The past decade has seen many efforts by various governing bodies to define and regulate what cybersecurity means in today’s market. In this article, I will outline the current state of cybersecurity law and standards, as it pertains to the IoT industry. While many individual regulations are specific to particular geographies or industry sectors, the global nature of the modern tech market necessitates an understanding of the full range of potential applicable laws and standards.
In many jurisdictions, lacking specific instructions for IoT, cybersecurity rules fall under the general requirements set by overarching laws and standards applicable to all electronic data-holding devices.
Law and order – by geography
1. United States
Though there have been repeated attempts by the US government to pass a comprehensive IoT security measure, as of July 2019, none have yet been passed. The current contender is the Internet of Things Cybersecurity Improvement Act, introduced as S.734 on March 11th, 2019. If passed, it would require the National Institute of Standards and Technology (NIST) to create regulations concerning IoT security that would be mandatory for all IoT devices used by any government agency. The bill would also require IoT device manufacturers to adopt coordinated disclosure policies. While the bill would not make these regulations mandatory for all IoT devices, any manufacturer not adopting said guidelines would be restricted from the valuable markets offered by the many branches of the federal government.
The state of California has taken additional steps into the future of cybersecurity that, according to recent rulings, affects any company whose internet data passes through California. Thus, if a technology provider expects even a single customer to utilize their technology in California, they should stay up-to-date with two state laws.
The first, California Assembly Bill 1950, requires businesses and their partners to maintain a reasonable level of cybersecurity. While this bill, passed in 2004, doesn’t include specific language towards IoT devices, it could arguably include IoT security as a part of reasonable security practices. Since these businesses are liable for the security of the devices they use, they’re more likely to consider security an important feature of any IoT device they might purchase.
The second, SB-327, which will go into effect on January 1st, 2020, specifically targets the IoT market. Any manufacturer of any device that connects, directly or indirectly, to the internet must equip it with “reasonable” security features to prevent unauthorized access, modification, or data exposure. In addition, if the device features a password, it must either be unique to that device or force the user to set their own password during initial setup, thus preventing cyberattacks through guessing default passwords.
This second law is the first in the US to directly target not only IoT devices but also one of the most common methods by which hackers attack IoT devices. It places liability and responsibility directly on the IoT vendors, no matter where the device was purchased or manufactured, so long as the device is connected to the internet in California. This makes SB-327 relevant to all IoT manufacturers in the North American market. Using a “reasonable” security features is no longer an option. If anything goes wrong with the device, it might get to court and manufacturers will bear the burden of proof. Therefore, it is highly advisable for manufacturers to take the extra mile and look out for new and advanced cybersecurity solutions.
3. European Union
The European Union has implemented a number of resources and regulations concerning internet data privacy over all sectors.
Most issues of data security fall under the General Data Protection Regulation (GDPR). There are two major facets of the GDPR. First, any company holding data in regards to an EU citizen must offer the individual the right to back out of sharing that data just as easily as they were granted consent to acquire it. Essentially, citizens must be able to “opt out” as easily as they “opt in.” Second, that consent, even when granted, must be flexible. Citizens can restrict how their data is processed, can give content for data storage but not consent to their data being processed at all, and must give consent for data to be transferred or shared to a third party or outside the EU.
In addition, DSPs and OESs must adhere to The Directive on Security of Network and Information Systems (NIS Directive) which outlines specific regulations for service providers.
This year (2019) will see the ePrivacy Regulation come into effect, which will override any previous directives and the applicable portions of the GDPR. This regulation will apply to any business that provides any form of online communication service, uses online tracking technologies, or engages in electronic digital marketing. It sets more specific restrictions on any communications that qualify as personal data, such as consent laws for website cookies. For IoT manufacturers, these privacy regulations mean heavier expectations of security on devices that collect and transmit private data, and legal ramifications if hackers access that data.
Support for compliance with EU laws is available from the European Union Agency for Network and Information Security (ENISA).
4. United Kingdom
Like the US, the UK has often deliberated but not yet passed IoT specific security laws. As of today (September 2019) the UK is considering a law that would require IoT devices to be sold with labels indicating the security measures or vulnerabilities of that device.
The UK has also established a National Centre of Excellence for IoT Systems Cybersecurity, dubbed PETRAS (Privacy, Ethics, Trust, Reliability, Acceptability, and Security). The PETRAS IoT hub distributes research grants concerning critical issues in the IoT industry, and their findings will likely set the course of IoT regulation in the future.
Law and order – by industry sector
Despite the lack of an overall IoT security law, some industry sectors and their associated markets are restricted by laws specific to those sectors. Any vendor who cannot meet these restrictions is effectively locked out of these highly profitable markets.
For federal government offices, contractors, and subcontractors, a market of billions of dollars, all internet-connected devices fall under general requirements for internet security. These were established broadly by the Homeland Security Act but strengthened and specified in the Federal Information Security Management Act (FISMA) and the National Cybersecurity Protection Advancement Act.
The healthcare technology industry has its own requirements, as laid out in the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Exchange Data Breach Notification Act. The former defines national standards for the privacy and protection of healthcare information, while the latter enforces strict rules on notifying individuals when their health insurance information has been compromised. This means that devices which may have access to that information, including the fast-growing sector of home medical devices with smart features, not only need to protect their data but also need to be able to report if their security is breached.
Financial corporations, and by extension, those technology providers who cater to them, should be familiar with the regulations laid out by the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act. GLBA compliance requires financial institutions to be transparent in how they share and protect their customers’ personal data. States have passed additional regulations, such as New York’s Cybersecurity Regulation, which places specific requirements on all financial institutions and mandates regular assessments and proactive risk mitigation.
Setting the standards
1. ISO Standards
The International Organization for Standards has released five sets of standards in order to cover all aspects of cybersecurity. These documents are broad in scope and meant to encompass security in cyberspace as a whole, with IoT as an implicit part of these standards.
ISO/IEC 27001 is the international Standard for best-practice information security management systems (ISMSs). It is a rigorous and comprehensive specification for protecting and preserving information under the principles of confidentiality, integrity, and availability. It offers a set of best-practice controls that can be applied to an organization based on expected risks, and implemented in a structured manner in order to achieve externally assessed and certified compliance. Fulfilling this standard satisfies the majority of the requirements of the other standards and guidance relating to cybersecurity.
ISO/IEC 27032 is the international standard focusing explicitly on cybersecurity. While the controls recommended are not as precise or prescriptive as those supplied in ISO/IEC 27001, this standard recognizes the vectors that cyber attacks rely upon, including those that originate outside cyberspace. Further, it includes guidelines for protecting information beyond the borders of an organization, such as in partnerships, collaborations, or other information-sharing arrangements with clients and suppliers.
ISO/IEC 27035 is the international standard for incident management. Incident management forms the crucial first stage of cyber resilience. While cybersecurity management systems are designed to protect and defend, it is essential to be prepared to respond quickly and effectively when something does go wrong. This Standard also includes guidance for updating policies and processes to strengthen existing controls following analysis of the event, and minimizing the risk of recurrence. As more standards and regulations incorporate incident management regimes, this standard becomes increasingly important.
ISO/IEC 27031 is the international standard for ICT readiness for business continuity. The next logical step from incident management, this standard is what prevents an uncontrolled incident from transforming into a threat to ICT continuity. It bridges the gap between the incident itself and general business continuity, and forms a key link in the chain of cyber resilience.
ISO/IEC 22301 is the international standard for business continuity management systems (BCMSs), and forms the final part of cyber resilience. This standard not only focuses on recovery but also on maintaining access to, and security of, information after an incident, which is crucial when attempting to return to full and secure functionality. This closes the final stage in the profile of an overwhelming cyber attack.
2. US standards
The NIST Cybersecurity Framework (CSF) is a voluntary framework primarily intended for critical infrastructure organizations to manage and mitigate cybersecurity risk based on existing standards, guidelines, and practices. However, the CSF has proven to be flexible enough to also be implemented by non-US and non-critical infrastructure organizations. The CSF is a living document, recognizing that continual improvement is necessary to adapt to changing industry needs. As such, version 1.1 was released in April 2018.
The NIST has also released several Special Publications (SPs) covering additional recommendations and requirements for information security. NIST SP 800-53 details which controls the NIST recommends for all US federal information systems outside of national security. NIST SP 800-171 details requirements to protect controlled unclassified Information, which is information that necessitates protecting or dispersing controls consistent with laws, regulations, and policies.
Another document to consider from the NIST is the extremely recent NISTIR 8228, “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks.” While not a formal set of regulations, this document outlines the security and privacy risks of IoT devices for organizations that utilize them. It’s intended to precede a new series of IoT-focused in-depth publications. For vendors, NISTIR 8228 and its future follow-ups may change how organizations approach IoT purchasing and implementation, which makes it essential reading.
The independent third-party assessment firm UL developed its own guidelines for cybersecurity standards for IoT devices, marked UL 2900-2-1. These guidelines were adopted by the FDA in 2018 for all medical devices, endorsing the standard and increasing its popularity. While it remains less widely accepted than the ISO or NIST standards, it may yet rise to prominence.
The United States Department of Defense has just recently announced a new set of cybersecurity standards and certifications for all contractors that will be released before the end of the year. The Cybersecurity Maturity Model Certification (CMMC) is based in part on NIST Standards and will update the current standards set by the Defense Federal Acquisition Regulation Supplement (DFARS). It’s expected to allow a low-level certification achievable by small businesses as well as higher-level regulations for larger manufacturers. Given that the Department of Defense spends over $700 billion annually and works with over 50,000 contractors, their guidelines are relevant to a large portion of the US market.
Last but certainly not least, as the healthcare market expands and grows increasingly reliant on technology, the Health Insurance Portability & Accountability Act (HIPAA) remains essential for many IoT vendors. HIPAA established a national standard for the security of electronic health information, including the protection of individually identifiable health information, the rights granted to individuals, breach notification requirements, and the role of the OCR (Office of Civil Rights).
Judged only by the current legal requirements, the minimum state of necessary cybersecurity for manufacturers and vendors is fairly easy to achieve. However, assuming that reaching this minimum is sufficient would be a mistake.
As seen in California and the UK, regulating bodies are beginning to implement serious regulations not only for cybersecurity in general but for IoT devices specifically. Groups that set the bar for general cybersecurity attitudes, such as the US Department of Defense, are catching up to the standards set by the ISO. Formal rulings from the US government are likely to solidify in the near future, and evolving EU laws are gaining broader reach and impact.
It’s recommended that IoT device manufacturers and vendors consider not only the legal requirements for all potential markets but also adhere to the appropriate standards recommended for their target sectors, to be prepared for when new laws catch up to those recommendations.