The Regulatory Tsunami About to Engulf IoT

By Jimmy Jones, Telecoms cybersecurity expert and Head of Security, ZARIOT

The telecoms industry has always been highly regulated. However, the introduction of 5G ushering in with it the prospect of a world of ubiquitous connectivity delivered via an explosion of internet of things (IoT) devices is expanding the focus and burden of responsibility ever wider. Even still, security budgets do not always support the very necessary changes that will bring both compliance and real-world protection.

The telecom network operators have already felt the impact of additional scrutiny. Administrations across the globe recognize that as people and critical national infrastructure become more dependent on this next generation of network, it poses a substantial personal and national security threat. We have already seen governments move to eliminate what they see as untrusted vendors from the telecom infrastructure and legislation introducing huge fines across the globe – with the UK leading the way.

Yet the burden is not solely on the telecom operators.

IoT represents and ecosystem where the telecoms operators are essentially just the connectivity medium. You need a “device”(be that a car, a lightbulb, or an unimaginable number of other massively diverse options), and an “application” to gather and process the data collected. Administrations realize that the security of all these need to be addressed to fully mitigate the threat.

This means the enterprise sector, both the manufacturers and the owners of the solutions, will now have to adhere to IoT regulation too.

Several industries already have significant regulation in place. The automotive industry has seen the UN’s smart vehicle regulations adopted in Japan and Korea in January 2021 and will be enforced in the EU from July 2022. The medical industry will see an expansion of its threat borders, but certification is already strict.

It is the currently less-regulated industries that will feel the effect more. Of the several examples of legislation presently being passed, two in particular stand out:

In the US, Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity,” has just closed its whitepaper “Baseline Security Criteria for Consumer IoT Devices” to comment. In this document, NIST outline details on additional IoT cybersecurity hardening that must be employed and testing that must be performed. Meanwhile, on the other side of the Atlantic, the EU initiative on “Internet-Connected Radio Equipment and Wearable Radio Equipment” which sets a baseline security criteria for IoT devices was adopted by the Commission on October 29, 2021.

Both will need to be considered when designing and implementing almost any consumer IoT solution for use in these regional markets moving forward and will inevitably be a precursor to other regions following suit.

What we have seen so far is just the very tip of the regulatory iceberg. Conditions globally dictate that irrefutably.

We all think we are well aware of the explosion in the volume of general cyberattacks, but how many of us realize that the financial damages it is predicted to cause this year would make it the world’s third-largest economy, only beaten by the U.S. and China?

For IoT, the story is probably even worse; it is widely accepted in the cybersecurity community as the most vulnerable element of the network, and it is already under attack at levels that are almost incomprehensible. In September 2021, Kaspersky released figures that IoT attacks had doubled, and they had seen 1.5 billion in the first six months of this year. To put that into context, that’s approaching 350,000 attacks every hour of every day.

But there is more bad news:Another reason IoT is attractive to hackers is that because the impact of their actions potentially has physical implications, it is far more apparent. Many IT cyber breaches are never reported, but the public manifestation as a result of an IoT attack means is not an option. Consider the ransom attack on the Colonial Pipeline as an example. This additional impact magnifies the prospective rewards for a hacker, which increases the temptation, and the likelihood and perseverance of any attack.

Gartner predicts that attacks on operational technologies (connected devices that monitor and control the performance of physical actions), causing injury and possibly death will be weaponized by 2025. These types of devices are not normally deployed in the home, but they are in our workplaces and other areas of our environment, such as civil infrastructure.

The implications here are enormous, not only in the anguish and needless suffering it would cause, but also financially. The same research anticipates the financial impact of fatalities due to attacks on operational devices, will be over $50 billion.

IoT is extremely diverse by nature and comprises of many areas of expertise working together to achieve success. The only option for end-to-end security is close collaboration and cooperation between expert suppliers. Even then, coordinating the effort to both deliver and secure the overall solution will be difficult.

Securing the device itself as well as the end-to-end communication to the IoT application core, while also guaranteeing network access, availability, and integrity must be the core principles to any secure-by-design IoT strategy. With that in mind, the extra regulatory burden described above would seem to be appropriate.

Budget for security can be hard to obtain, but we must properly secure IoT as its vulnerabilities will be directly reflected, in the world we live in. In an ideal world, regulation should not be necessary, however if it mobilizes the various contributors and supply chains, it has to be a positive.

Finally, if all this evidence is not enough to loosen the security purse strings of your troublesome CEO, gently point out Gartner believes¾ of CEOs will be personally liable should anything go awry.

Looming regulations will force accountability to the actual decision-makers and spare no prisoners.


Hot Topics

Related Articles