Stay Ahead of the Game: Preparing for the Upcoming IoT Cybersecurity Regulations

The Internet of Things (IoT) is rapidly expanding, and the number of connected devices is increasing at an unprecedented rate. Globally, the IoT market is expected to grow 18 percent in 2023, reaching more than 14.4 billion active connections. As per a report from Frost and Sullivan, the Indian IoT market is expected to reach US$9.28 billion by 2025 from US$4.98 billion in 2020.

With the growing reliance on IoT devices, the need for strong cybersecurity measures has become more pressing. To protect personal information stored on these devices, governments around the world have introduced regulations aimed at improving the standard security of IoT devices.

IoT Cybersecurity Regulations in the US, EU and India

In the United States, the IoT Cybersecurity Improvement Act was passed in 2020, and the National Institute of Standards and Technology (NIST) was tasked with creating a cybersecurity standard for IoT devices. In May 2021, the Biden administration released an Executive Order to improve national cybersecurity, and in October 2022, the White House released a Fact Sheet to implement a label for IoT devices, starting with routers and home cameras, to indicate their level of cybersecurity.

In the European Union, the European Parliament has introduced the Cybersecurity Act and the Cyber Resilience Act, which impose several requirements for manufacturers to meet before a product can receive the CE marking and be placed on the European market. This includes stages of assessment and reporting and managing cyber-attacks or vulnerabilities throughout the product lifecycle. The General Data Protection Regulation (GDPR) also applies to companies operating within the EU and requires them to implement appropriate technical and organizational measures to protect personal data.

In India, The Ministry of Electronics and Information Technology (MeitY) has released guidelines on cybersecurity for IoT devices, which outline the minimum requirements for IoT device manufacturers, such as mandatory device registration, data protection measures, and software updates .Additionally, the Indian Computer Emergency Response Team (CERT-In) has been established to provide proactive and reactive cybersecurity services and to support the Indian government in securing the country’s cyberspace. The CERT-In has also released guidelines on the security of IoT devices and has been actively monitoring and responding to IoT-related security incidents.

Key Elements of IoT Security Regulations

To comply with the regulations, manufacturers must implement the following key elements:

1. Software Updates: Manufacturers must provide the option for firmware updates and ensure the validity and integrity of updates, particularly for security patches.

2. Data Protection: Regulations follow the concept of “minimization of data”, collecting only necessary data with user consent and securely handling and storing sensitive data in an encrypted manner.

3. Risk Assessment: Developers must follow a risk management process during the design and development phase and throughout the product’s life cycle, including analyzing Common Vulnerabilities and Exposures (CVEs) and releasing patches for new vulnerabilities.

4. Device Configuration: Devices must be released with a security-by-default configuration and have dangerous components removed, interfaces closed when not in use, and a minimized attack surface through the “principle of least privilege” for processes.

5. Authentication and Authorization: Services and communication must require authentication and authorization, with protection against brute force login attacks and a password complexity policy.

6. Secured Communication: Communication between IoT assets must be authenticated and encrypted, using secured protocols and ports.

Navigating Regulations with Check Point Quantum IoT Protect

However, complying with these regulations can be a challenge due to their complexity. To make the process easier, various certifications and standards such as UL MCV 1376, ETSI EN 303 645, ISO 27402, and NIST.IR 8259 have been introduced to break down the regulations into practical steps.

Check Point has introduced Quantum IoT Embedded to help manufacturers secure their devices with minimal effort. The solution includes a risk assessment service and a Nano Agent® that can be embedded into an IoT device to provide on-device runtime protection against cyberattacks. The Nano Agent® is a standalone solution that can be added to a product without intrusive code change and requires only minimal resources.