How can legislation help secure the IoT revolution?
The rapid advancements in technology, particularly in IoT, industrial automation, and smart homes, hold great potential for transforming various industries. However, security concerns arise from connecting everything without understanding the security implications. At Hardware Pioneers, John Boggie, Senior Director of Cybersecurity Certification at NXP Semiconductors, discussed how legislation can ensure a safe future for the industry.
According to Transforma Insights, there are approximately 17.08 billion connected IoT devices, and this figure is expected to almost double to 29.42 billion by 2030. The fast-growing number of IoT devices has made cybersecurity a growing problem, and securing these devices is now a greater concern.
Boggie explained the importance of interoperability of IoT products: “Matter is the business language for IoT products. It's a handshake and an agreement, so that if you bring your light bulb into your house and you connect, it connects to your Google Nest, it connects to your Alexa, connects to whatever else. Interoperability standards are a key thing to make it connected and something usable.
“What does this all mean? It means simply this: if we take those interoperability standards, and we utilise that across all of those various sectors that I've talked about, then with all of these things talking together, I can have a seamless life. We have the technology now to make this happen, and it's just a matter of connecting this up, but it's happening rapidly.”
However, this interoperability can open up wider issues that need to be addressed: “The problem is, when we connect everything up, and we connect everything up and connect in the way we have at the moment by simply plugging things in, and not understanding what the security of these things are and what's actually in our product, we start to have problems, and hackers are exploiting us.
“Ransomware attacks are on the rise. Every 30 seconds is a ransomware attack. Simple things like software bugs are exploitable. Simple things like bad engineering are exploitable. Things like not changing your password become exploitable. We see it once things are connected up, you can have these various botnet attacks.”
Securing each IoT device is of utmost importance to ensuring security throughout the network.
The current problem is that regulation and legislation differ across the world, so for a product developed for a global launch, making sure it complies with each and every regulation is a mammoth task, especially when the EU and US markets have different regulations to adhere to.
However, one way of overcoming this is creating legislation that can be used across the world.
In his presentation, Boggie discussed the Security Evaluation Standard for IoT Platforms (SESIP), a methodology that reduces the cost, complexity, and effort of security evaluation and certification.
SESIP utilises the concepts of composition and reuse, allowing previously certified components to be used to build a device with in-built security assurances. This approach avoids the need to repeat the same evaluations in every targeted market. The methodology maps to other standards and requirements from bodies including ETSI, ISO/IEC, and NIST, demonstrating a risk-based design approach and helping to lower barriers to entry.
Key concepts to ensure legislation doesn’t cause pains for the industry:
- Legislators need to re-use or align legislation and standards across the board. The Cyber Resilience Act is currently a blanket piece of legislation that needs to be met, but we need to make sure international standards are utilised.
- Compliance should come from international standards where possible. To ensure that what is being built now is compliant, relying on what is already used is a must-have. This is especially important for startups and SMEs.
- Legislators must avoid imposing double regulation that makes things difficult for organisations that are doing the right thing, and vulnerability disclosure must be done correctly.
- Most importantly, compliance regulations and standards must work together to ensure a safer future.
Legislation plays a critical role in securing the IoT revolution by establishing clear standards and regulations that ensure device safety and user privacy. By requiring robust security measures, encouraging industry compliance, and fostering international cooperation, laws can mitigate risks and protect consumers. Effective legislation not only builds trust in IoT technologies but also paves the way for innovative advancements, driving the sustainable growth of the IoT ecosystem.