Blogs
29 April 2024
Reading Time: 4 mins
Blogs
29 April 2024
Reading Time: 4 mins
Eseye
IoT Hardware and Connectivity Specialists
LinkedInWhether intended for consumer or business use, IoT devices need to be mass produced, easy to set up, and able to work in a wide variety of environments and configurations. As a result, cybersecurity in IoT is often seen as a compromise in terms of cost, productivity, or convenience – a compromise not many manufacturers or enterprises are willing to take.
But while this has been the status quo for the early years of IoT adoption, regulators are catching on and new legislation coming into force in 2024 will force participants in the IoT ecosystem to take security seriously.
According to the IoT Security Foundation’s (IoTSF’s) “State of Vulnerability Disclosure Policy (VDP) Usage in Global Consumer IoT in 2023” report released in November 2023 and the sixth in a series, over 76% of device manufacturers do not have a vulnerability disclosure policy. In fact, of the 121 new device manufacturers added to the 2023 cohort, over 95% do not have such a policy.
Another recent survey, from Viakoo, found that 50% of companies have experienced an IoT cyber incident in the last 12 months, of which 44% were serious, and 22% threatened business operations.
The message coming through loud and clear is that not enough is being done by manufacturers or those companies deploying IoT projects with regards to security – an attitude the world’s regulators are no longer tolerating.
What is the Product Security and Telecommunications Infrastructure (PSTI) Act?
The Product Security and Telecommunications Infrastructure (PSTI) Act, introduced in 2022, is a pivotal legislative framework designed to address the evolving landscape of digital security in IoT ecosystems in the UK. It comes into power April 29, 2024 and covers two important parts of legislation:
Make no mistake, although there are references to ‘consumer IoT products’, all businesses in the IoT supply chain must ensure they are equipped to tackle potential security vulnerabilities and threats, and make certain their products meet the PSTI requirements.
What are the three requirements that make an IoT product compliant?
Connected devices and IoT products must adhere to three security requirements:
More information about each of these can be found on the Gov.UK website.
Together the PSTI Act and PSTI Regulations work together to ensure that consumer-connectable products are more secure against cyber-attacks, protecting privacy and security.
What actions can be taken against companies failing to comply?
The Government’s Office for Product Safety and Standards (OPSS) enforces the UK’s product safety regulations and aims to protect consumers and businesses alike from product-related harm. OPSS is authorized to take “appropriate and proportionate measures” against those that fail to comply with the PSTI Act 2022 and PSTI Regulations 2023.
Why is it important to embed security requirements into consumer IoT products?
Embedding security requirements into consumer IoT products is essential for protecting user privacy, ensuring data integrity, preventing unauthorized access, and maintaining consumer trust in an increasingly interconnected and vulnerable digital landscape.
In both consumer and business environments, this vast web of unsecured cloud-connected IoT and M2M devices significantly increases the risk surface of any organization, because unsecured devices all serve as jumping-off points for hackers, state-sponsored terrorists, and other threat actors to get access to much more sensitive parts of your infrastructure.
The security of IoT products is crucial for ten reasons:
1. Privacy protection
Consumer IoT devices often collect and transmit sensitive personal information. Embedding security measures helps safeguard this data from unauthorized access, protecting user privacy.
2. Data integrity
Security requirements ensure the integrity of the data generated and transmitted by IoT devices. Tampering or unauthorized modifications can be prevented, maintaining the reliability of the information collected.
3. Prevention of unauthorized access
Many IoT devices, such as smart home devices or wearables, are interconnected, creating a potential attack path. Security measures prevent unauthorized access, reducing the risk of unauthorized control or manipulation of devices.
4. Protection against cyberattacks
IoT devices are attractive targets for cybercriminals. Embedding security features helps protect against various cyber threats, including malware, ransomware, and distributed denial-of-service (DDoS) attacks, which could disrupt device functionality or compromise user data.
5. Safety concerns
Some IoT devices, such as those used in healthcare or smart home security systems, may have direct implications for user safety. Ensuring the security of these devices is essential to prevent potential physical harm or unauthorized control. A compromised connected light bulb is a very different threat to an IoT-enabled insulin pump.
6. Consumer trust and confidence
Security breaches can lead to a loss of consumer trust. By embedding robust security measures, manufacturers demonstrate a commitment to protecting their customers, which enhances brand reputation and consumer confidence.
7. Legal and regulatory compliance
Many regions have introduced regulations and standards related to IoT security. Complying with these requirements not only helps avoid legal consequences but also ensures that products meet industry standards for security. In the EU, the Cyber Resilience Act (CRA) is progressing into its final stages, and various cyber security frameworks in the US, such as National Institute of Standards and Technology (NIST), already recommend or mandate various security policies.
8. Long-term viability
As IoT devices become more integrated into daily life, the longevity and success of these products depend on their ability to withstand evolving cybersecurity threats. Embedding security requirements helps future-proof products and ensures ongoing protection.
9. Network security
IoT devices are often connected to networks, and vulnerabilities in one device can potentially compromise the entire network. Implementing security measures in IoT products contributes to overall network security and prevents the spread of threats.
10. Reducing the attack surface
By integrating security features from the design stage, manufacturers can minimize the potential attack surface of the IoT devices. This involves reducing vulnerabilities and making it more challenging for malicious actors to exploit weaknesses.
Find out how to build cyber security resilience into your IoT products and comply with the PSTI Act and Regulations.
Download whitepaperEseye
IoT Hardware and Connectivity Specialists
LinkedInEseye brings decades of end-to-end expertise to integrate and optimise IoT connectivity delivering near 100% uptime. From idea to implementation and beyond, we deliver lasting value from IoT. Nobody does IoT better.
Let our experts test your device for free. Receive a free SIM kit and speed up your IoT deployment with expert insights and seamless connectivity.