The Internet of Things (IoT) describes an idea true to its name. It refers to the connection between physical “things” equipped with software, sensors, etc. through which data is intercommunicated. These IoT products range from household gadgets like smartphones and tablets to medical and security devices, and all the way to extremely sophisticated machines such as those used in manufacturing and transmission.
While these devices come with evident advantages, their expansive nature also opens up opportunities for all kinds of cyber – and sometimes even physical – attacks. These concerns make the security management of consumer IoT devices a necessity which, challenging as it is, has grown into a sizeable market. The global IoT device security market is forecasted to expand at an annual rate of almost 34% between 2018 and 2023. By 2026, it is expected to have grown to a value greater than $40 billion.
Granted, compliance with technical and legal regulations is mandatory. But whether this compliance translates into adequate cyber security is a whole different argument. IoT products have had to face threats since their inception, and the risk, frequency, and extent of such threats continue to increase with the growing capability and connectivity that such devices provide.
What Are Cyber Security Frameworks?
As the name suggests, a Cyber Security Framework provides a framework or a system of guidelines, standards, and best practices to manage risks associated with cyber services and devices. Following such a framework is usually mandatory for organizations involved in any digital activity, which is virtually every organization on the planet. This not only allows them to comply with the minimum security standards as defined by international, industry, and state regulations, but also helps them in defining standard operating procedures to measure, monitor, and mitigate cybersecurity risk.
One of the best-known of such frameworks is the National Institute of Standards and Technology (NIST) Cybersecurity Framework. It provides easy-to-read, high-level, and accessible guidelines for organizations as part of their cybersecurity program. It also recognizes the fact that cybersecurity and cyber-risk mitigation measures are specific to each organization, which is why its guidelines are customizable. We will talk more about NIST and its cybersecurity recommendations in the next section.
Another well-known cybersecurity risk management framework is the set of standards laid out by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) – ISO/IEC 27005. These guidelines are more actionable and are directed towards managers to help them implement and manage information security risks. However, ISO/IEC 27005, too, leaves its guidelines open to interpretation, as it does not specify any single risk management method to be followed.
IoT Cyber Regulation in the US
Three presidents meant three eras of cybersecurity developments. Let us examine how Presidents Obama, Trump, and Biden have contributed to improving and strengthening the cyber environment of the United States.
NIST Cybersecurity Framework
As mentioned before, the NIST Cybersecurity Framework is one of the most well-known of its kind. It was initiated by the issuance of an Executive Order – Improving Critical Infrastructure Cybersecurity – by President Obama in 2013. It was a collaborative effort of the U.S. government and the private sector which culminated in the three-component and five-element framework we know today. To clarify, the three components of the framework are the Core, Implementation Tiers, and Profiles, which together govern the five elements: Identify, Protect, Detect, Respond, and Recover.
The five elements, or functions, of the NIST Cybersecurity Framework for the IoT are what make it so impressive and encompassing.
- Identify: recognize and classify the assets, processes, and devices that need protection
- Protect: execute appropriate security measures to protect the identified assets
- Detect: identify and expose the sources of the cyber security incidents
- Respond: contain, mitigate, and counter the impacts of the incidents
- Recover: restore system and asset capabilities to pre-incident levels
As the Trump administration was nearing its end, it rolled out the bipartisan IoT Cybersecurity Improvement Act of 2020 – “The Act”. The Act was passed under a suspension of the rules in the House of Representatives and by unanimous consent in the Senate. The Act, simply put, levies security requirements on federal agencies for their IoT devices. Several U.S. states such as California and Oregon have passed independent IoT security laws, but this act passed by the federal government is of a more overarching and compelling nature.
The Act addresses the supply chain risk to the federal government arising from vulnerable IoT devices. It requires NIST to ‘educate’ the federal government to help them manage the cybersecurity of their IoT devices. It also requires the Office of Management and Budget (OMB) to ensure that the NIST-published standards are being implemented by federal agencies. Finally, it requires NIST to update its standards every five years while OMB oversees the continuous implementation of said standards.
Cybersecurity Labeling for Consumer IoT Products & Services
NIST has continually been building upon its security framework, first by initiating the NIST Cybersecurity for IoT Program and most recently under the Biden Administration’s Executive Order on Improving the Nation’s Cybersecurity, in which the U.S. federal government directed NIST to educate the public on security concerns associated with IoT devices and services.
Such labeling programs are defined with respect to minimum security standards and desirable features in digital solutions. But these recommendations are merely that; consumers, manufacturers, and service providers are at liberty to choose the best way forward for their specific needs. Despite the lenient nature of these recommendations, the IoT Cybersecurity Program is aimed at:
- Encouraging innovation in product manufacturing to enhance the software security landscape
- Serving as actionable steps rather than impractical concepts
- Emphasizing the importance of usability
- Building on both domestic and global precedents
- Fostering an air of diversity in approaches to devising solutions
IoT Cyber Regulation in Europe
The European Commission (EC) – the executive body of the European Union (EU) – works to ensure stronger and more resilient security frameworks for digital networks and their associated IoT devices. The European Union Agency for Cybersecurity, ENISA, is tasked with achieving the continued high common level of cybersecurity across the EU. EC regularly rolls out Acts in order to strengthen ENISA, resulting in a symbiotic relationship between the two bodies.
The EC’s IoT Cybersecurity Cluster
In December 2020, the EC presented the EU’s Cybersecurity Strategy for the Digital Decade. This strategy aims to create an Internet of Secure Things so that consumers can be safe in their digital lives. The strategy outlines eight projects forming a security cluster for IoT security, which altogether amount to about €40 million (around €5 million each) in EU funding. This cluster has already proved to be immensely consequential, especially in the sectors it is targeted at.
SecureIoT is one of the projects from the cluster. It provides predictive security services for IoT applications to secure data collection, improve risk management, and account for security regulations and directives. Another such project is SEMIoTICS which builds on the existing IoT platforms and enables semi-autonomy in industrial IoT applications. Yet another such project is CHARIoT which brings a cognitive aspect to the cybersecurity management of IoT systems.
In late 2020, the European Union Agency for Cybersecurity, ENISA, conducted a study to define Guidelines for Securing the Internet of Things at the IoT supply chain level. It took a big-picture approach and addressed security challenges arising from the design stage all the way down to the disposal of such devices. ENISA holds that the assessment and monitoring of security cannot be restricted to just the product itself but must extend over all the relevant processes involved. ENISA has also consistently advocated security by design for consumer products and the integration of security features by default.
This most recent study to address cybersecurity challenges related to the IoT supply chain provides a number of key guidelines:
- Forging better interrelationships between stakeholders at every stage
- Cultivating cybersecurity education and expertise
- Adopting security by design principles
- Implementing an encompassing and focused approach to cybersecurity
- Building upon existing standards and industry best practice
Granted, the advent of the IoT has made lives and businesses easier and more interconnected. But this new era of digitization brought with it new possibilities of cybersecurity incidents as well. Accordingly, nations and industries have collaborated to establish some “ground rules” to ensure data security and integrity. Many of the provisions and guidelines laid out by American and European cybersecurity regulatory bodies are similar. They mainly focus on innovating, leveraging existing standards, developing expertise, and integrating security into every step of the IoT supply chain.
As Aptimize works with data mapping, exchange, audit, and integration, it does so responsibly by keeping the industry regulations in mind.