Regulation of the Internet of Things (IoT) has always been a contentious subject. Those against claim it stymies growth of a nascent industry, while those advocating for it argue it sees the adoption of industry best practices and helps establish standards.
In an effort to straddle the divide, the Department for Digital, Culture, Media and Sport (DCMS) launched its Code of Practice back in 2018. Enshrined in this were 13 “Secure by Design” principles aimed at helping manufacturers put in place security controls and offer a base level of customer care. The Code of Practice was voluntary and without any repercussions, so therefore toothless, which is why many believe its adoption was lackluster.
Yet a lot has happened since 2018. The EU, via ETSI, introduced EN303 645, the first globally-applicable industry standard on internet-connected consumer devices in 2020 based on the Code of Practice. This sees manufacturers or an appointed third party provide documentation on the device under test (DUT), an Implementation Conformance Statement (ICS) and Implementation Extra Information for Testing (IXIT).
The DUT is then assessed under ETSI TS 103 701 guidelines which detail the tests and methodology to be used for assessing devices against EN303 645. This took us that much closer to a real de facto standard for the IoT.
A line in the sand
Later the same year, the UK government admitted that “too many insecure consumer connected products remain on the market and we need to take steps”. A consultation followed, leading to the draft of the Product Security and Telecommunications Infrastructure (PSTI) Bill, which focuses on IoT security, 5G and broadband.
The PSTI takes only the top three guidelines from the Code of Practice which are also in EN303 645: a ban on universal default passwords, the means to manage vulnerability reporting and a minimum duration for security updates. These are the practices which are regarded as presenting the biggest risks to IoT security, but this narrow focus has also seen a barrage of criticism levied at the legislation. Yet, realistically, these requirements were only ever meant to draw a line in the sand. The idea is to start with these controls before introducing other requirements further down the line, such as data protection, securely designed software/hardware, privacy, resilience, and user support.
Formerly announced in the Queen’s Speech in May, the PSTI is expected to be passed in to law in 2023 when it will come into force across the whole of the UK. However, many of those who took part in the consultation think it will take them up to two years to become fully compliant. That view was echoed in a report by the Internet of Things Security Foundation, which found 79 percent of firms are expected to fail anticipated regulations.
Assurance as a trailblazer
While the government was happy to put its weight behind the PSTI, it stopped short of mandating product assurance. For now, it will remain voluntary, although the law does include provision to mandate at a later stage. But it’s this assurance that is now leading the way. The DCMS helped fund the roll out of assurance schemes leading to IASME launching its IoT Security Assured Scheme in 2021. It enables manufacturers to kitemark their products to demonstrate they’ve achieved a certain level of security.
The IASME scheme aligns with ETSI’s EN 303 645, the PSTI, and is also mapped to the IoTSF Security Compliance Framework. It features three levels of security: the Basic level essentially requires compliance with the PSTI/top three requirements of the ETSI standard, the Silver level compliance with ETSI mandatory requirements and data protection provisions, and the Gold level the ETSI mandatory requirements as well as all additional ETSI recommended requirements and data protection provisions. Those manufacturers meeting the criteria will be able to display the relevant badge on their IoT device.
Given the poor adoption of the Code of Practice, IASME wanted to ensure the barriers to entry were minimal, so the scheme aims to be affordable, desirable and achievable. It requires the applicant to work through eight categories of questions about the security controls in place on the connected device and any associated services. These cover issues including passwords and credentials, vulnerabilities and anomalies, software, secure configuration, communications, and usage of data.
A board member from the applying organization must then declare the claims are true before submitting the application via a portal for review by an approved assessor. This must all be done within six months. As the process is self-led up until this point, the assessor plays a crucial role in providing feedback from the user perspective and in helping the manufacturer to meet the necessary criteria to reach the desired level of certification. If all criteria are met and the assessor approves the application, accreditation can be awarded in as little as 24 hours.
The market’s response
Interestingly, all those we have seen apply for the scheme have chosen to go for Gold because they want to be seen to be adhering to the highest levels and it’s been attracting some big international consumer brands. The smaller players that previously had difficulty understanding and navigating the red tape involved in the Code of Practice/ETSI have also valued the guidance and human touch of an assessor.
The theory is that the product assurance scheme will spur compliance ahead of the PSTI, making the transition that much easier for the IoT industry, and the fact that many have aimed high suggests the approach is working. Manufacturers like the visibility conferred by the badge, which then becomes a differentiator in the marketplace, as well as ensuring future compliance. It’s for these reasons that many watching the assurance rollout with interest.
IoT kitemark schemes vary internationally, from labels that denote compliance with a set of cybersecurity criteria, to a single label that attests basic security features are provided, to several tiers or even a label that lists cybersecurity information about the IoT device (much like the ingredients list you see on food items).
Assurance in the US
In the US, NIST was tasked with identifying and recommending key elements that should be adopted in a similar assurance program by President Biden’s Executive Order for “Improving the Nation’s Cybersecurity” in 2021. After reviewing IoT kitemark schemes, it published its Criteria for Cybersecurity Labeling for Consumer IoT in February of this year based upon NISTIR 8259, a set of documents that baseline cybersecurity capabilities for IoT devices from an analysis of international standards and guidance.
Like the DCMS, NIST has advocated a declaration of conformity, third-party testing/inspection and third-party certification. It differs, however, in that its recommendations are “outcome based”, no single conformity assessment will be adopted, and a single binary label has been suggested to act as a “seal of approval”. This will show a baseline standard has been reached, with additional information then possibly made available online via a scannable or accessible link or QR code (for instance). Baseline criteria will focus on asset identification, product configuration, data protection, interface access control, software updates, cybersecurity state awareness, documentation, information and query reception, information dissemination, and product education and awareness.
NIST will not oversee the program and a “scheme owner”, responsible for implementing and marketing the scheme, has yet to be appointed. This owner may well decide to tailor the outcomes and/or supporting evidence for different products or choose to introduce tiers. The suggestion is for these tiers to be risk-based so that devices that represent a higher risk either to the user or the environment within which they are deployed or which need to be assessed differently, would be required to meet a higher standard.
NIST also makes the point that as such a program will not be operating in isolation, the owner may well want to align the program with other international IoT standards and kitemark schemes. Such “harmonization” is desirable as it avoids the risk of fragmentation which could prove challenging for the industry. Harmonization is widely adopted among consumer standards such as CE and its post-Brexit equivalent, UKCA, and ensures a manufacturer only needs to meet the criteria and undergo conformity testing once rather than for every market.
It will be interesting to see how successful these kitemarks prove to be in encouraging the adoption of industry best practice. But judging by the response to the IASME scheme, uptake could well prove extremely positive. Both schemes have actively sought to make the certification process desirable and achievable, with NIST looking to foster innovation, avoid it being burdensome, and by making it usable and relevant to a diverse base of products and use cases. But its recommendations are wide ranging, and it stops short of devising an actual workable process. The scheme has yet to be rolled out and subjected to the rigors of the real world and, unlike the IASME scheme, it isn’t a precursor to formal regulation.
So, what will a more formalized, regulated future look like for the IoT? The industry has previously been compared to the Wild West in that there was a great deal of market freedom but also a degree of lawlessness and easily resolved vulnerabilities. The PSTI will effectively be the new sheriff in town, laying down the law, albeit across only three design principles.
It remains to be seen how these will be enforced, and by whom, but the fact that manufacturers will be compelled to comply could radically change the industry. Once a manufacturer has had to observe a set of principles in one market, and put the necessary controls in place, it makes sense use them in other markets. Which means these kitemark schemes and consumer purchase power really could be enough to kickstart more effective IoT security.