
IoT Cybersecurity Regulations and Standards | Pipeline Magazine

By: Thorsten Stremlau

Around the world, Internet of Things (IoT) devices continue to be the backbone of operations in most key industries. The benefits these devices bring to businesses are invaluable, as their continued popularity reflects. By 2027, more than 29 billion connected devices are expected to be online, a significant increase from the 17.08 billion in use today.

However, 56 percent of companies currently lack the awareness and expertise to adequately prepare for IoT-targeted cyberattacks. This should be a major cause for concern, not least because such attacks are expected to increase by around 400 percent between 2022 and 2023. If companies lack the skills to protect themselves from attacks, then the responsibility for providing the necessary level of cybersecurity protection falls on device manufacturers.

Fortunately, action has been taken around the world to ensure that manufacturers take their responsibilities seriously. Governments and regulators have introduced a number of key pieces of legislation and regulations to increase the security of IoT devices in their markets.

In March 2024, the U.S. Federal Communications Commission (FCC) introduced a voluntary labeling program for wireless IoT products. This includes the U.S. Cyber Trust Mark, which will be visible on consumer wireless technologies that meet the FCC’s rigorous standards. Approved products will also display a QR code that leads to detailed security information, such as whether software patches are automatic.

Devices that meet the Cyber Trust Mark criteria include home security cameras, voice-controlled shopping devices, internet-connected appliances, fitness trackers and garage door openers.

You only need to look at the news to see why. In 2023, Ring was accused of failing to implement necessary security measures in a $5.6 million lawsuit by the Federal Trade Commission. As a result, hackers were able to take control of customer accounts, affecting over 117,000 consumers. Before this incident, over 60 million records were exposed through an unsecured fitness tracking database. The FCC aims to thwart such incidents with the Cyber Trust Mark.

For IoT devices used in healthcare, there is another important piece of legislation: the Protecting and Transforming Cyber Health Care (PATCH) Act.

Healthcare facilities remain a prime target for attacks, and 2023 set two unfortunate records: the most data breaches and the most breached records. The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) recorded 725 reported data breaches and 133 million exposed records that year, and 79.7 percent of all data breaches in the sector resulted directly from hacking attempts.

To better protect sensitive patient data, the U.S. Congress passed the PATCH Act in March 2023. The act, which aims to provide a better framework for cybersecurity measures, authorizes the U.S. Food and Drug Administration (FDA) to take more aggressive action against manufacturers that are not proactive in terms of cybersecurity.

Manufacturers developing new IoT solutions for the healthcare sector must now submit details of their processes to the FDA so that any vulnerabilities can be identified and mitigated before they go to market. They must also disclose a Software Bill of Materials (SBOM), which details all the components in a device, whether it’s commercial, open source, or anything in between.

SBOMs remain an overlooked piece of security. By checking an SBOM against catalogs of known exploited vulnerabilities, companies can see whether any components in their own devices are vulnerable. Yet fewer than 20 percent of organizations mandated SBOMs as part of their engineering practices in 2022. By making SBOMs mandatory under the PATCH Act, Congress is effectively requiring companies to familiarize themselves with these inventories and giving them more responsibility for protecting end users.
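The check described above, cross-referencing the components listed in an SBOM against a catalog of known exploited vulnerabilities, as an added example that is not from the article or any regulator's tooling. The SBOM follows the CycloneDX JSON layout (`bomFormat`, `components`, `purl`); the catalog entries, their `affected_before` version bounds and all CVE identifiers are constructed placeholders, and matching on the component name alone is a simplification (real tooling matches on purl or CPE and vendor as well).

```python
"""Cross-reference SBOM components against a known-exploited-vulnerability catalog.

Added example, not code from the original article. The SBOM uses the
CycloneDX JSON layout; the catalog rows and CVE ids below are constructed
sample data, not real advisories.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed SBOM for a fictional IoT device (CycloneDX layout).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1k",
         "purl": "pkg:generic/openssl@1.1.1k"},
        {"type": "library", "name": "busybox", "version": "1.36.1",
         "purl": "pkg:generic/busybox@1.36.1"},
        {"type": "firmware", "name": "vendor-bootloader", "version": "2.4"},
    ],
})

# Constructed catalog: placeholder CVE ids, each with the first fixed version.
SAMPLE_CATALOG: List[Dict[str, str]] = [
    {"cve": "CVE-0000-0001", "product": "openssl", "affected_before": "1.1.1l"},
    {"cve": "CVE-0000-0002", "product": "busybox", "affected_before": "1.35.0"},
    {"cve": "CVE-0000-0003", "product": "zlib", "affected_before": "1.2.12"},
]


def version_key(version: str) -> Tuple[Tuple[int, object], ...]:
    """Turn '1.1.1k' into a comparable tuple.

    Numeric runs compare as integers and alphabetic runs as strings, so
    1.1.1k < 1.1.1l and 1.35.0 < 1.36.1. A bare '1.1.1' sorts before
    '1.1.1a', which matches OpenSSL's letter-suffix scheme; other
    vendors' schemes may need their own comparator.
    """
    parts = []
    for tok in re.findall(r"\d+|[A-Za-z]+", version):
        parts.append((0, int(tok)) if tok.isdigit() else (1, tok))
    return tuple(parts)


def load_components(sbom_json: str) -> List[Dict[str, str]]:
    """Parse a CycloneDX JSON document and return components with name and version."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX JSON SBOM")
    return [c for c in bom.get("components", [])
            if "name" in c and "version" in c]


def find_known_exploited(sbom_json: str,
                         catalog: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (component, version, cve) for every component below a catalog's fix version."""
    hits = []
    for comp in load_components(sbom_json):
        name = comp["name"].lower()
        for entry in catalog:
            if entry["product"].lower() != name:
                continue
            if version_key(comp["version"]) < version_key(entry["affected_before"]):
                hits.append((comp["name"], comp["version"], entry["cve"]))
    return hits


if __name__ == "__main__":
    for name, version, cve in find_known_exploited(SAMPLE_SBOM, SAMPLE_CATALOG):
        print(f"{name} {version}: listed in catalog under {cve}")
```

Run against the constructed data, only the OpenSSL component is flagged: BusyBox 1.36.1 is already past the fixed version and the bootloader has no catalog entry at all, which is exactly the gap a name-only match leaves and why production tooling should also carry purl or CPE identifiers for proprietary components.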

Recent attacks have also highlighted the need for greater security for IoT devices sold across Europe, with attacks targeting everything from electric vehicle charging ports and communications equipment on trains to smart TVs and other consumer devices.

Due to the increasing number and complexity of hacking attempts, the European Commission (EC) introduced Directive 2014/53/EU to establish a regulatory framework for radio equipment. The Radio Equipment Directive (RED) sets out basic requirements that device manufacturers must meet in order to sell their products in the European Union (EU). Despite a short postponement, the RED is expected to become mandatory for any type of device that transmits or receives radio signals. For example, 4G/LTE/5G and Wi-Fi enabled devices, as well as radio, television,