Although regulators seem to think all too often that cybersecurity is an afterthought for internet-connected device manufacturers, the National Institute of Standards and Technology (NIST) recognizes that as the Internet of Things (IoT) grows, so do cybersecurity risks. In March 2021, NIST published several key takeaways from a recent workshop that provide helpful guidance for IoT manufacturers so that they can be more proactive in securing IoT devices.
EU Blockchain Observatory and Forum explores the convergence of blockchain, AI, and the IoT
The European Union Blockchain Observatory and Forum, on 21 April, published a report examining how blockchain can be combined with two other important emerging technologies – the Internet of Things (IoT) and artificial intelligence (AI) – to complement each other and build new kinds of platforms, products, and services.
The report first looks at the interplay of blockchain with the IoT, addressing how blockchain can aid its functioning by providing a decentralised platform to the otherwise centralised approach of the IoT. This centralisation poses a number of challenges while monitoring, controlling, and facilitating communication between the millions of heterogeneous devices. The report highlights how blockchain can provide a more robust, more scalable, and more direct platform to overcome these challenges.
The report similarly delves into the potential relationship between blockchain and AI. It explains some concerns surrounding AI, such as how it is currently concentrated in the hands of a few large companies due to the high cost of gathering, storing, and processing large amounts of data, as well as of engaging AI experts. It then illustrates how blockchain can mitigate such concerns so that access to AI models is more readily available to individuals and small companies.
UK government consultation on the Internet of Things
The UK government has recently published an invitation to take part in its consultation on proposals for the regulation of the Internet of Things (IoT).
The consultation, to be run by the Department for Digital, Culture, Media and Sport, seeks input into future regulation aimed at improving IoT security. This invitation follows the recent publication …
UK government releases IoT security code of practice
The UK government has launched a Code of Practice (CoP) for Internet of Things (IoT) security. It is aimed at improving baseline security, ensuring that devices that process personal data are General Data Protection Regulation (GDPR) compliant, and advancing an industry-wide ‘security by design’ approach.
The CoP provides outcome-focused practical steps for IoT manufacturers and industry stakeholders to improve the security of their products. To achieve this, it has specifically identified thirteen guidelines that it considers essential to the safeguarding of IoT devices:
- No default passwords – all IoT device passwords should be unique and not resettable to a universal factory default value.
- Implement a vulnerability disclosure policy – companies that provide IoT devices and services are to provide a public point of contact as part of a vulnerability disclosure policy, to enable issues to be reported. A disclosed vulnerability should be acted on in a “timely manner”.
- Keep software updated – updates should be timely, should not impact the functioning of the device, and the need for them should be made clear to consumers.
- Securely store credentials and security-sensitive data – credentials must be stored securely within services and on devices. Hard-coded credentials in device software are not acceptable.
- Communicate securely – security-sensitive data should be encrypted and all keys managed securely.
- Minimise exposed attack surfaces – devices and services should operate on the principle of “least privilege”.
- Ensure software integrity – software should be verified using secure boot mechanisms.
- Ensure that personal data is protected – personal data should be protected in accordance with the GDPR and Data Protection Act 2018.
- Make systems resilient to outages – resilience should be built into IoT devices.
- Monitor system telemetry data – telemetry data should be monitored for security anomalies.
- Make devices easy for consumers to delete personal data – devices should be configured so that an individual can easily delete their personal data from them.
- Make installation and maintenance for devices easy – this should employ minimal steps and should follow security best practice. Consumers should be given guidance on how to set up their device securely.
- Validate input data – data input via user interfaces and transferred via application programming interfaces (APIs) or between networks in services and devices must be validated.
California pursues IoT data security regulations with new legislation
California enacted Internet of Things (IoT) legislation intended to help protect consumer privacy and safety from potential hacking of connected devices. Under the state legislation that may apply to any connected devices sold in California, manufacturers of connected devices are required to equip the devices with security options suitable to the nature of the device…
DHS and DOC Report on Botnets and IoT Security Recommends Increased Collaboration between Stakeholders in Private Industry and Government
On Jan. 5, 2018, the Department of Homeland Security (DHS) and the Department of Commerce (DOC) released their joint draft report on “Enhancing the Resilience of the Internet and Communications Ecosystem against Botnets and Other Automated, Distributed Threats” for public comment. The report provides a series of recommendations for addressing the threats presented by botnets as well as improving security for Internet-connected devices or the Internet of Things (IoT).
Chief among these was a call to “build coalitions between the security, infrastructure, and operational technology communities domestically and around the world.” The report called upon a wide array of stakeholders spanning different industries and both the public and private sectors. Key stakeholders mentioned in the report, along with corresponding recommendations, encompassed the following:
- IoT Product Industry. The report calls for private sector organizations, such as IoT product developers, to take significant steps towards improving security. These include establishing standards for assessing and labeling IoT device security, which would allow consumers to make informed choices and would offer assurance for the use of IoT products in critical infrastructure. The report also recommends providing better interfaces in IoT products for user administration.
“Sharing Economy” Report Issued by FTC for Internet-Based Services
The FTC released a 100-page staff report this past November that assesses evolving business models relying on internet and app-based “sharing economy” platforms, such as those providing peer-to-peer services, and their effects on more traditional industries.
Ofcom Releases Statement on Spectrum for the ‘Internet of Things’
Last year, we reported on Ofcom’s Statement on ‘Promoting investment and innovation in the Internet of Things (IoT)’ (Statement). IoT refers to the exponentially growing network of products that are capable of communicating with each other, such as smart watches and smart thermostats. The Statement identified four priority areas to support the growth of IoT…
A Checklist for In-House Counsel: Cyber Security for Medical Devices
Medical device companies and manufacturers of other connected devices need to be attentive to the ever-increasing risk of a cybersecurity breach affecting their own devices and the hospitals and other health care organizations where their devices are connected. Taking these challenges into consideration, the FDA has issued several guidance documents concerning cybersecurity for medical devices. …