www.design-reuse-embedded.com

Ensuring security legislation compliance in IoT applications

This article will explore the road to developing secure devices by introducing the 13 Best Practices of IoT security and how they can be implemented in IoT applications to ensure compliance with legislation. The 13 best practices include no default passwords, a secure update mechanism, end-of-life policies clearly communicated to customers, and more. While legislation around the world is still evolving, we know that it will include steps similar to the 13 best practices. Once these are implemented, it should in theory be easy to adapt to whatever additional requirements may be imposed by the European standard EN 303 645 [1] and the evolving US Cybersecurity Improvement Act (NISTIR 8259) [2].

www.embedded.com/, Oct. 18, 2023

IoT Security

Security is critical to enabling devices to work together in trusted networks, to share personal data within a network, and to enable private operation with cloud services. Similarly, a secure foundation is required for managing updates and procurement.

IoT device vendors realize that the value of their IP is equal to the value of their business. The possibility of IP theft is very real. In fact, the European Union estimates it may be as high as $60 billion per year according to the latest protection and enforcement of Intellectual Property Rights (IPR) report [3]. In addition to the economic consequences, this IP theft has a potential impact on about 300,000 jobs in the EU alone.

Consumer protection is driving standards and security legislation around the world. For example, consumer electronics shipped to Europe must comply with the European standard EN 303 645. In addition, IoT devices are subject to the privacy legislation outlined in the GDPR regulations. This includes a clear obligation to protect the user's personal data and to ensure that it can be deleted during the life of a product or if the product is sold or passed on. Likewise, all data supplied as part of a service, even something as simple as a voice command to a coffee machine, falls within the scope of this legislation.

GDPR provides clear penalties for infringements, with a minimum penalty of €20 million, which can amount to 4% of the company's total sales if the company is found to be purposefully delinquent.

Consumer Legislation

The pressure on the consumer IoT market to comply with security standards is increasing with the advent of EN 303 645 and the US IoT Cyber Security Act (NISTIR 8259). However, this is not limited to consumer IoT, as regulations are evolving rapidly in other markets, such as the IEC 62443 requirements for Industrial IoT (Industry 4.0) and similar requirements in the medical and automotive sectors.

The EN 303 645 and US Cybersecurity Improvement Act are very similar and trace their roots back to the work of the IoT Security Foundation [4].

The IoT Security Foundation is a successful industry forum that grew out of the need to identify existing "best practices" or the Code of Practice for security and how this should be applied to emerging IoT challenges.

The ambition of the Code of Practice for Consumer IoT Security is to provide guidelines on how to achieve a secure-by-design approach during the development, production, and maintenance of IoT products across their entire life cycle. The practices bring together what are widely considered best practices in IoT security.


© 2024 Design And Reuse
