How to Regulate Cybersecurity of the Internet of Things
I had the honor of speaking on IoT security policy at the annual CyberNextDC conference organized by the Cybersecurity Coalition. As the number of connected devices grows and these devices are increasingly used to perpetrate “botnets”, global policymakers are under pressure to regulate the cybersecurity of the Internet of Things (IoT). Below are just a few examples of governments that are contemplating regulatory activity in this space:
- European Union: The EU Cybersecurity Act will, among other things, allow the EU Agency for Cybersecurity (ENISA) to set certification schemes for information and communications technology (ICT) products, services, and processes, to include the IoT.[i]
- Japan: The Ministry of Economy, Trade and Industry (METI) has published a Cyber/Physical Security Framework pertaining to the security of IoT and other connected systems.[ii]
- Singapore: The Infocomm Media Development Authority is developing an IoT Cyber Security Guide.[iii]
- United Kingdom: The Department for Digital, Culture, Media and Sport has issued a Code of Practice for Consumer IoT Security and recommended regulations to require that consumer IoT devices incorporate at least minimum security controls.[iv]
At Schneider, we’re used to operating with this type of security complexity. For over 100 years, we have executed a multi-local strategy: manufacturing locally, servicing locally, and patenting locally. That said, such country-specific requirements for IoT device manufacturers present several limitations. Instead of promoting widespread, open innovation; economic prosperity for the global digital economy; or consistent security protocols, disparate requirements will likely lead to regulatory fragmentation. As a result, only large players will be able to meet this myriad of requirements, and consumers will be left to judge how secure an IoT device is based on where it was manufactured.
Raising the bar on cybersecurity
At Schneider Electric, we see an alternative path — one that fosters both innovation and security for industry players, governments, and global citizens. It is a path where governments work collaboratively, through open dialogue, to find common regulatory ground. Ideally, this path would lead to harmonization and interoperability between IoT security requirements and corresponding certification schemes. And there is room for optimism.
We can look to the U.S. National Institute of Standards and Technology (NIST) for an example. This organization has a long history of facilitating industry-driven, consensus-based initiatives to promote stronger cybersecurity practices. In cybersecurity, NIST is best known for the development of the NIST Cybersecurity Framework for Critical Infrastructure Protection, but NIST is now working on a new effort that could be just as impactful. This effort, which is still in draft, is known as NISTIR 8259: Core Cybersecurity Feature Baseline for Securable IoT Devices. It is an attempt to bridge the gap between a dozen or more IoT security guidelines, including the IEC 62443 suite of standards for industrial automation cybersecurity, issued by governments, standards development organizations, and civil society groups globally.[v] What the authors have found in the wide range of international approaches is commonality in security features that could serve as a meaningful regulatory baseline for all geographies. These features include:
- Device Identification: The IoT device can be uniquely identified logically and physically.
- Device Configuration: The IoT device’s software and firmware configuration can be changed, and such changes can be performed by authorized entities only.
- Data Protection: The IoT device can protect the data it stores and transmits from unauthorized access and modification.
- Logical Access to Interfaces: The IoT device can limit logical access to its local and network interfaces to authorized entities only.
- Software and Firmware Updates: The IoT device’s software and firmware can be updated by authorized entities only using a secure and configurable mechanism.
- Cybersecurity Event Logging: The IoT device can log cybersecurity events and make the logs accessible to authorized entities only.
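As an added illustration, not part of the original article and not code from NIST or its draft, the following Python model shows what a device that enforces these six baseline features looks like when the features are turned into checks: a unique device identity, configuration and update paths gated to authorized entities, an authenticity tag on firmware images, an integrity tag on stored data, and an event log that only authorized entities can read. The actor names, the two keys and the use of HMAC-SHA256 as the authentication tag are constructed assumptions for the example; a real device would use a vendor-specific signing scheme.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field


def mac_tag(key: bytes, data: bytes) -> bytes:
    """Authentication tag over data. HMAC-SHA256 stands in for whatever
    signature scheme the real update channel uses (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()


@dataclass
class Device:
    device_id: str                                # Device Identification
    update_key: bytes                             # verifies update authenticity (constructed)
    storage_key: bytes                            # integrity tag for data at rest (constructed)
    admins: set = field(default_factory=set)      # entities allowed to use management interfaces
    config: dict = field(default_factory=dict)
    firmware_digest: str = ""
    stored: dict = field(default_factory=dict)    # name -> (data, tag)
    events: list = field(default_factory=list)    # Cybersecurity Event Logging

    def _log(self, event: str, **details) -> None:
        self.events.append({"ts": time.time(), "device": self.device_id,
                            "event": event, **details})

    def _authorized(self, actor: str, action: str) -> bool:
        # Logical Access to Interfaces: every management call passes this gate,
        # and every refusal is recorded as a security event.
        if actor in self.admins:
            return True
        self._log(f"{action}_denied", actor=actor, reason="unauthorized")
        return False

    def set_config(self, actor: str, key: str, value) -> bool:
        # Device Configuration: changes only by authorized entities
        if not self._authorized(actor, "config"):
            return False
        self.config[key] = value
        self._log("config_changed", actor=actor, key=key)
        return True

    def apply_update(self, actor: str, image: bytes, tag: bytes) -> bool:
        # Software and Firmware Updates: authorized actor AND authentic image
        if not self._authorized(actor, "update"):
            return False
        if not hmac.compare_digest(mac_tag(self.update_key, image), tag):
            self._log("update_denied", actor=actor, reason="bad_signature")
            return False
        self.firmware_digest = hashlib.sha256(image).hexdigest()
        self._log("update_applied", actor=actor, digest=self.firmware_digest)
        return True

    def store(self, actor: str, name: str, data: bytes) -> bool:
        # Data Protection (integrity part): stored data carries a tag so that
        # silent modification is detected on read. Confidentiality would add
        # encryption; omitted here to stay within the standard library.
        if not self._authorized(actor, "store"):
            return False
        self.stored[name] = (data, mac_tag(self.storage_key, data))
        return True

    def load(self, actor: str, name: str):
        if not self._authorized(actor, "load") or name not in self.stored:
            return None
        data, tag = self.stored[name]
        if not hmac.compare_digest(mac_tag(self.storage_key, data), tag):
            self._log("data_tampered", name=name)
            return None
        return data

    def read_logs(self, actor: str):
        # Logs are accessible to authorized entities only
        if not self._authorized(actor, "logs"):
            return None
        return [e["event"] for e in self.events]


def demo() -> list:
    """Walk one device through the baseline checks; returns the event names."""
    d = Device("sensor-0001", b"update-key", b"storage-key", admins={"ops"})
    d.set_config("guest", "interval", 30)          # refused and logged
    d.set_config("ops", "interval", 30)
    image = b"firmware-v2"
    d.apply_update("ops", image, b"\x00" * 32)     # wrong tag: refused and logged
    d.apply_update("ops", image, mac_tag(b"update-key", image))
    return d.read_logs("ops")


if __name__ == "__main__":
    for name in demo():
        print(name)
```

The point of the model is that each baseline feature is a concrete check with an observable outcome: denied calls and bad signatures show up in the log, so a certification assessor can test the behaviour rather than take a data sheet's word for it.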
Securing the digital economy
Harmonizing regulatory approaches with this common baseline would allow global industry to build IoT devices to a shared set of core requirements, thus improving both economic opportunity and consistent security. Furthering this optimism is news that the US and EU have renewed their efforts to coordinate on cybersecurity regulatory approaches. This cooperation could bear fruit as part of the EU’s Cybersecurity Act and the pending cybersecurity certification schemes for IoT. Establishing harmonized requirements for IoT security could help both regions realize economic and security objectives.
Following this path of collaboration, governments would still be able to establish their own unique requirements for specific industries or use cases, but these additional specifications would be built on top of this common, coordinated baseline. When needing to ensure conformance to this baseline, governments could establish voluntary certification schemes while leveraging existing global certification bodies. Establishing such voluntary schemes would allow only the most competitive and secure vendors to rise to the top, thereby helping to raise the security bar throughout global industry. Using existing certification bodies, like ISASecure, would leverage ready resources that have the technical competence to assess conformity to this shared baseline.
Strengthening digital trust
While we hear of challenges on this topic daily, we see cause for optimism during October’s Cybersecurity Month. Governments and industry have an opportunity to come together and work collaboratively on common solutions that will benefit all citizens. At Schneider, we will do our part. As members of both the Cybersecurity Coalition and the Global Cybersecurity Alliance, we will work across industry, governments, and our customers to secure our digital economy.
For those interested in reading more on cybersecurity and building a holistic cybersecurity strategy, see Schneider Electric’s “Building a Cybersecurity Strategy for the Digital Economy” e-guide.
[i] European Commission, EU negotiators agree on strengthening Europe’s cybersecurity, Dec. 2018, http://europa.eu/rapid/press-release_IP-18-6759_en.htm
[ii] Japan Ministry of Economy, Trade and Industry, METI Compiles Results of the Call for Public Comments on the Draft Cyber/Physical Security Framework, https://www.meti.go.jp/english/press/2018/1001_002.html
[iii] Singapore Infocomm Media Development Authority, October 15, 2019, https://www2.imda.gov.sg/regulations-and-licensing/Regulations/consultations/Consultation-Papers/2019/consultation-for-iot-cyber-security-guide
[iv] UK Department of Digital, Culture, Media & Sport, Code of Practice for Consumer IoT Security, Oct. 2018, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/773867/
[v] The C2 Consensus on IoT Device Security Baseline Capabilities, https://securingdigitaleconomy.org/wp-content/uploads/2019/09/CSDE_IoT-C2-Consensus-Report_FINAL.pdf, Annex D: Informative References, page 30, accessed October 15, 2019
This article was written by Trevor Rudolph. He is Vice President for Global Digital Public Policy at Schneider Electric where he directs Schneider’s technology policy and regulatory affairs strategy in North America, Europe, and Asia. Prior to joining Schneider, Rudolph served for five years as the first appointed Chief of the Cyber and National Security Division at the White House Office of Management and Budget. Rudolph is a two-time winner of the Federal 100 Award and serves as the International Co-Chair of the Information Technology Industry Council (ITI) Cybersecurity Committee.