IoT New Regulations

Written by Team Nucleus, 24th January, 2022


The 2020 IoT (Internet of Things) security government report revealed that 49% of UK residents have purchased at least one smart device since the start of the Covid-19 pandemic, and that the average UK household now contains nine smart devices. As the IoT market continues to grow, it is important to enact legislation that covers IoT cybersecurity and protects consumers from hackers.

Privacy breaches, monetary fraud, and network resilience are among the most frequently discussed topics when it comes to regulating IoT devices. In 2021, the European Commission introduced a new IoT regulation, expected to enter into effect in mid-2024.

New IoT cybersecurity standards

The new Product Security and Telecommunications Infrastructure (PSTI) bill covers all consumer smart devices. These include phones, tablets, fitness trackers, TVs, light bulbs, thermostats, and many more. Vehicles, smart meters, and medical devices are exempt from this legislation because they are covered by separate regulation. Desktop PCs and laptops are also excluded, as they already have antivirus software installed at the point of purchase.

Failure to comply with the regulations outlined below could result in heavy fines of up to £10m or 4% of global turnover, along with up to £20,000 a day for ongoing breaches.

These are the new standards every IoT device manufacturer will need to adhere to: 

* Ban universal default passwords

Many IoT devices come with weak, factory-set passwords that new owners often never change. This poses a major cybersecurity threat: the password is easily guessable by attackers, who can then gain access to the whole home network. As a result, private consumer devices are put at risk, along with business laptops and other company devices a person might use while working from home.

Once the new IoT regulation comes into effect, manufacturers and users will no longer be able to set easy-to-guess default passwords such as “12345”.

* Set a clearly outlined security updates period at the point of purchase

When consumers equip their homes with smart devices and appliances, they expect them to work without fail for years to come. However, support for fixing security flaws in such devices ranges from continuous to non-existent. If security problems are not promptly addressed, the device risks exposing personal data and having its functionality compromised.

The PSTI bill states that each IoT device must present clear information on security updates available for the product at the point of purchase. The information must also state how long the device will be eligible to receive security updates. If the device has no updates, this must also be declared before the consumer purchases the product. 

* Manufacturers must employ a public point of contact who will be responsible for managing security-related product vulnerabilities

If a product turns out not to comply with the set standards, manufacturers must have a public point of contact who proactively responds to reports of flaws and bugs in their products.

Benefits of new measures

The new legislation is an important step to improve network resilience, protect consumers’ privacy, and reduce the risk of monetary fraud. 

Manufacturers will need to make sure they adhere to every standard before putting their product on the market. Consumers will be able to rely on connected products without having concern over safety and personal data theft. 

As cyber threats evolve fast, it is important to stay proactive and ensure each IoT device remains fully functional, with safety measures in place to prevent a potential attack. 

“This is a significant step in establishing a comprehensive set of common European Cybersecurity standards for the products (including connected objects) and services brought to our market,” said Thierry Breton, Commissioner for the Internal Market.

EU vs. US IoT regulations

International Data Corporation (IDC) estimates that by 2025, there will be 41.6 billion connected IoT devices. However, IoT regulations vary and the EU standards do not apply to the products purchased in the US. And while the European IoT standards are clearly set, the US is yet to follow the same lead. 

In December 2020, the US signed the IoT Cybersecurity Improvement Act, which signalled a change in the IoT security sector. The act states that the mandatory minimum security standards must be updated at least once every five years. However, it applies only to IoT devices purchased with government money, and there has been no clarity on whether it also covers older, already-purchased IoT devices.

California and Oregon’s IoT legislation

When it comes to IoT laws in different parts of the US, California and Oregon appear to be the only states whose rules come close to the UK and EU standards.

The California IoT Act came into force in 2020. It requires all IoT manufacturers to equip their devices with reasonable security features appropriate to the function of the device. Oregon’s IoT law is fairly similar. Both acts also ban default passwords.

As of 2021, California and Oregon are the only two states with individual IoT regulations.

How to protect your network from IoT cyberattacks

While IoT regulations set a cybersecurity baseline for all device manufacturers, it is important to take extra precautions to protect your own network infrastructure.

To enable real-time incident response and forensics, Telesoft has developed highly scalable threat detection and visibility tools. These include:

* FlowProbe – 400Gbps full network visibility and traffic monitoring

* CERNE – 100Gbps signature matching and “back-in-time buffer” 

* TDAC Platform – ultra-scale event orchestration, multi-layered threat detection and mitigation, Petabyte scale distributed storage

Find out more about how a managed threat hunting service can protect you from IoT cyberattacks by reading about our TDAC threat solution and booking a demo with our team today.
