDate>
				<category><![CDATA[Insights]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[zero trust]]></category>
		<guid isPermaLink="false">https://iotac.eu/?p=8409</guid>

					<description><![CDATA[<p>The post <a href="https://iotac.eu/zero-trust-identity-driven-security/">Zero Trust – moving from perimeter-based security to identity-driven security</a> appeared first on <a href="https://iotac.eu">IoTAC</a>.</p>
]]></description>
										<content:encoded><![CDATA[
		<div id="fws_69f47e3a8394f"  data-column-margin="default" data-midnight="dark"  class="wpb_row vc_row-fluid vc_row standard_section "  style="padding-top: 0px; padding-bottom: 0px; "><div class="row-bg-wrap" data-bg-animation="none" data-bg-overlay="false"><div class="inner-wrap"><div class="row-bg"  style=""></div></div><div class="row-bg-overlay" ></div></div><div class="row_col_wrap_12 col span_12 dark left">
	<div  class="vc_col-sm-12 wpb_column column_container vc_column_container col no-extra-padding inherit_tablet inherit_phone "  data-t-w-inherits="default" data-bg-cover="" data-padding-pos="all" data-has-bg-color="false" data-bg-color="" data-bg-opacity="1" data-hover-bg="" data-hover-bg-opacity="1" data-animation="" data-delay="0" >
		<div class="vc_column-inner" ><div class="column-bg-overlay-wrap" data-bg-animation="none"><div class="column-bg-overlay"></div></div>
			<div class="wpb_wrapper">
				
<div class="wpb_text_column wpb_content_element " >
	<div class="wpb_wrapper">
		<p>While the Zero Trust model of cybersecurity was created by John Kindervag back in 2009, it has become a buzzword in recent years and more of a priority due to COVID-19 and the remote-work economy, as it offers an optimal way to address current security challenges in a cloud-first, work-from-anywhere world.</p>
<p><strong>What is Zero Trust?</strong></p>
<p>The traditional approach to cybersecurity is built on the concept that whatever is inside the corporate firewall can be trusted. Organizations protected themselves by putting a perimeter around their network: everyone inside the network was trusted, and everyone outside the network was not. The organizations were operating under the motto “Trust, but verify.” In the trust-but-verify model, trust is the default: once identity is verified, trust is assumed and access is granted. But identity credentials can be stolen, networks can be hacked, and it is impossible to know with certainty whether the originator of network traffic can truly be trusted. Perimeter-based security offers insufficient protection against the advanced persistent cyber threats targeting us today. Once an intruder is discovered in the system, it is already too late: if a hacker has breached the network, they have access to everything inside the perimeter.</p>
<p>John Kindervag, back then working as a security analyst with Forrester, created the concept of Zero Trust, which is based on the principle that no network user, packet, interface, or device—whether internal or external to the network—should be trusted. Zero Trust eliminates the concept of trust from the cybersecurity strategy, and every user, packet, network interface, and device is granted the same default trust level: zero. Users inside a network are no more trustworthy than users outside a network. Zero Trust assumes that all traffic in an organization’s network is threat traffic and restricts access to any data to those authorized only.</p>
<p>The concept of Zero Trust is <strong>“Never trust, always verify”.</strong> Networks should be designed without implicit trust, enforcing strict identity verification and access policies based on the least-privilege principle for every user, device, or application, regardless of whether they are located within the former local area network or somewhere on the Internet.</p>
<p>The verification process is one of the key aspects of Zero Trust: the end-user, the device, and the network from which they are requesting access are assumed hostile until proven otherwise. Every access request to a resource must be thoroughly evaluated, dynamically and in real time, against the access policies in place and the current state of credentials, device, application, and service, as well as other observable behaviour and environmental attributes, before access may be granted. A user may be verified and granted access to a specific resource, but all other resources are kept invisible (“blacked out” or “dark”) to them, and the user will need to be re-verified to access another resource. This continuous review prevents bad actors from moving laterally from compromised systems within network environments.</p>
<p><strong>Identity is the new perimeter</strong></p>
<p>With widespread mobile access and cloud computing, organization perimeters have dissolved, and organizations can no longer assume that users in a network should be trusted. A perimeter is needed around every user who accesses data in the organization. In today’s digital landscape, <strong>identity is the new perimeter.</strong></p>
<p>Identity and Access Management (IAM) policies and technologies become central to controlling users, devices, data, and networks, as they provide visibility and control over which users have access to what resources and minimize risks such as compromised credentials or incorrect provisioning or authentication.</p>
<p>By extending the network-centric focus to areas such as Identity and Access Management and Privileged Access Management (PAM), among others, Forrester analyst Dr Chase Cunningham coined the term Zero Trust eXtended (ZTX) Ecosystem in 2017.</p>
<p>Identity-first security is also listed as one of the eight security and risk trends of this year in Gartner’s recent “Top Security and Risk Trends for 2021”<sup>1</sup>.</p>
<p><strong>NIST “Zero Trust Architecture”</strong></p>
<p>In 2015 a data breach at the U.S. government Office of Personnel Management (OPM) exposed 22.1 million records of personally identifiable information of people who had undergone background checks. This was one of the largest breaches of U.S. government data in history and sparked initiatives to improve and modernize the U.S. government’s security framework.</p>
<p>In August 2020, NIST, the US National Institute of Standards and Technology, published <a href="https://www.kuppingercole.com/blog/tolbert/a-look-at-nists-zero-trust-architecture">Special Publication 800-207 “Zero Trust Architecture”</a>, with the goal of securing U.S. government information systems and infrastructures. The document formulates the following definition: <em>“Zero Trust (ZT) provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. Zero trust architecture (ZTA) is an enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan.”</em><sup>2</sup></p>
<p><strong>Zero Trust for IoT/OT device security</strong></p>
<p>IoT/OT device security is one of the hardest problems to solve within the enterprise. The IoT device explosion has introduced a massive area of potential compromise for networks and enterprises.</p>
<p>This has led to a reconsideration of the concept of identity &#8211; every connected thing has an identity and must be under scrutiny within the Zero Trust framework. But truly understanding every device requires much more than simply identifying its IP address, manufacturer, and model number – comprehending business context, traffic flows and risk potential is essential.</p>
<p><strong>Implementing a Zero Trust model</strong></p>
<p>The Zero Trust concept requires a major shift in many aspects of an organization’s IT (and business processes), which cannot be completed overnight. Organizations therefore work to implement a Zero Trust architecture built around identity-driven security practices, i.e. they integrate the security architecture with an IAM solution.</p>
<p>For the whitepaper “The State of Zero Trust Security 2021”<sup>3</sup>, OKTA conducted a survey of 600 security decision-makers at global companies across multiple industries and asked which other tools they have integrated or plan to integrate with their IAM system. The survey found that the most common integrations in place today were endpoint protection (EMM) and cloud access security brokers (CASB), at 77% and 69% of companies respectively (see <em>Figure 1</em>). Most companies selected security information and event management (SIEM) as the most important tool to be integrated with IAM for supporting Zero Trust protection (see <em>Figure 2</em>).</p>
<p><img decoding="async" class="wp-image-8414 aligncenter" src="https://iotac.eu/wp-content/uploads/2021/09/Zero-Trust-figure-1.png" alt="" width="600" height="322" srcset="https://iotac.eu/wp-content/uploads/2021/09/Zero-Trust-figure-1.png 895w, https://iotac.eu/wp-content/uploads/2021/09/Zero-Trust-figure-1-300x161.png 300w, https://iotac.eu/wp-content/uploads/2021/09/Zero-Trust-figure-1-768x412.png 768w" sizes="(max-width: 600px) 100vw, 600px" /></p>
<p style="text-align: center;"><em>Figure 1 – OKTA Survey<sup>3</sup>: Tool Integration</em></p>
<p style="text-align: center;"><img decoding="async" loading="lazy" class="wp-image-8413 aligncenter" src="https://iotac.eu/wp-content/uploads/2021/09/Zero-Trust-figure-2.png" alt="" width="600" height="416" srcset="https://iotac.eu/wp-content/uploads/2021/09/Zero-Trust-figure-2.png 912w, https://iotac.eu/wp-content/uploads/2021/09/Zero-Trust-figure-2-300x208.png 300w, https://iotac.eu/wp-content/uploads/2021/09/Zero-Trust-figure-2-768x533.png 768w" sizes="(max-width: 600px) 100vw, 600px" /></p>
<p style="text-align: center;"><em>Figure 2 – OKTA Survey<sup>3</sup>: Most Important Tools to Integrate</em></p>
<p>Cyber-attacks today are identity-based and credential-based intrusions, against which perimeter-based security no longer provides protection. The solution is Zero Trust, with the “never trust, always verify” approach, and assigning just enough privilege at just the right time. This concept supports mobile and remote workers as well as the ever-growing number of IoT devices.</p>
<p>IoTAC, with its Front-End Access Control system, provides a tool that supports the Zero Trust paradigm, which is further enhanced by the complementary runtime security modules of the overall architecture: the secure IoT gateway, the AI-based attack detection module, the honeypot and the runtime monitoring system.</p>
<p>References:</p>
<ol>
<li>Gartner Top Security and Risk Trends for 2021 <a href="https://www.gartner.com/smarterwithgartner/gartner-top-security-and-risk-trends-for-2021/">https://www.gartner.com/smarterwithgartner/gartner-top-security-and-risk-trends-for-2021/</a></li>
<li>Zero Trust Architecture <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf">https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf</a></li>
<li>The State of Zero Trust Security 2021 <a href="https://www.okta.com/sites/default/files/2021-07/WPR-2021-ZeroTrust-070821.pdf">https://www.okta.com/sites/default/files/2021-07/WPR-2021-ZeroTrust-070821.pdf</a></li>
</ol>
	</div>
</div>




			</div> 
		</div>
	</div> 
</div></div>
]]></content:encoded>
					
					<wfw:commentRss>https://iotac.eu/zero-trust-identity-driven-security/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
