The threat of cybercrime has never been higher. The Identity Theft Resource Center reports that 2023 saw over 3,000 compromised systems affecting over 350 million victims, a 72% increase over the previous mid-pandemic high of 2021. IoT devices represent a tempting target for cyber criminals: they are network- and internet-connected, standardised, and many are left neglected. The IoT appears to be an ideal vector for entry into a network if its devices are not properly secured.
Not coincidentally, regulations surrounding IoT cybersecurity have never been more stringent. The initial phase of the United Kingdom’s PSTI Act (Product Security and Telecommunications Act) is now in effect, entering UK law as of 29 April 2024 following a one-year grace period. Its ratification means that compliance with the top three items of the UK’s Code of Practice for Consumer IoT Security, a set of 13 guidelines which every IoT device should follow, is now enshrined in law.
PSTI and ETSI: A baseline standard for security
These three requirements reflect the same rules set out in the European Telecommunications Standards Institute (ETSI) standard EN 303 645, first published in mid-2020 and followed by EU member states: devices must not use default passwords, they must be supported by a vulnerability disclosure policy, and the included support and update period must be disclosed at the point of sale.
If a device does not meet the standards of the PSTI Act, the UK government may issue large fines, force a product recall, prevent the manufacture of further devices, and even hold company directors liable for a criminal act.
PSTI and ETSI regulations represent, frankly, the bare minimum that any business could do to fight the threat of cybercrime. They outline a specific security baseline. This is not to argue that they are invalid – on the contrary, many manufacturers will benefit greatly from the guidance of their principles or the threat of fines, and such regulations are an essential feature of the security landscape. The point is that when businesses reach these standards, as they must, it is important that they then strive to go beyond them. It is not enough to conform. The ever-increasing pace of cybercrime dictates that cybersecurity stay ahead of it.
New opportunities to excel
Reaching compliance with regulations is a great opportunity for manufacturers to then push their technology beyond the line ready for the next part of the PSTI Act, or simply to demonstrate a superior commitment to security. It may be a chance to emphasise the value of a zero-trust approach to networking, for example. Criminals should not be given the opportunity to force their way into a network.
Allowing one’s devices to work with a zero-trust approach, which assumes that any entity inside or outside the network could act as an attack vector, helps those building IoT devices to create a culture of constant identification, verification, and inherent security within the networks of their clients. Security should be the default, and the easier it is for customers to achieve that, the better.
IoT manufacturers must also be aware that the sharpest source of cybersecurity knowledge often comes from hackers themselves. Analysis of an attack may reveal critical information about weaknesses in one’s software, firmware, or hardware, but pushing a product out and waiting for the worst to happen is not a valid way to test its resilience. Bug bounties present an opportunity for hackers to put on the white hat, as the saying goes. Offering a reward for the discovery of security issues, loopholes, or other critical issues presents a great incentive and allows such problems to be found in a safe sandbox rather than in the wild.
Supporting products throughout the lifecycle
Critically, manufacturers must also be ready to support their devices from beginning to end. An element of the IoT which is secure today may very well fall victim to the attack of tomorrow, or fail to meet the requirements of revised standards as they are introduced. To properly support their customers, manufacturers need to focus on the entire product lifecycle.
This means providing straightforward onboarding which puts security first, firmware upgrade paths which are as convenient and seamless for IT departments as possible, a seamless management interface which ensures devices are not forgotten, and a path to decommissioning which ends a product’s life without risk of data leaks. Make it easy for end users to meet security standards, and they will; throw too many spanners in the works, and they may skip critical steps – or, worse, throw in the towel and migrate to a different manufacturer.
Better certification to prove commitment
Demonstrating alignment with cybersecurity regulations is not necessarily difficult, as the PSTI Act essentially allows for self-certification through the publication of a statement of compliance. This potentially does not go quite far enough. Manufacturers would not falsely claim compliance, of course, but they could, and it may take some time for a regulator to notice if they were to. A far stronger demonstration of a product’s security is certification by a genuinely independent third party. Regular periodic verification from an external entity offers strong validation to customer and regulator alike, because the certifier puts its own reputation at stake if its process is not fully above board.
Ultimately, though, as important as meeting standards is, nobody in the IoT industry can afford to focus solely on ticking certification boxes. For manufacturers, those will be the same boxes every other manufacturer has (in theory) ticked. They are important, but a certificate does not provide the kind of customer value that makes a product stand out, nor does it represent technological innovation. That is found in one’s products. Demonstrating the strength and agility to go far beyond regulatory standards is the true marker of the industry’s progress towards a smarter, safer world.
Author Bio: Steven Kenny has spent 18 years in the security sector in roles that have seen him take responsibility for key elements of mission critical, high-profile projects across a number of different vertical markets. For the past eight years he has focused his attentions on how security technologies can best support business security strategies, whilst driving the adoption and elevating the importance of cybersecurity and compliance for physical security practitioners. Steven’s current role sees him lead a team of Architect and Engineering managers across the EMEA region whilst supporting various industry associations and standards organisations. He currently sits on the EMEA Advisor Council as the emerging technology lead for TiNYg (Global Terrorism Information Network), and on various standards committees to support IoT security, as well as the BSI Private Security Management and Services.