This article appeared in Electronic Design and has been published here with permission.
IoT device security: a feature no more? Recently enacted and upcoming cybersecurity regulations and standards will significantly impact how these devices are designed.
Deployment of robust embedded device security has been slow as many IoT devices ship with incomplete or improperly implemented security. In the absence of regulations, manufacturers have largely been left to their own determination on when, what, and how to implement device-level security.
However, increases in the frequency and severity of hacking attacks are motivating governments to propose regulations to improve the security posture of IoT devices. 2022 accelerated the enactment of new standards and laws that will impact the design and deployment of IoT devices in 2023 and beyond.
Automotive Leads the Way
Automotive has been one of the earlier adopters of embedded cybersecurity with the advent of electric vehicles, autonomous driving, and software-defined vehicles. Even traditional internal combustion vehicles are increasingly connected and are prime targets for hackers.
Last year saw the UNECE R155 automotive cybersecurity regulation come into effect for new vehicle type approval. Aligned with the ISO/SAE 21434 standard, R155 requires the automotive supply chain to establish and certify cybersecurity management systems (CSMS), which are designed to assess risks, manage those risks through security by design, and secure each vehicle throughout its lifetime.
Compliance with this regulation is a key focus for all auto manufacturers selling into the European market and for their suppliers. 2023 is considered a critical year for broadly driving adoption across the automotive supply chain.
Intensifying IoT Cybersecurity
The U.S. government is bringing greater attention to IoT cybersecurity. For federal and supplier networks, Cybersecurity Maturity Model Certification (CMMC) requirements and implementation of NIST SP 800-171 and 800-53 have primarily focused on IT security. However, that’s now expanding to include IoT devices that handle government controlled unclassified information (CUI).
Network-connected equipment that was previously exempted from meeting cybersecurity requirements is now being required to implement access and management controls in addition to FIPS-validated encryption. While timetables for the enforcement of these mandates are still fluid, IoT device suppliers to U.S. federal organizations should be assessing their products and solutions for compliance with these mandates.
Medical Device Security
The FDA also took steps in 2022 to increase focus on security for medical devices by issuing a Cybersecurity in Medical Devices draft guidance update for premarket submissions. This guidance emphasizes that cybersecurity is a part of medical device safety and quality system regulations. It recommends that manufacturers implement a secure product-development framework that includes threat modeling, software bills of materials (SBOMs), security by design, and lifecycle management.
The FDA also recommends best-practice security controls such as authentication, authorization, cryptography, code/data/execution integrity, confidentiality, event detection/logging, resiliency, and updatability.
Then, in December 2022, the Consolidated Appropriations Act passed and included authorization for the FDA to regulate medical device cybersecurity. This law requires medical device manufacturers to submit security monitoring and maintenance plans, support device security lifecycles through software updates, and provide SBOMs for new devices. The FDA is currently studying these requirements and will be issuing updated guidance in 2023.
IoT Security Measures in the EU
2022 also saw the enactment of the U.K. Product Security and Telecommunications Infrastructure Bill, which will require IoT device manufacturers to no longer use default passwords, confirm how long security updates will be provided after the device is launched, and disclose known vulnerabilities.
Similarly, the EU proposed the European Cyber Resilience Act to improve security for all IoT devices sold in Europe where security isn’t currently mandated. This proposal requires that IoT devices ship with an “appropriate level of cybersecurity” enabled in their default configuration, prohibits the sale of products with known vulnerabilities, and requires that the impact of security incidents be minimized.
While both mandates leave the implementation of the needed security to be determined, these are critical first steps toward driving the adoption of broadly deployed security controls for IoT devices in Europe.
What About the Consumer?
Even the consumer markets are showing signs of increased attention to device cybersecurity. The U.S. government is currently in the definition phase for a Consumer IoT Product Labeling program that will provide security capabilities, recommended configuration, and long-term security maintenance for consumer IoT products.
On the industry side of the market, 2022 saw the approval of the Matter interoperability and security standard for smart-home devices. Matter-compliant devices have already begun to enter the market with wide support from consumer semiconductor and smart-home device manufacturers.
Conclusion
The proliferation of the broadly defined Internet of Things has brought a revolution in convenience, efficiency, information, and automation across nearly all aspects of our daily lives. However, these benefits bring greater risks to privacy, safety, and national security that are under daily attack.
Governments, device manufacturers, and even consumers are more focused on these risks than ever before as we all come to realize that basic security is no longer optional. We expect IoT device cybersecurity to accelerate in 2023 and throughout the upcoming years, with increasingly active government security regulations driving adoption broadly across the IoT device supply chain.