How to adapt to the new landscape of IoT cybersecurity regulations

by time news

The Internet of Things (IoT) is expanding rapidly, and the number of connected devices is growing at an unprecedented rate. That growth, together with our increasing dependence on these devices, makes changes in the field of cybersecurity urgently necessary.

As the Check Point® Software Technologies Ltd. (NASDAQ: CHKP) reports show, only 11% of Spanish SMEs currently have a complete IoT security solution, leaving 52% completely unprotected with no solution deployed. These figures are directly reflected in the increase in attacks received during 2002, with 67% of these companies experiencing cybersecurity-related incidents.

In order to protect the personal information stored on these connected devices, governments around the world have begun to introduce regulations aimed at improving their security standards.

In the United States, the IoT Cybersecurity Improvement Act was passed in 2020, and the National Institute of Standards and Technology (NIST) was tasked with creating a cybersecurity standard for this area. In May 2021, the Biden administration released an Executive Order to improve national cybersecurity, and in October 2022, the White House released a fact sheet to implement a label for IoT devices, beginning with routers and home cameras, to indicate their cybersecurity level.

For its part, in the European Union the European Parliament has introduced the Cybersecurity Act and the Cyber Resilience Act, which impose various requirements that manufacturers must meet before a product can receive the CE marking and be placed on the European market. These include assessment stages and the reporting and management of cyberattacks or vulnerabilities throughout the product lifecycle. In addition, the General Data Protection Regulation (GDPR) also applies to companies operating within the EU, requiring the implementation of appropriate technical and organizational measures for the protection of personal data.

To comply with these new regulations and security standards, Check Point Software outlines six key elements that IoT device manufacturers will need to start implementing:

  • Software updates: manufacturers must provide the option of firmware updates and ensure their validity and integrity, especially for security patches.
  • Data protection: the regulations follow the concept of “data minimization”, collecting only what is necessary with the consent of the user, and handling and storing sensitive data safely in encrypted form.
  • Risk assessment: developers must follow a risk management process during the design and development phase and throughout the product lifecycle, including scanning for Common Vulnerabilities and Exposures (CVEs) and issuing patches for new vulnerabilities.
  • Device configuration: devices should ship hardened with secure default settings, with dangerous components removed, interfaces closed when not in use, and the attack surface minimized by applying the “principle of least privilege” to processes.
  • Authentication and authorization: services and communication must require authentication and authorization, with protection against brute-force login attacks and a password complexity policy.
  • Secure communication: communication between IoT assets must be authenticated and encrypted, using secure protocols and ports.

However, complying with these regulations can be challenging because of their complexity. To facilitate the process, several certifications and standards, such as UL MCV 1376, ETSI EN 303 645, ISO 27402 and NISTIR 8259, have been introduced to break the regulations down into practical steps.
