IoT Security Regulations: Compliance Checklist – Part 1

The Internet of Things (IoT) refers to a global network of physical devices connected to the Internet that are capable of collecting and sharing data. IoT devices range from everyday household items to advanced industrial tools. By integrating sensors and communications equipment, IoT bridges the gap between the physical and digital worlds, creating environments where smart devices operate interconnectedly and autonomously.

The growth of the Internet of Things is driven by the increasing availability of affordable computing power and connectivity, advances in data analytics and artificial intelligence, and the cost-effectiveness of data storage. As a result, IoT has spread to smart home products, health monitoring, smart transportation, and optimized manufacturing processes.

This two-part series will examine existing IoT regulations from different countries. Part 2 will explore methods for achieving security compliance with these regulations in mind.

Current IoT security regulations

IoT security guidelines, cybersecurity frameworks, and regulatory requirements aim to protect IoT systems and their users from cybersecurity threats. They seek to ensure that IoT devices, networks and data processing practices are secured against unauthorized access, manipulation or attack. Some countries have regulations or government guidelines that specifically address IoT devices, while others have general cybersecurity laws that also apply to IoT devices.

Various regulations address risks related to device security, data privacy, and network integrity. As IoT technology permeates various sectors, consistent regulatory practices are essential to prevent large-scale security vulnerabilities.

All of these regulations share common themes: they require minimum security measures, promote best practices in design and development, and require regular updates and revisions. They also provide for compliance checks and penalties for lapses, creating a structured environment conducive to more secure IoT deployments.

Main IoT security regulations by region

North America

US IoT Cybersecurity Improvement Act of 2020

The IoT Cybersecurity Improvement Act of 2020 is the first US law to specifically address the security of IoT devices. Under the Act, an IoT device is defined as a device that has at least one sensor or actuator capable of interacting with the physical environment, at least one network interface, and the ability to operate on its own rather than only as a component of a larger system. Notably, the Act does not apply to conventional IT devices such as smartphones and laptops.

A critical component of this legislative effort is the guidance developed by NIST, specifically the NIST SP 800-213 series. This series includes the IoT Device Cybersecurity Guidelines for the Federal Government and the IoT Device Cybersecurity Requirements Catalog. The latter offers a detailed framework that aligns with broader cybersecurity standards such as SP 800-53 and the Cybersecurity Framework. These guidelines have been refined through extensive public feedback and collaboration, emphasizing a commitment to evolving IoT security standards that are practical and adaptable to a variety of federal applications.

Importantly, the Act prohibits federal agencies from acquiring or using IoT devices that do not comply with the NIST standards.

Canada’s Personal Information Protection and Electronic Documents Act

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s primary legislation governing how private sector organizations manage personal information in commercial activities. PIPEDA covers a broad spectrum, applying not only to businesses engaged in commercial transactions, but also to the personal information of employees in federally regulated industries. It defines “personal data” broadly and requires that this information be processed in a way that respects an individual’s privacy.

In the context of the Internet of Things (IoT), PIPEDA imposes specific requirements to ensure that organizations comply with the principles of accountability and consent and limit the use, disclosure and retention of personal data collected through IoT devices. These requirements oblige manufacturers and operators of IoT devices to establish stringent data protection measures, be transparent about their data practices, and ensure that individuals have the right to access and control their personal data.

Europe

EU Cybersecurity Act

The EU Cybersecurity Act, adopted in 2019, gives ENISA (the EU Agency for Cybersecurity, formerly the EU Agency for Network and Information Security) a permanent mandate for cybersecurity in the EU and establishes a European cybersecurity certification framework. The framework assesses the security of information and communications technology (ICT) products, services and processes across the EU. By standardizing cybersecurity measures, the Act addresses the fragmentation of cybersecurity standards across EU member states.

For IoT devices, the EU Cybersecurity Act introduces a comprehensive certification framework that divides ICT products, including IoT, into three assurance levels: basic, substantial and high. Each level specifies the rigor of the assessment required – from technical documentation review to advanced penetration testing – to ensure that IoT products meet EU-wide security standards. This harmonization reduces the regulatory compliance burden across EU markets while ensuring that IoT devices are secure by design and resistant to cyber threats throughout their lifecycle. The Act also expects certified IoT products to be kept patched and free of known security vulnerabilities.

Cyber Resilience Act

The Cyber Resilience Act, introduced by the European Commission in September 2022, is a regulatory proposal aimed at raising the cybersecurity standards of IoT devices and related services on the European market. The Act sets ambitious goals: to establish a single European cybersecurity governance framework, increase manufacturer responsibility for the security of devices from design through the entire product lifecycle, improve the transparency of cybersecurity practices, and ensure access to secure products for both consumers and businesses.

For IoT devices, the Cyber Resilience Act imposes stringent compliance measures on manufacturers, starting with the requirement that all products with digital components bear the EU conformity mark. This mark signifies that the product meets the new, stringent cybersecurity standards set out by the Act.

Under the Cyber Resilience Act, manufacturers must ensure continued compliance even when products undergo significant updates or modifications. This includes an assessment of whether changes such as software updates or hardware repairs affect the device’s compliance with the established cybersecurity standards. Additionally, the Act covers importers and distributors, who are responsible for ensuring that only compliant products enter the European market.

Asia

China’s cybersecurity law

The Cybersecurity Law of the People’s Republic of China contains provisions aimed at protecting critical information infrastructure. The law enforces stringent measures to monitor and address cybersecurity threats, advocating a safe, orderly and resilient digital space, and it also emphasizes the importance of honesty in online conduct.

When it comes to the Internet of Things (IoT), the Cybersecurity Law imposes stringent obligations on network operators and manufacturers to ensure the security and stability of their services and devices throughout their lifecycle. This includes the obligation to comply with national standards, implement strong data protection measures and facilitate rapid response to cybersecurity incidents. IoT device manufacturers and service providers must also undergo regular security assessments and obtain mandatory certifications before entering the market.

Japan’s IoT security framework

In November 2020, Japan’s Ministry of Economy, Trade and Industry (METI) introduced the IoT Security Safety Framework. The framework aims to improve security measures both for individual devices and for the broader systems that integrate IoT technologies.

The framework introduced by METI establishes a multi-layered approach to IoT security, focusing on understanding and mitigating the risks that arise when IoT devices are integrated into larger networks. One important aspect is its emphasis on classifying systems by type (typology) and applying protection measures tailored to the specific threats emerging at the interface of cyberspace and physical space.

This methodical approach ensures that both new and existing IoT systems are equipped with appropriate security measures, promoting more secure deployment of IoT technologies across sectors in Japan. The framework serves as a guideline for developers and manufacturers to align their products and services with Japan’s national security standards.

IoT Security Certification (CIC)

On December 14, 2023, South Korea’s Ministry of Science and ICT (MSIT), together with the Korea Internet and Security Agency (KISA), signed a Memorandum of Understanding (MoU) with the Cyber Security Agency of Singapore (CSA) on mutual recognition of their IoT security certification schemes. Under this agreement, IoT devices in key sectors such as home appliances, transportation, finance, smart cities, medicine, manufacturing and communications will require certification to the agreed standards.

MSIT sets the certification standards for IoT technologies in these areas, covering device security from design through deployment. In South Korea, KISA is the designated testing agency responsible for issuing IoT security certificates, while in Singapore, CSA oversees the Cybersecurity Labelling Scheme (CLS), which serves a similar purpose. Both certification schemes aim to ensure that IoT products can effectively address security challenges, protect consumer data and maintain device integrity against potential cyber threats.

Australian IoT Code of Practice

The Australian Code of Practice: Securing the Internet of Things for Consumers, developed by the Department of Home Affairs, is a proactive measure to make IoT more secure across the country. Introduced as a voluntary set of measures, the Code of Practice aims to establish baseline security standards for IoT devices to protect Australian consumers. Recognizing that security features in IoT devices are often overlooked or underdeveloped, the Code stresses the need for robust cyber defenses against potential threats.

The Code of Practice is intended for industry stakeholders and covers thirteen principles, with a strong recommendation to prioritize the three most important ones for immediate benefit. These three principles are: eliminating default or weak passwords, publishing a vulnerability disclosure policy (for both IoT device manufacturers and service providers), and ensuring that IoT software is updated securely.
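As an added example that is not part of the original article or of the Code of Practice itself, the Python script below audits a constructed device configuration against those three priority principles: it flags factory-default and weak passwords, checks that a vulnerability disclosure policy is published, and verifies an update package for integrity, authenticity and anti-rollback before it would be applied. The configuration field names, the default-credential list, the password-strength thresholds, the vendor key and all device and firmware data are assumptions constructed for the example; HMAC-SHA256 stands in for the vendor's asymmetric update signature only because the Python standard library has no asymmetric primitive.

```python
"""Audit a consumer IoT device against the three priority principles of the
Australian Code of Practice. All data and field names are constructed
assumptions for this example, not a real vendor format."""
from __future__ import annotations

import hashlib
import hmac
import re

# Constructed sample of factory defaults of the kind printed in vendor manuals.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"),
    ("root", "root"), ("user", "user"),
}


def password_is_weak(password: str) -> bool:
    """Weak: under 12 characters, fewer than two character classes, or a single
    repeated character. The thresholds are assumptions for the demo."""
    if len(password) < 12:
        return True
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 2:
        return True
    return re.fullmatch(r"(.)\1*", password) is not None


def check_credentials(accounts: dict[str, str]) -> list[str]:
    """Principle 1: flag factory defaults first, then weak passwords."""
    findings = []
    for user, pw in accounts.items():
        if (user, pw) in DEFAULT_CREDENTIALS:
            findings.append(f"{user}: factory-default credential still set")
        elif password_is_weak(pw):
            findings.append(f"{user}: password fails strength rule")
    return findings


def check_disclosure_policy(url: str | None) -> list[str]:
    """Principle 2: a disclosure policy must exist and be served over HTTPS."""
    if not url:
        return ["no vulnerability disclosure policy published"]
    if not url.startswith("https://"):
        return ["disclosure policy must be served over HTTPS"]
    return []


def make_manifest(version: str, package: bytes, key: bytes) -> dict[str, str]:
    """Vendor side: bind version and package hash together under a signature.
    HMAC stands in for an asymmetric signature; a real device verifies with a
    vendor public key so no signing secret ever lives on the device."""
    sha256 = hashlib.sha256(package).hexdigest()
    signature = hmac.new(key, f"{version}|{sha256}".encode(), "sha256").hexdigest()
    return {"version": version, "sha256": sha256, "signature": signature}


def verify_update(package: bytes, manifest: dict[str, str],
                  installed_version: tuple[int, ...], key: bytes) -> list[str]:
    """Principle 3: integrity (hash), authenticity (signature) and anti-rollback
    (version not older than installed) are all checked before anything is applied."""
    findings = []
    digest = hashlib.sha256(package).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        findings.append("package hash does not match manifest")
    signed = f'{manifest["version"]}|{manifest["sha256"]}'.encode()
    expected = hmac.new(key, signed, "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["signature"]):
        findings.append("manifest signature invalid")
    if tuple(int(x) for x in manifest["version"].split(".")) < installed_version:
        findings.append("update is older than installed version (rollback)")
    return findings


def audit(device: dict, package: bytes, manifest: dict[str, str],
          vendor_key: bytes) -> dict[str, list[str]]:
    """Empty lists mean the device passes that principle."""
    return {
        "passwords": check_credentials(device["credentials"]),
        "disclosure": check_disclosure_policy(device.get("disclosure_policy_url")),
        "updates": verify_update(package, manifest,
                                 device["installed_version"], vendor_key),
    }


# Constructed sample data: a vendor key, a firmware image and two devices.
VENDOR_KEY = b"constructed-vendor-signing-key"
FIRMWARE = b"constructed-firmware-image-2.1.0"
MANIFEST = make_manifest("2.1.0", FIRMWARE, VENDOR_KEY)

NONCOMPLIANT_DEVICE = {
    "credentials": {"admin": "admin", "svc": "summer2024"},
    "disclosure_policy_url": None,
    "installed_version": (2, 0, 5),
}
COMPLIANT_DEVICE = {
    "credentials": {"admin": "Tq8#vL2m!pZ9xR"},
    "disclosure_policy_url": "https://vendor.example/security",
    "installed_version": (2, 0, 5),
}


def run_audits() -> dict[str, dict[str, list[str]]]:
    """The non-compliant device is also handed a package altered in transit."""
    return {
        "noncompliant": audit(NONCOMPLIANT_DEVICE, FIRMWARE + b"\x00",
                              MANIFEST, VENDOR_KEY),
        "compliant": audit(COMPLIANT_DEVICE, FIRMWARE, MANIFEST, VENDOR_KEY),
    }


if __name__ == "__main__":
    for name, result in run_audits().items():
        print(name, result)
```

The ordering in `verify_update` matters: the hash, signature and version checks all run and report before any installation step, so an operator sees every failed control rather than only the first, and a downgrade to an older signed image is rejected even though its signature is valid.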

In Part 2 of this series, the challenge of securing the IoT will be explored with these regulations in mind.
Editor’s note: The opinions expressed in this guest author’s article are solely those of the author and do not necessarily reflect the opinions of Tripwire.