Building trust in the IoT
Although technology for the Internet of Things (IoT) is relatively new, it is being deployed at massive scale. The risks of trust being misplaced are extremely high, while building trust in IoT devices and ecosystems is challenging. A combination of hardware and software innovations, checklists, standards, certification schemes and legislation is now being applied to help build that trust. If these measures don’t work, the industry’s growth will be constrained.
Progress on building trust in IoT security through standards
One barrier to implementing IoT security to date has been the fragmentation of standards and regulations. This is now being addressed. For example, ETSI, an EU standards body, released the EN 303 645 IoT cybersecurity standard in June 2020 to establish a security baseline for consumer IoT devices and provide a basis for certification schemes. The standard has 13 provisions for device security and five provisions for data protection, as shown in the graphic.
As you can see, some of the standard’s provisions are basic: don’t ship product with default passwords, make sure there’s a way to report issues, keep software updated, secure personal data and make it easy to delete, etc.
America’s National Institute of Standards and Technology (NIST) is also working on IoT cybersecurity, focusing on the security and privacy needs of federal information systems. It recently published four documents on the topic.
SP 800-213 offers recommendations to help federal agencies integrate IoT devices into federal information systems. NISTIR 8259A defines baseline requirements for device cybersecurity, while NISTIR 8259B details non-technical support requirements such as documentation, training and customer feedback.
NISTIR 8259C describes a way to apply these baselines in an organisation to develop a cybersecurity profile for specific IoT device customers or applications. And NISTIR 8259D details the results of applying the NISTIR 8259C process within federal government.
A standard becomes valuable when it is put to work. Finland and Singapore each developed a labeling system for IoT devices that meets certification criteria defined in EN 303 645. Test and accreditation houses are offering testing and certification to the standard, and the Global Certification Forum, which promotes the testing of mobile and IoT products for network operators, is also offering accreditation.
ETSI’s work is backed by two organizations trying to ensure the security of consumer IoT devices.
The PSA Certified organization promotes a security framework and IoT assurance scheme designed to give device vendors better insights into their security coverage. PSA Certified promotes 10 security goals to guide IoT device design and inform the certification program, as shown in the graphic below.
IoT security is particularly challenging because devices are widely distributed into arbitrary locations, making it easier to hack them. PSA Certified suggests the use of a hardware Root of Trust (RoT), an immutable, uncopiable element in an IoT device’s silicon, to give an IoT device a unique identity. This unique identity can then underpin key security functions, such as trusted boot, cryptography, secure storage and attestation schemes.
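To make the chain from a hardware Root of Trust to a unique identity and then to attestation concrete, here is an added example that is not from the article, from PSA Certified or from ioXt. It models the RoT as an immutable per-device secret fixed at manufacture, derives an identity key from it, and has the device attest the firmware it booted to a verifier that was given the expected identity key and firmware measurement at provisioning. The secret, firmware images and key-derivation label are constructed values; the scheme uses a symmetric HMAC so it runs with the standard library only, whereas real attestation tokens use asymmetric device keys, but the challenge, measurement, signed-report, verify flow is the same.

```python
"""Simplified attestation built on a device-unique Root-of-Trust secret.

Added example (not from the article or from PSA Certified / ioXt). The RoT is
modelled as an immutable per-device secret; an identity key is derived from it
and used to authenticate a report that binds a verifier's challenge to the
firmware measurement taken at boot.
"""
import hashlib
import hmac
import secrets

# Constructed value standing in for the silicon RoT secret. In a real device it
# never leaves the chip; here it is a constant so the example runs offline.
ROT_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")

# Constructed firmware images: the genuine build and a tampered one.
GOOD_FIRMWARE = b"bootloader-v1.2 + app-v3.4 (constructed)"
TAMPERED_FIRMWARE = b"bootloader-v1.2 + app-v3.4 (constructed) + implant"


def derive_identity_key(rot_secret: bytes, label: bytes = b"device-identity") -> bytes:
    """Derive a per-device identity key from the RoT secret (HMAC as a simple KDF)."""
    return hmac.new(rot_secret, label, hashlib.sha256).digest()


def measure(firmware: bytes) -> bytes:
    """Measurement taken during trusted boot: the hash of the firmware image."""
    return hashlib.sha256(firmware).digest()


def attest(rot_secret: bytes, firmware: bytes, nonce: bytes) -> dict:
    """Device side: bind the verifier's nonce to the boot measurement and
    authenticate the report with the identity key."""
    key = derive_identity_key(rot_secret)
    fw_hash = measure(firmware)
    report = nonce + fw_hash
    return {
        "nonce": nonce,
        "fw_hash": fw_hash,
        "tag": hmac.new(key, report, hashlib.sha256).digest(),
    }


def verify(evidence: dict, expected_key: bytes, expected_fw_hash: bytes, nonce: bytes) -> str:
    """Verifier side: check freshness, then authenticity, then the measurement.
    Returns a verdict string so the caller can log why an attestation failed."""
    if not hmac.compare_digest(evidence["nonce"], nonce):
        return "replay"          # report was not produced for this challenge
    report = evidence["nonce"] + evidence["fw_hash"]
    expected_tag = hmac.new(expected_key, report, hashlib.sha256).digest()
    if not hmac.compare_digest(evidence["tag"], expected_tag):
        return "unknown-device"  # not authenticated by the identity we provisioned
    if not hmac.compare_digest(evidence["fw_hash"], expected_fw_hash):
        return "bad-firmware"    # authentic device, but not running known code
    return "ok"


def run_scenarios() -> dict:
    """Exercise the flow: genuine device, tampered firmware, cloned device, replay."""
    provisioned_key = derive_identity_key(ROT_SECRET)  # stored by the verifier at manufacture
    expected_fw = measure(GOOD_FIRMWARE)
    nonce = secrets.token_bytes(16)
    results = {}

    results["genuine"] = verify(attest(ROT_SECRET, GOOD_FIRMWARE, nonce),
                                provisioned_key, expected_fw, nonce)
    results["tampered"] = verify(attest(ROT_SECRET, TAMPERED_FIRMWARE, nonce),
                                 provisioned_key, expected_fw, nonce)
    # A clone that lacks the real RoT secret cannot produce a valid tag.
    clone_secret = bytes(16)
    results["clone"] = verify(attest(clone_secret, GOOD_FIRMWARE, nonce),
                              provisioned_key, expected_fw, nonce)
    # Replaying an earlier report against a fresh challenge is rejected.
    old_report = attest(ROT_SECRET, GOOD_FIRMWARE, nonce)
    results["replay"] = verify(old_report, provisioned_key, expected_fw, secrets.token_bytes(16))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:>8}: {verdict}")
```

The order of checks in `verify` matters for what a verifier learns: freshness first rules out replays cheaply, authenticity second establishes which device is speaking, and only then is the measurement compared, so a "bad-firmware" verdict can be trusted to come from a genuine device rather than from an impostor choosing what to report.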
Separately, the Internet of Secure Things (ioXt) Alliance is trying to build confidence in IoT products through standardised security and privacy requirements, product compliance programs and public transparency. It, too, is backing the use of hardware RoTs.
Progress on building trust in IoT security through legislation
Laws are also emerging to strengthen IoT security. IoT devices and ecosystems are already subject to significant data privacy and product liability regulation in many jurisdictions. Some of these have teeth, threatening fines, personal liability and even imprisonment for those responsible for security breaches, as well as the possibility of cease-and-desist orders, erasure of data, and product recalls. The European Union’s General Data Protection Regulation (GDPR), for example, specifies a maximum fine for breaches of up to €20 million, or 4% of global turnover, whichever is greater. Those who violate America’s Federal Trade Commission Act could face fines of $41,484 per violation, per day. And in Australia, the Privacy Act 1988 and the Notifiable Data Breaches Act 2017 require that organizations that suffer a data breach tell all the affected users about it.

IoT-specific legislation is also being introduced. In March 2019, the European Union adopted the Cybersecurity Act, which gives its Agency for Cybersecurity a permanent mandate and establishes an EU framework for cybersecurity certification.
California enacted a law in January 2020 to protect the privacy of personal information shared through connected devices. The bill requires that IoT device makers protect any information they collect and ensure that each has a unique password.
South Korea’s Personal Information Protection Act (PIPA) says that companies must take physical, technical and administrative measures to prevent personal information from being lost, stolen, leaked or tampered with. In February 2020, the Korea Internet and Security Agency published guidelines that applied the requirements of PIPA to the development of IoT ecosystems, particularly those that handle personal information.
In 2020, the U.S. enacted the Internet of Things Cybersecurity Improvement Act, which mandates the publication of guidelines on the use of IoT devices, a review of information-security policies, and the development of security vulnerability reporting guidelines. It also says that federal agencies can’t buy or use IoT devices if they don’t comply with the new standards and guidelines. In May 2021, President Joe Biden signed an executive order calling for better information sharing between the government and private sector on security breaches, updated cybersecurity standards in the federal government, better software supply-chain security, the establishment of a cybersecurity review board and a standard approach to cyber incidents, and better detection of cybersecurity incidents on federal networks.
The U.K. announced in April 2021 that it will legislate for IoT security. Under the planned legislation, customers must be informed at the point of sale for how long a smart device will receive software updates. Manufacturers will be banned from shipping products with default passwords and will have to provide a public point of contact to make it easy to report a vulnerability. An enforcement body will investigate allegations of non-compliance.
Recent cyberattacks have shown that cybersecurity is fundamental to the way we live now. Governments, international standards bodies, industry groups and regulators are now taking steps to make IoT implementations more trustworthy. What is missing from legislation so far is a mandate that calls for each IoT device to have a unique and unalterable identity. Until we have that, IoT security will remain a patchwork rather than whole cloth.
For more details about the development of IoT security standards, accreditation schemes and IoT regulations, download the Crypto Quantique white paper.
Avnet stocks several families of secure microcontrollers that can provide a Root of Trust to underpin IoT device security, as described by PSA Certified. These are available from Maxim Integrated, Microchip, NXP, STMicroelectronics and Renesas. Do a product search for “secure microcontrollers” for more details.