Cybersecurity of IoT devices: Security by Design – the clock is ticking

10th October 2022
Sheryl Miles

The concept of Security by Design was developed to mitigate risks of cyber-attack. This principle can be applied to many different types of system, including individual sensors or devices, integrated operational technologies, and industrial processes.

It also complements cybersecurity regulatory developments currently in place in different regions globally. However, while it may seem like common sense, the importance of the task and resources needed to attain good security should not be underestimated or left to a point too far down the Secure Design Lifecycle.

The first thing to consider is timing. It is imperative that this is done at the earliest possible point, ideally at the concept stage. If a device is connected to the Internet, it should be expected that it will be attacked and that it is a matter of ‘when’ not ‘if’ that attack will occur.

Many governments and industry institutions provide guidance and information to assist, highlighting the many security considerations. These range from minimising attack surfaces and privileges to a design principle which could be termed ‘security after design’: the provisioning of software updates, particularly when vulnerabilities are found.

One message that is clear across industry is that security issues must be fixed correctly and subsequently tested thoroughly. As standards develop globally, it will follow that adopting a good design principle should satisfy the requirements of individual standards as they are developed and implemented.

Regulatory requirements

Legislation has taken some time to permeate government and industry, but there have been some significant developments of interest. There is fervent cybersecurity activity in countries such as Singapore, Japan, China and Brazil. However, some countries have gone further. In the US, California and Oregon have already introduced cybersecurity legislation for IoT devices.

UK parliamentary legislative activity has now started with the Product Security and Telecommunications Infrastructure Bill. At the time of writing, this is at the report stage in the House of Lords. So, we could see legislation being passed very soon in the UK, which will require products to incorporate good cybersecurity.

Probably the most significant cybersecurity news is that the expected EU Radio Equipment Directive Cyber Security Commission Delegated Regulation (2022/30) was finally published in the Official Journal of the European Union in January and will be mandatory from 1 August 2024. This is particularly significant as it means that the cybersecurity regulatory clock is now ticking, and that designers and manufacturers of connected radio products will have to demonstrate compliance in the relatively short time of two years.

Time is ticking on

This means that manufacturers must take steps now, as the addition of cybersecurity to the portfolio of compliance requirements is a significant step change. This is not simply another radio, EMC or electrical safety requirement, which are the traditional and typical compliance requirements of a radio-connected IoT product and the norm for most manufacturers. It will be a much more complex requirement for manufacturers to incorporate into product design, testing and the compliance process.

However, we have observed that industry is very unprepared and is struggling to understand the complexities of demonstrating cybersecurity health from a compliance perspective. Why is this? Firstly, manufacturers have never done this before, and as it is a very new, untrodden landscape for many of them, the learning curve is steep. Another reason is that there may be several cybersecurity stakeholders for any IoT product design within the supply chain, which need to co-ordinate to provide the necessary compliance evidence.

Another significant concern is that manufacturers who do not possess the skillset to develop their own designs will incorporate third-party hardware or software components into their products. This could present a challenge when seeking to demonstrate compliance, as they would have to rely on the third party to provide evidence, which may not always be forthcoming. This example alone validates the need to implement the principle of Secure by Design, so that when a third-party component is selected during the design lifecycle, its security compliance information can be provided.

If there is one conclusion or message for manufacturers or custodians of a connected IoT device, it is quite simply ‘act now!’. As governments across the globe implement cybersecurity measures, history has shown that transition periods dissipate fast – resulting in manufacturers placing non-compliant products on the market, which will open them up to enforcement action.

Joe Lomako, Business Development Manager (IoT) at TÜV SÜD, a global product testing and certification organisation.

© Copyright 2023 Electronic Specifier