The Internet of Things (IoT) refers to the global network of physical devices connected to the internet, capable of collecting and sharing data. IoT devices range from everyday household items to sophisticated industrial tools. By integrating sensors and communication hardware, IoT bridges the gap between the physical and digital worlds, enabling environments where smart devices operate interconnectedly and autonomously.
IoT's growth is driven by the increasing availability of affordable computing power and connectivity, advances in data analytics and artificial intelligence, and the cost efficiency of data storage. As a result, IoT has spread across smart home products, health monitoring, intelligent transportation, and optimized manufacturing processes.
In this two-part series, the existing IoT regulations from various countries will be examined. In part 2, methods for achieving security compliance will be explored with these regulations in mind.
Current IoT Security Regulations
IoT security guidelines, cybersecurity frameworks, and legal requirements are designed to protect IoT systems and their users from cybersecurity threats. These regulations aim to ensure that IoT devices, networks, and data handling practices are secure from unauthorized access, manipulation, or attacks. Some countries have regulations or government guidance specifically aimed at IoT devices, while others have general cybersecurity laws that also affect IoT devices.
Various regulations address risks associated with device security, data privacy, and network integrity. As IoT technology permeates various sectors, consistent regulatory practices are essential to prevent large-scale vulnerabilities.
All of the regulations share common themes, including mandating minimum security measures, promoting best practices in design and development, and requiring regular updates and patches. They also stipulate compliance checks and penalties for lapses, creating a structured environment to foster safer IoT implementations.
Major IoT Security Regulations by Regions
North America
U.S. IoT Cybersecurity Improvement Act of 2020
The IoT Cybersecurity Improvement Act of 2020 is the first law to specifically address the security of IoT devices. Under this legislation, an IoT device is defined as one that possesses at least one sensor or actuator for interacting with the physical environment, at least one network interface, and the capability to operate autonomously rather than as part of a larger system. Notably, the law does not apply to devices such as smartphones and laptops.
A critical component of this legislative effort is the guidance developed by NIST, particularly the NIST SP 800-213 Series. This series includes the IoT Device Cybersecurity Guidance for the Federal Government and the IoT Device Cybersecurity Requirements Catalog. The latter offers a detailed framework that aligns with broader cybersecurity standards, such as SP 800-53 and the Cybersecurity Framework. These guidelines were refined through extensive public feedback and collaboration, highlighting a commitment to evolving IoT security standards that are practical and adaptable across various federal applications.
Importantly, the Act prohibits federal agencies from procuring or utilizing IoT devices deemed non-compliant with NIST's standards.
Canada Personal Information Protection and Electronic Documents Act
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's cornerstone legislation governing how private-sector organizations manage personal information in commercial activities. PIPEDA covers a broad spectrum, applying not only to businesses engaged in commercial transactions but also to the personal data of employees in federally regulated industries. It broadly defines "personal information" and mandates the handling of this information in a manner that respects individual privacy.
In the context of the Internet of Things (IoT), PIPEDA imposes specific requirements ensuring that organizations adhere to principles of accountability and consent and limiting the use, disclosure, and retention of personal information collected through IoT devices. These regulations require IoT device manufacturers and operators to establish stringent data protection measures, maintain transparency about their data practices, and allow individuals the right to access and control their personal information.
Europe
EU Cybersecurity Act
The EU Cybersecurity Act, enacted in 2019, provides ENISA (the EU Agency for Network and Information Security) with a permanent mandate over cybersecurity in the EU and establishes a European cybersecurity certification framework. This framework is used to evaluate the security of Information and Communications Technology (ICT) products, services, and processes throughout the EU. By standardizing cybersecurity measures, the Act addresses the fragmentation of cybersecurity standards across the EU.
For IoT devices, the EU Cybersecurity Act introduces a comprehensive certification framework that categorizes ICT products, including IoT, into three levels of assurance: basic, substantial, and high. Each level dictates the rigor of evaluation required—ranging from technical documentation review to advanced penetration testing—to ensure that IoT products meet EU-wide security standards. This harmonization reduces the compliance burden across different EU markets, ensuring that IoT devices are secure by design and resilient to cyber threats throughout their lifecycle. The Act mandates up-to-date patch management and the absence of known vulnerabilities for IoT technologies.
Cyber Resilience Act
Introduced by the European Commission in September 2022, the Cyber Resilience Act is a regulatory proposal aimed at enhancing the cybersecurity standards for IoT devices and related services within the European market. The Act sets forth ambitious objectives to establish a uniform European cybersecurity governance framework, enhance manufacturer responsibility in device security from design through lifecycle, improve transparency regarding cybersecurity practices, and ensure that both consumers and businesses have access to secure products.
For IoT devices, the Cyber Resilience Act mandates rigorous compliance measures for manufacturers, starting with the requirement that all devices with digital elements must bear an EU mark of conformity. This mark signifies that the products meet the new stringent cybersecurity standards set out by the Act.
Under the Cyber Resilience Act, manufacturers must ensure continuous compliance even as products undergo substantial updates or modifications. This includes evaluations to ascertain if changes like software updates or hardware repairs affect the device's adherence to established cybersecurity standards. Additionally, the Act covers importers and distributors, who are responsible for ensuring that only compliant products enter the European market.
Asia
Cybersecurity Law of China
The Cybersecurity Law of the People's Republic of China includes provisions to safeguard critical information infrastructure. This law enforces stringent measures to monitor and handle cybersecurity risks, advocating for a secure, structured, and resilient digital space. It emphasizes the importance of integrity in online conduct.
Regarding the Internet of Things (IoT), the Cybersecurity Law imposes rigorous obligations on network operators and manufacturers to ensure the security and stability of their services and devices throughout their lifecycle. This includes mandating adherence to national standards, implementing robust data protection measures, and facilitating a rapid response to cybersecurity incidents. IoT device manufacturers and service providers must also comply with regulations that include regular security assessments and obtain mandatory certifications before market entry.
Japan's IoT Security Safety Framework
In November 2020, Japan's Ministry of Economy, Trade and Industry (METI) introduced the Internet of Things (IoT) Security and Safety Framework. The framework is designed to enhance security measures for both devices and the broader systems that integrate IoT technologies.
The IoT Security Safety Framework introduced by METI establishes a multi-layered approach to IoT security, focusing on understanding and mitigating risks associated with the integration of IoT devices into larger networks. One significant aspect of the framework is its emphasis on typological security and safety measures, which are tailored to specific types of risks that emerge at the intersection of cyberspace and physical spaces.
This methodological approach ensures that both new and existing IoT systems are equipped with appropriate security safeguards, promoting a safer deployment of IoT technologies across various sectors in Japan. The framework serves as a guideline for developers and manufacturers to align their products and services with Japanese national security standards.
Certification of IoT Security (CIC)
On December 14th, 2023, the Ministry of Science and ICT (MSIT) of South Korea, together with the Korea Internet & Security Agency (KISA), signed a Memorandum of Understanding (MoU) with the Singaporean Cyber Security Agency (CSA) regarding the mutual recognition of IoT security certification systems. Under this agreement, IoT devices in key sectors such as home appliances, transportation, finance, smart cities, medicine, manufacturing, and communication will require certification that meets the agreed standards.
The MSIT outlines certification standards for IoT technology across these fields, ensuring that devices are secure from design to deployment. In South Korea, KISA is designated as the testing agency responsible for issuing the IoT security certification, whereas in Singapore, the CSA oversees the Cybersecurity Labeling Scheme (CLS), which serves a similar purpose. Both certification systems aim to ensure that IoT products are equipped to handle security challenges effectively, safeguarding consumer data and enhancing device integrity against potential cyber threats.
Australia's Code of Practice for IoT
Australia's Code of Practice: Securing the Internet of Things for consumers, developed by the Department of Home Affairs, is a proactive measure to enhance IoT security across the nation. Introduced as a voluntary set of measures, the Code of Practice aims to establish a baseline of security norms for IoT devices to protect Australian consumers. Recognizing that security features in IoT devices are often overlooked or underdeveloped, the Code addresses the need for robust cybersecurity defenses against potential threats.
The Code of Practice is designed for industry stakeholders and comprises thirteen principles, with a strong recommendation to prioritize the top three for immediate benefits. These principles include: the elimination of default or weak passwords, vulnerability disclosure policies for IoT device manufacturers and service providers, and ensuring that IoT software remains securely updatable.
In Part 2 of this series, the challenge of securing IoT will be examined with these regulations in mind.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.
