Security Regulations and Standards  

A Quick Guide to IoT Security Regulations and Standards  

Establishing IoT security regulations and standards is a global issue

With the arrival of the IoT era, the number of IoT devices that contain sensitive and private information has soared. The security vulnerabilities and the threat of large-scale cyberattacks are growing exponentially. Without the protection of comprehensive laws to regulate IoT devices, we all risk the theft of our private information.  

In response, some nations have started to create regulations and standards. Notable examples include the United States, where the states of California and Oregon now require “reasonable security features” in IoT devices, and the United Kingdom, which has created a Code of Practice with 13 guidelines aimed at protecting consumer privacy and safety.

As security attracts more attention, many market segments in the security field are growing, and IoT security is now one of the hottest topics around the world. As a result, many of the regulations and rules listed here are centered on it. This page is intended for those currently engaged in the security business who would like a better understanding of IoT security.

We provide here a guide to the current rules around the world for your reference. Because the IoT market is global, it is necessary to understand the full range of potentially applicable laws and standards: not only the IoT-specific legal requirements of various nations and industry sectors, but also the security standards recommended for the target sectors.

US – FIPS Security Levels

The Federal Information Processing Standards (FIPS) are developed by the National Institute of Standards and Technology (NIST) and implemented by the US government to regulate information technology and computer security. The FIPS 140 series specifies the requirements for cryptographic modules that all government technologies must comply with in order to protect valuable data. Currently FIPS 140-2 is in use, while the new FIPS 140-3 will soon be implemented. FIPS 140-2 defines the following four security levels:

Level 1

The lowest level of security, meeting the basic requirements for a cryptographic module. No specific physical security mechanisms are required beyond the use of production-grade components.

Level 2

Level 2 adds to the physical security of a Level 1 cryptographic module by requiring tamper-evident coatings or seals that must be broken to gain physical access to the module. In addition, Level 2 requires role-based authentication of operators before they can perform services.

Level 3

Level 3 builds on the tamper-evident physical mechanisms of Level 2 and requires mechanisms that detect and respond to attempts at intrusion. These can include strong enclosures or tamper detection/response circuitry that zeroizes all plaintext CSPs (critical security parameters) when an attack is detected. Unlike Level 2, Level 3 requires identity-based authentication.

Level 4

The highest level of security. In addition to the requirements of the previous levels, Level 4 provides a complete envelope of physical protection around the cryptographic module. Level 4 detects and responds to all unauthorized attempts at intrusion, immediately zeroizing all plaintext CSPs. Level 4 also protects the module against environmental conditions such as fluctuating voltage or temperatures outside the normal operating range.

Security Levels 1 and 2 suit regular IC chips and the basic infrastructure required of edge devices, while Levels 3 and 4 are recommended for preventative protection of servers and systems.

>>See more at:

FIPS 140-2 Security requirements for cryptographic

FIPS 140-3 Security requirements for cryptographic

FIPS 140-3 development

Global - Common Criteria (ISO/IEC 15408) 

Common Criteria (CC) is a standard for the verification of security products developed by the United States, the United Kingdom, Germany, France and Canada. It became an ISO international standard (ISO/IEC 15408) in August 1999 and is recognized globally as the highest level of certification for IT product security, with validation performed by third-party laboratories.

This standard for information security evaluation specifies security functional requirements (SFRs) and security assurance requirements (SARs). Version 3.1 release 5 is published in three main parts: 1. Introduction and general model, 2. SFRs and 3. SARs. As security becomes increasingly important, more companies and governments in Europe use CC-certified products.

Target of Evaluation (TOE) 

TOE is defined as a set of software, firmware and/or hardware possibly accompanied by guidance. 

Security Target (ST)

An implementation-dependent statement of security needs for a specifically identified TOE, together with a set of security requirements and specifications used as the basis for the evaluation of that TOE.

Evaluation Assurance Level (EAL) 

In CC there are seven evaluation assurance levels, which define how a product is to be evaluated. The higher the EAL, the deeper the evaluation goes: a higher EAL means the evaluation satisfied a more stringent set of quality assurance requirements. For U.S. evaluations, experts from the NSA participate in the analysis only at EAL 5 and higher, and full source-code analysis is required only at EAL 7.

>> See more at CC Portal and CISA

EU - Cybersecurity Act 2019

Since 2016, the EU Network and Information Security Directive (known as the NIS Directive) has been devoted to improving EU cyber-resilience, deterrence and defense. On 27 June 2019, the Cybersecurity Act was published and came into force. In essence, the Cybersecurity Act:

  • Strengthens the European Union Agency for Cybersecurity (ENISA) by granting the agency a permanent mandate, reinforcing its financial and human resources and enhancing its role in supporting the EU to achieve a common standard for high-level cybersecurity. 

  • Establishes the first EU-wide cybersecurity certification framework to ensure a common cybersecurity certification approach in the European market and ultimately improve cybersecurity in a broad range of digital products (e.g. IoT) and services.

ENISA’s role has mainly been to provide expertise and advice rather than dealing operationally with cybersecurity. Until now this has been largely the competence of the Member States.  

ENISA also plays a key role in information and communication technologies (ICT) security certification for increasing trust and security in products and services that are crucial for the smooth functioning of the digital single market in the light of the increasing growth of the internet of things and connected devices.  

Although a number of different security certification schemes exist for ICT products, some are valid only within their own nations, and ENISA has identified that multiple certification initiatives lead to fragmentation of the single market.

>> See more at EU Cyberact Org and Briefing on ENISA and a new Cybersecurity act 

US - NISTIR 8259 (2nd draft)

This second public draft of NISTIR 8259 adds measures for managing IoT cybersecurity and privacy risks.

In this draft, the guidance is aimed mainly at IoT device makers. For customers, the draft also clarifies the cybersecurity capabilities of devices and the information manufacturers may provide.

The guidance covers the following:

  • Background on how manufacturers can help their IoT customers make devices more secure. This includes cybersecurity risk mitigation areas customers commonly need to address. 

  • Activities that primarily impact operations performed by the manufacturer before device sale. These activities include identifying expected customers and defining expected use cases, researching customer cybersecurity goals, determining how to address customer goals and planning for adequate support of customer goals. 

  • Activities that primarily impact operations performed by the manufacturer after device sale. These activities include defining approaches for communicating with customers regarding IoT device cybersecurity and deciding what and how to communicate with customers. 

  • A conclusion in the publication explores next steps for manufacturers or other stakeholders in the IoT ecosystem. 

>> See more at NISTIR

US - UL Security Rating Levels  

 

The UL Safety Test Institute is a large non-governmental U.S. organization engaged in safety testing and identification around the world. It focuses on testing materials, devices, products, equipment, and buildings to prevent hazards to life and property. UL certification is non-compulsory in the U.S., and its scope does not include a product's EMC (electromagnetic compatibility) characteristics. 

 

The certification is aimed at ensuring products attain a fair level of security and protect personal health and property safety. 

Below is a synopsis of UL’s IoT security ratings. This evaluation process assesses critical security aspects of smart products against common attack methodologies and known IoT vulnerabilities to create a security baseline.  

 

Bronze – Essential 

  • No Default Passwords 

  • Secure Update Mechanism  

  • Secure Reset 

  • Secure Connections 

Silver – Enhanced 

  • Access Control 

  • Industry Privacy Best Practices   

  • Product Security Maintenance  

 

Gold – Advanced 

  • Stored and Transmitted Data Security 

  • Secure Out-Of-The-Box Settings  

  • Mobile App Security Maintenance  

 

Platinum – Extensive 

  • Known Threat Testing   

  • Malware Protection  

  • Permanent Log-in Prevention  

 

Diamond – Comprehensive 

  • Malicious Software Modification Detection  

  • Illegitimate Access Attempt Protection  

  • User Data Anonymization  

 

>>See more at UL EAL  

Article: UL IoT Security Rating System Ranks IoT Devices Security from Bronze to Diamond  

Article: New IoT Security Ratings a Positive Development for Internet of Things

EU - ETSI TS 103 645

In February 2019, the European Telecommunications Standards Institute (ETSI) released the ETSI TS 103 645 standard for the cybersecurity of consumer IoT products. This standard mainly regulates the safety of consumer devices connected to the internet and their related services, including children's toys and baby monitors, safety-related products such as smoke detectors, and other home appliances and wearable devices.

 

In essence, cybersecurity provisions for consumer IoT include: 

  • Elimination of universal default passwords 

  • A means to manage reports of vulnerabilities 

  • Regular software updates 

  • Secure storage of credentials and security-sensitive data 

  • Secure communications  

  • Minimization of exposed attack surfaces 

  • Safeguards of software integrity 

  • Safeguards of personal data  

  • Resilience for system outages 

  • Examinations of system telemetry data 

  • Simplification of consumer deletion of personal data 

  • Simplification of installation and maintenance of devices  

  • Validation of input data 

These provisions are all focused on improving consumers’ privacy, digital security and safety. They regulate those developing, producing and selling consumer IoT products.  

The initial draft of the ETSI standard was based on the “Code of Practice for Security in Consumer IoT Products and Associated Services” published in draft by DCMS in March 2018 as part of the “Secure by Design” report.

>> See more at Specification 

Article: Securing consumer IoT devices: Why a global standard is needed

US - California SB 327 “Security of Connected Devices”

Beginning in 2020, to increase password security, California will ban the use of preset passwords in any IoT product manufactured and sold in the state. Every IoT product, including wearables, home appliances and network routers, must have a unique password to prevent malicious intrusion by hackers. Also, any device able to connect to the internet directly or indirectly must be assigned an Internet Protocol address or a Bluetooth address.

 

This is California’s first law for IoT devices. Still, some people have said the bill is too vague to cover all security issues such as authentication methods other than passwords. The content of this bill may be strengthened in the future to ensure that IoT products have better security. 
 

>> See more at Bill Text

Article: California’s IoT cybersecurity bill: What it gets right and wrong

US - Oregon House Bill 2395

As under the California IoT device law, manufacturers are required to equip connected devices with security features that protect the device and the information it stores from unauthorized access, destruction, modification, use or disclosure.

The Oregon bill was based on California SB 327 so as to be compatible with the existing regulation and improve commonality. In the Oregon law, however, the scope is limited to home devices, and the definition of the device manufacturer is slightly different.

>> See more at Bill Text

Article: Oregon Becomes Second State to Pass Internet of Things Data Security Law

UK - DCMS Code of Practice for Consumer IoT Security   

This UK code aims to improve the security of consumer IoT products and associated services. Its guidelines describe practices that are widely recommended for IoT devices; they are aimed at protecting consumer privacy and safety and at simplifying the secure use of devices.

 

The 13 guidelines in the code are as follows: 

  • No default passwords  

  • Implementation of a vulnerability disclosure policy 

  • Regular software updates 

  • Secure storage of credentials and security-sensitive data 

  • Secure communications  

  • Minimized exposure of attack surfaces 

  • Ensured software integrity 

  • Ensured protection of personal data  

  • Resilience of systems to outages 

  • Examination of system telemetry data 

  • Simple consumer deletion of personal data 

  • Simple installation and maintenance of devices  

  • Validation of input data 

>> See more at Code of Practice for Consumer IoT Security

Article: UK Government publishes its proposed Code of Practice for Security in Consumer IoT

Article: UK Cybersecurity Regulation in the Post-Brexit Era: Here’s What to Expect

Article: IoT security laws and standards you must know and get ready to adhere to

Article: The $6trn importance of security standards and regulation in the IoT era

Japan – The Basic Act on Cybersecurity and Its New Cybersecurity Strategy 

Japan’s Cybersecurity Strategy Headquarters (サイバーセキュリティ戦略本部) released the Basic Act on Cybersecurity in 2014 and revised it in 2016 and 2018 in light of technological developments. Along with the Basic Act, in 2018 the Japanese government also issued its new Cybersecurity Strategy, which is the second Basic Plan for Cybersecurity under the Basic Act on Cybersecurity.

 

The Act on Cybersecurity, effective from 2015, is summarized as follows:

 

  • Setting basic principles of cybersecurity policy

  • Clarifying the responsibilities of the government, private entities and citizens

  • Stipulating a framework for cybersecurity policy including cybersecurity strategy formulation and the establishment of the Cybersecurity Strategic Headquarters.

 

The new Cybersecurity Strategy presents a basic position and vision for cybersecurity, together with objectives and implementation policies for a three-year period (2018-2021), both domestically and internationally. Three major policy approaches focus on achieving these objectives:

 

  • Enhancing economic vitality and sustainable social development

  • Building a safe and secure society for citizens

  • Contributing to the peace and stability of the international community and Japan’s national security

 

Note: The National Center of Incident Readiness and Strategy for Cybersecurity (NISC) was established in 2015 as the secretariat of the Cybersecurity Strategy Headquarters.

 

>>See more at:

NISC website

Japan’s cybersecurity strategy

The Basic Act on Cybersecurity

 

© 2020 PUFsecurity  All Rights Reserved