IoT security legislation is starting to snowball.
The Product Security and Telecommunications Infrastructure (PSTI) Act is now in force in the UK, the Cyber Resilience Act (CRA) is coming over the horizon in the EU, and a new wave of voluntary frameworks and legislation is happening globally.
It's about time. IoT devices are a well-known weak link.
Recent research from the Technical University of Denmark, under the theme “digital ghost ships,” found millions of vulnerable IoT devices based on protocols like MQTT, CoAP, XMPP, Modbus, OPC UA, RTPS, DNP3, and BACnet still exposed on the open web. The researchers reckoned their findings were an extremely conservative picture.
Through some basic IPv4 and IPv6 scanning, researchers were able to find countless devices without security management, such as software updates, proper access control, or even encryption mechanisms. Scarily, many of these devices were found in the networks of critical industrial processes in factories, hospitals, and even airports. Our offensive security experience backs this up.
With IoT devices being essential for almost every modern industry, process, or electronic activity, they shouldn’t be insecure by default.
This blog post seeks to change this status.
Taking a Global Look at IoT Security Legislation
Many of the IoT legislation frameworks below are voluntary. However, some, like the PSTI and the upcoming CRA, are mandatory.
All seek to address the known weak points of IoT devices - namely, weak passwords and exploitable vulnerabilities.
Note: This is a list of IoT-specific legislation and frameworks only. There are many more international regulations, like the General Data Protection Regulation (GDPR) and national laws, such as the German IT Security Act 2.0, that touch on IoT security, which are not covered here.
European Union
The Cyber Resilience Act (CRA)
Year enacted/launched: Upcoming. Expected full enforcement by 2027 (some enforcement starting in 2026).
Mandatory: Yes.
Requirements: Security by design, vulnerability management, secure development practices, and user reporting mechanisms.
An upcoming piece of EU legislation aimed at IoT devices, the Cyber Resilience Act (CRA), is due to be fully enforced in 2027 (with some enforcement starting in 2026).
The CRA will mandate that manufacturers incorporate security features during the design and development phase of IoT devices, manage vulnerabilities, adhere to secure development practices, and give users a way to report security issues.
The CRA will apply to all new IoT devices to some degree, as well as older IoT devices that undergo significant changes.
United Kingdom
Product Security and Telecommunications Infrastructure (PSTI) Bill
Year enacted/launched: 2024.
Mandatory: Yes (for consumer-connectable products).
Requirements: Unique passwords, security issue reporting, and security update timelines.
Now being enforced, the Product Security and Telecommunications Infrastructure (PSTI) bill is probably the world’s most stringent legally mandated IoT regulatory framework.
The PSTI requires IoT products to have unique passwords, provide information on how to report security issues to the manufacturer, and inform consumers about their minimum security update timelines.
Failing to comply with the PSTI can expose a manufacturer to hefty fines (£10 million or 4% of an offender's global revenue, whichever is higher).
United States
Cybersecurity Improvement Act of 2020
Year enacted/launched: 2020.
Mandatory: Yes, for federal procurement.
Requirements: IoT devices must meet NIST security standards (NIST SP 800-213).
The Cybersecurity Improvement Act of 2020 mandates that IoT devices sold to the federal government meet minimum security requirements as laid out by the National Institute of Standards and Technology (NIST).
In response to the act, NIST produced the NIST SP 800-213 guides, which set out a list of controls that an IoT device must have before a federal agency can procure it.
California IoT Security Law (SB-327)
Year enacted/launched: 2020.
Mandatory: Yes.
Requirements: Unique passwords and other reasonable security measures for all IoT devices sold in California.
The California IoT Security Law (SB-327) is a California-specific law that requires IoT device manufacturers that sell in California to use unique passwords and take other “reasonable security measures.”
The core focus of SB-327, which applies to all devices sold in California, is to enforce standards around device authentication, a common IoT weak point.
Oregon House Bill 2395
Year enacted/launched: 2020.
Mandatory: Yes (for consumer devices).
Requirements: Similar to California SB-327, with minor language differences.
Passed in 2020, Oregon’s IoT security law (Oregon House Bill 2395) is very similar to the California IoT security law, with some minor language changes around password requirements that make it less stringent. The law also only applies to consumer devices.
Consumer IoT product labelling programme
Year enacted/launched: Upcoming (due “late 2024”).
Mandatory: No.
Features: Federal compliance framework, "US cyber trust mark" for secure IoT products.
This will be a federal, voluntary compliance framework for all kinds of IoT devices.
Similar to the energy efficiency marks that producers put on electronic devices, this federal program will allow compliant manufacturers to label products with a new “US cyber trust mark” to show they are selling secure IoT products.
Initially, the mark will be only for consumer products, although it will likely become a feature of enterprise and government-oriented IoT solutions.
Asia-Pacific
China
Guide to the Construction of Basic Security Standard System for the Internet of Things
Year enacted/launched: To be fully established by 2025.
Mandatory: Yes (for all devices).
Requirements: Many. Over 30 industry standards for IoT devices.
This is a Chinese framework that will, by 2025, promote the formation of a relatively complete IoT basic security standards system with more than 30 industry standards for all IoT devices.
Japan
The IoT Product Security Conformity Assessment Scheme Policy
Year enacted/launched: Scheduled to be enacted by March 2025.
Mandatory: Yes (for government procurement).
Requirements: Security labels, vulnerability reporting and more.
The IoT Product Security Conformity Assessment Scheme Policy is a set of rules and policies around IoT device security controls and vulnerability reporting in Japan that is scheduled to come into force by March 2025.
The policy will establish a series of security labels for consumers, like the US Cyber Trust Mark, and will also become a requirement for Japanese government agencies to procure IoT devices. It will apply to all IoT devices.
Singapore
Internet of Things (IoT) Cyber Security Guide
Year enacted/launched: 2020.
Mandatory: No.
Features: Secure design, data protection, user education, network segmentation, access controls, penetration testing recommendations and more.
This is a voluntary framework from the Infocomm Media Development Authority with principles for secure IoT device design, data protection, and user education.
The framework makes solid security recommendations for how IoT devices should interact with networks, including enabling network segmentation and penetration testing.
Australia
Securing the Internet of Things for Consumers
Year enacted/launched: 2029.
Mandatory: No.
Features: 13 principles, including no duplicate/weak passwords and vulnerability disclosure requirements.
Securing the Internet of Things for Consumers is a voluntary code that provides guidelines for IoT manufacturers selling into the Australian market to improve the security of their devices.
The code works across 13 principles, including no duplicate or weak passwords and vulnerability disclosure requirements.
Global Initiatives
IoT Device Security Specification 1.0
Year enacted/launched: 2024.
Mandatory: No.
Features: Unique identity for each IoT device and no hardcoded default passwords.
IoT Device Security Specification 1.0, launched in 2024, is a new initiative from the global non-profit organisation The Connectivity Standards Alliance.
With collaborators from over 200 companies, including Amazon and Google, this voluntary framework creates a range of requirements, including a unique identity for each IoT device and no hardcoded default passwords.
IoT Legislation Like the PSTI Is Long Overdue
Do you remember when the “Internet of Things” sounded futuristic? Then you're old enough to have seen IoT devices go from exotic tech to commonplace. Estimates vary, but more than 14 billion IoT connections are likely in operation today. By 2035, that number could be almost three times that.
Security has not kept pace. In the past decade, we’ve seen incredible hacks involving fish tanks used to hack casinos, moving vehicles shut down mid-ride by white hat hackers, and even teddy bear data breaches.
These are the headlines, but thousands more successful industrial IoT/OT attacks each year never make the news. There has been a 400% increase in IoT malware attacks in the past year alone, most aimed at manufacturers.
The bottom line is that IoT devices are highly vulnerable.
IoT Device Penetration Testing
One of the fundamental principles of IoT security, and a feature of all frameworks and laws, is discovering and remediating exploitable vulnerabilities before cybercriminals do.
Testing is the only way to ensure the security of a consumer or business IoT device, whether installed in a car or a CT scanner.
SECFORCE has a dedicated IoT security testing team. Our team has the skill set to reverse engineer your IoT device’s binary and attack it just as real-world attackers would.
For over a decade, SECFORCE has helped IoT/OT device manufacturers meet industry and regulators' standards.
Contact us to discuss testing your IoT devices.