New security regulations for IoT


More and more devices are connected to the Internet, not only in the private sector but also in industry. This makes production more efficient and increasingly automated, which saves costs and labor. The Internet of Things (IoT) is therefore spreading rapidly, and the number of connected devices is increasing significantly.

But with the growing reliance on IoT devices, the need for strong cyber security measures has become even more urgent. Legislators have recognized this. To protect the important data stored on these devices, governments around the world have introduced regulations to improve the standard security of IoT devices. What do you have to pay attention to? A look at the regulations helps.

IoT regulations in the EU and US

In the United States, the IoT Cybersecurity Improvement Act was passed in 2020 and the National Institute of Standards and Technology (NIST) was tasked with creating a standard for IoT devices. In May 2021, the Biden administration issued an executive order to improve national IT security. Then, in October 2022, the White House released a pamphlet introducing a label for IoT devices, starting with routers and home cameras, to indicate their security level and make it visible at a glance.

In the European Union, the European Parliament introduced the Cybersecurity Act and the Cyber Resilience Act, which impose several requirements on manufacturers before a product can be CE marked and placed on the European market. This includes stages of assessment and reporting, as well as dealing with cyber attacks or vulnerabilities throughout the product lifecycle. The General Data Protection Regulation (GDPR) also applies to companies operating in the EU and obliges them to implement appropriate technical and organizational measures to protect personal data.

Key elements

In order to comply with the regulations, manufacturers must implement the following key elements:

  • Software updates: Manufacturers must offer the possibility of firmware updates and guarantee the validity and integrity of the updates, especially security patches.
  • Protection of data: The regulations follow the concept of "data minimization", i.e. only the necessary data is collected, with the consent of the user, and sensitive data is stored securely and encrypted.
  • Risk assessment: Developers must conduct risk management during the design and development phase and throughout the product lifecycle, including analyzing CVEs (Common Vulnerabilities and Exposures) and releasing patches for new vulnerabilities.
  • Device configuration: Devices must be released with a default security configuration that removes dangerous components, closes interfaces when not in use, and minimizes the attack surface for processes through the "principle of least privilege".
  • Authentication and authorization: Services and communications must require authentication and authorization, with protection against brute-force login attacks and a password complexity policy.
  • Secured communication: Communications between IoT assets must be authenticated, encrypted, and use secure protocols and ports.

However, compliance with these regulations can be challenging due to their complexity. To simplify the process, various certifications and standards such as UL MCV 1376, ETSI EN 303 645, ISO 27402 and NIST.IR 8259 have been introduced to break down the regulations into practical steps.

Companies that want to protect their IoT devices against imminent threats should therefore use solutions that secure their devices with minimal effort and include a risk assessment service that can be embedded in an IoT device. In this way, a device can be protected against IT threats over its entire lifetime. In the best case, the solution should require minimal resources and be able to be integrated into a product without having to change the code. In this way, IoT devices can operate safely and companies can take full advantage of them.

More at Checkpoint.com

 


About Check Point

Check Point Software Technologies GmbH (www.checkpoint.com/de) is a leading provider of cybersecurity solutions for public administrations and companies worldwide. The solutions protect customers from cyberattacks with an industry-leading detection rate for malware, ransomware and other types of attacks. Check Point offers a multi-level security architecture that protects company information in cloud environments, networks and on mobile devices, as well as the most comprehensive and intuitive "one point of control" security management system. Check Point protects over 100,000 businesses of all sizes.


 
