Internet of Things: Security Regulations are Getting Tougher
Whether you’re manufacturing and marketing connected products or selling Internet-of-Things services and solutions, your most significant competitive advantage may be ironclad security.
While entrepreneurs and chief executives in large enterprises often cringe at the idea of more regulation, when it comes to the internet of things (IoT) and industrial IoT (IIoT), forward-thinking developers and service providers should embrace new laws designed to protect personal privacy and defend against cyberattacks.
Security can no longer be an afterthought. With the right product strategy and tech ecosystem partners, going to market with the most secure device, application, cloud, system and connectivity in sync can accelerate success.
Without thinking ahead and paying attention to potential threats, even the most capable connected device with the most significant benefits can become a nightmare when an adversary attacks, with severe reputational and financial consequences, including massive fines.
The IoT and IIoT embed real-time communications technology into physical products and are becoming increasingly sophisticated. For example, the latest generation of implanted pacemakers and insulin pumps can send information over the Internet and enable doctors or automated systems to send commands back.
The consequences associated with the internet of medical things (IoMT) are now matters of life and death. The same is true of connected cars and driverless, autonomous vehicles, which if hacked and controlled could cause mayhem and mass casualties on the superhighways of the future.
The more connected and interconnected these systems become, the larger the attack surface, and the more serious the consequences when bad actors break into a system and take control.
While the U.S. federal government has been less willing than others to regulate IoT aggressively, the state of California has led the way with legislation (SB-327, signed in 2018 and effective January 1, 2020) covering connected devices sold in the state. No device manufacturer can afford to walk away from California, whose economy is larger than that of most countries and whose technology sector is among the strongest in the world.
The legislation requires that a connected device be equipped with reasonable security features that are appropriate to the nature and function of the device and to the information it collects, contains or transmits, and that are designed to protect the device and that information from unauthorized access, destruction, use, modification or disclosure.
While device developers are still waiting for guidance on how the law will be interpreted, some companies are already lobbying against it, arguing that "reasonable security" is undefined and therefore unenforceable, and that compliance is consequently impossible to monitor and manage.
The most prominent part of the law, at a high level, is that shared default passwords are out (as they should be): a device that can be authenticated from outside a local area network must either ship with a password that is unique to each unit or force the user to set a new credential before the device can be accessed for the first time. Passwords, however, are far from the only weakness in connected devices today.
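To make the two compliant options concrete, here is an added example (written for this page, not code from the article, from any regulator or from any vendor) of a hypothetical firmware credential store. One provisioning path ships each unit with its own random credential, the other ships the unit locked until the owner sets one at first boot, and both reject entries from a constructed list of shared factory defaults. Everything in it is assumed: the class and function names, the PBKDF2 parameters, the minimum length and the sample default list.

```python
"""Added example (not from the article or any regulator's text): the two
provisioning paths that satisfy a no-shared-default-password rule, in a
hypothetical firmware credential store.  Assumed model: the device holds
one admin credential, stored as a salted PBKDF2-SHA256 hash."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed list of the kind of shared factory credentials the rule targets.
SHARED_FACTORY_DEFAULTS = frozenset({"admin", "password", "1234", "12345678"})
MIN_PASSWORD_LENGTH = 12      # assumed policy value
PBKDF2_ROUNDS = 200_000       # assumed work factor


class CredentialPolicyError(ValueError):
    """A credential that would be a shared default or is too weak."""


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class DeviceCredential:
    """Hypothetical per-device admin credential as held in firmware storage."""
    serial: str
    salt: Optional[bytes] = None
    digest: Optional[bytes] = None

    @property
    def provisioned(self) -> bool:
        return self.digest is not None

    def set_password(self, password: str) -> None:
        # The same policy applies whether the factory or the owner sets it.
        if password in SHARED_FACTORY_DEFAULTS:
            raise CredentialPolicyError("shared factory default rejected")
        if len(password) < MIN_PASSWORD_LENGTH:
            raise CredentialPolicyError("password too short")
        self.salt = secrets.token_bytes(16)
        self.digest = _hash_password(password, self.salt)

    def authenticate(self, password: str) -> bool:
        # Option B devices ship unprovisioned: nothing authenticates until
        # the owner has completed first-boot setup.  No "admin/admin" fallback.
        if not self.provisioned:
            return False
        candidate = _hash_password(password, self.salt)
        return hmac.compare_digest(candidate, self.digest)


def provision_unique_per_unit(serial: str) -> tuple[DeviceCredential, str]:
    """Option A: a random credential per unit, printed on that unit's label.
    The clear-text value is returned once for the label printer and never stored."""
    password = secrets.token_urlsafe(12)  # 16 URL-safe chars, 96 bits of entropy
    cred = DeviceCredential(serial)
    cred.set_password(password)
    return cred, password


def provision_owner_sets_first(serial: str) -> DeviceCredential:
    """Option B: ship locked; the first access must set a credential."""
    return DeviceCredential(serial)


def complete_first_boot(cred: DeviceCredential, chosen_password: str) -> bool:
    """First-boot setup for an Option B device. Returns False if already done,
    so a later caller cannot silently overwrite the owner's credential."""
    if cred.provisioned:
        return False
    cred.set_password(chosen_password)
    return True


def units_accepting(fleet: list[DeviceCredential], probe: str) -> list[str]:
    """Audit helper: serials of units that accept a probe password.  A compliant
    fleet returns an empty list for every entry in SHARED_FACTORY_DEFAULTS."""
    return [c.serial for c in fleet if c.authenticate(probe)]


if __name__ == "__main__":
    a, label_pw = provision_unique_per_unit("SN-0001")
    b = provision_owner_sets_first("SN-0002")
    complete_first_boot(b, "owner-chosen-passphrase")
    for probe in sorted(SHARED_FACTORY_DEFAULTS):
        print(probe, units_accepting([a, b], probe))
```

The audit helper is the part worth keeping around: run it against a staging fleet with the shared-default list and any unit that answers has a provisioning bug, regardless of which of the two paths it was supposed to take.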
The FCC has not been entirely silent on device security and continues to issue warnings. Citing the vulnerabilities of insecure wireless devices, it has advocated for cyber accountability on the part of manufacturers.
In parallel, the FCC continues to monitor and regulate security at the network layer more forcefully, which is having a positive impact on innovation, including network virtualization and software-defined networking (SDN), which let operators control network behaviour to a far greater extent in software.
IoT equipment suppliers are being asked to implement “security by design”. The FCC states the definition as “A development practice that reduces cyber risk by using a disciplined process of continuous testing, authentication safeguards and adherence to best development practices.”
Ultimately, regulatory oversight is needed because the “large and diverse number of IoT vendors … hinders coordinated efforts to build security by design into the IoT on a voluntary basis.”
Near the end of 2018, the National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce, launched a collaborative project to develop a voluntary privacy framework, applicable to IoT deployments among others and modelled on its existing Cybersecurity Framework for managing risk. The initiative makes sense given how interdependent the IoT is and how critical it is to secure IoT and IIoT deployments at every layer: not just devices, but applications, clouds and databases.
All of this comes together on the largest and most resilient network in the world, the internet, which is why we believe that embedding security into private networks spun up over the public internet makes the most sense for companies rolling out connected products and services.
We applaud the federal agencies in the United States and the projects around the world doing mission-critical work that benefits and protects billions of people. California's bold legislation, moreover, benefits everyone: once California mandates security standards for IoT devices, manufacturers will rewrite their software to comply and will find it most sensible to maintain a single, secure version and sell it everywhere.
Today the IoT truly is the Wild West of the tech community, with manufacturers rushing products to market at competitive prices and often skipping the crucial security step, treating security not as a product feature but as a cost that is invisible to buyers.
As governments step in and impose more stringent regulations, companies have an incentive to meet those standards, and that incentive is already driving security innovation: affordable, scalable software and firmware that can be embedded in mass-produced devices and registered to secure networks. The need is greatest for mission-critical connected products such as health care devices, autonomous vehicles, power grids, and public safety and surveillance systems.
The network itself can interact more securely with connected devices when it includes software that applies encryption, monitoring and strict access controls to every session, transaction and command, reducing risk by blocking attacks and protecting data both at rest and in motion.