IoT Legislation: Is this hinting IoT prediction heady again?
While IoT devices and technology were all you heard about for a while, the buzz has dimmed. According to Google Trends, interest in IoT peaked toward the end of 2016. Interest has ebbed and flowed since then, while slowly regressing toward pre-2016 levels. Also, in 2017 analysts were predicting that the IoT market would be worth $457 billion by 2020, sources from 2018 forecast the market reaching only $318 billion by 2023. One of the reasons for this slowdown is IoT security which remains a persistent challenge for IoT devices and technology.
It’s relatively easy to deploy an IoT device; it is much harder to secure it and the data it sends and receives. Indeed, examples of poorly secured IoT devices proliferate. Compared with PCs and smartphones, IoT devices and software have a long way to go to reach a reliable level of security.
Fortunately, Legislation on IoT is finally coming and we may see IoT becoming more trustworthy. Over the years, several bills have been proposed, but significant legislation aimed at IoT has failed to pass. However, with the recent success of security in industry information technology (IT) networks for DoD contractors, there is a template for legislators to follow.
The bill would accomplish four things. First, it clarifies the role of NIST as the lead organization to set IoT standards, rather than leaving each respective agency to set its own. Second, it requires vendors selling IoT devices to the federal government to self-report cybersecurity issues. Third, it requires federal agencies to procure IoT devices using NIST standards. Finally, it requires NIST to report and update IoT standards.
NIST also released draft security feature recommendations for IoT devices. The Core Baseline provides a list of six recommended security features that manufacturers can build into IoT devices, and that consumers can look for on a device’s box or online description while shopping.
Some of the recently announced and existing IoT security standards/guidelines –
Security Evaluation Standard for IoT Platforms (SESIP): The SESIP defines a standard for trustworthy assessment of the security of the IoT platforms, such that this can be re-used in fulfilling the requirements of various commercial product domains.
Global Cyber Alliance (GCA): The Global Cyber Alliance (GCA) recently launched a cybersecurity development platform for IoT products, called the Automated IoT Defence Ecosystem (AIDE), which allows small businesses, manufacturers, service providers and individuals to detect vulnerabilities, reduces risks and secure IoT devices.
FIDO Alliance: The group sets security standards for online authentication, and recently, announced that it’s expanding to develop security standards for IoT devices. The FIDO Alliance aims to provide a comprehensive authentication framework for IoT devices and has formed the IoT Technical Working Group (IoT TWG).
Open Connectivity Foundation (OCF): The OCF Security Framework provides various strength levels of device-to-device authentication methods to ensure that IoT nodes only communicate with authorized entities.
Cloud Security Alliance (CSA): The Guide to the IoT Security Controls Framework provides instructions for using the companion CSA IoT Security Controls Framework spreadsheet.
IETF – RFC 8576: RFC 8576 provides a detailed summary of all the IETF efforts towards making the Internet of Things more secure.
ETSI TS 103 645: A standard for cybersecurity in the Internet of Things, to establish a security baseline for internet-connected consumer products and provide a basis for future IoT certification schemes.
GSMA IoT Security Guidelines: The GSMA IoT Security Guidelines provide best practice for the secure design, addressing typical cybersecurity and data privacy issues associated with IoT services, a step-by-step process to securely launch IoT solutions to market and keep them secure throughout their lifecycles.