IoT Cybersecurity Landscape in 2024

In 2022 IoT faced over 112 million cyberattacks, up from 32 million in 2018. The rapid growth of IoT technologies has been accompanied by a matching rise in cyberthreats. As a result, countries and regions are introducing specific regulations to protect IoT devices and the valuable data they handle. Let's look at some examples, including the EU, US, UK, and Singapore, how they impact businesses and consumers, and how firmware and software updates relate to the security of an IoT project.

The European Union and IoT Regulations 

The General Data Protection Regulation (GDPR) 

The GDPR was introduced on May 25, 2018. It provides a specific standard for data security in the European Union and Great Britain, focusing on data privacy. GDPR mandates that organizations secure personal data collected by IoT devices, implement privacy by design, and ensure data subjects' rights. Its strict penalties for non-compliance have made it a model for many data protection laws worldwide.


The Cybersecurity Act 

The Cybersecurity Act, which came into force on June 27, 2019, delivers a framework for certifying the cybersecurity of ICT products and services within the European Union. The act intends to reduce the risk of cyberattacks aimed at IoT by setting higher security standards and providing transparency about the security levels of certified products. The EU Cybersecurity Agency (ENISA) contributes significantly to IoT cybersecurity, offering resources and support to member states and businesses.


The Cyber Resilience Act 

The Cyber Resilience Act (CRA) is a recent European law focusing on the security of digital devices, covering everything from baby monitors to smartwatches. The CRA addresses two main problems: a lack of proper security features or updates, and the difficulty of knowing whether a product is secure. To address them, the regulation: 

  • Create consistent rules across the EU for selling devices with digital components. 

  • Set mandatory cybersecurity requirements for IoT manufacturers and retailers. 

  • Require manufacturers to prioritize security throughout the design and production process. 


The NIS Directive and NIS2 

The original NIS Directive aimed to achieve a high level of cybersecurity for critical infrastructure and essential services. The NIS2 Directive, effective January 2023, expands the scope to include more sectors and entities, harmonizing cybersecurity measures across member states. This is achieved through several key measures: 

  • EU member states are to set up dedicated cybersecurity resources, such as a Computer Security Incident Response Team (CSIRT) and a competent national authority. 

  • Cooperation Groups promote information exchange and strategic cooperation among member states. 

  • The directive targets critical sectors, such as electricity, transport and logistics, that depend heavily on information and communication technologies (ICTs). Service providers within these sectors must implement specific security measures and report incidents to the national authorities. Furthermore, digital service providers, such as search engines and cloud services, will also need to comply with the directive's security and reporting requirements.  


The United States and IoT Security 

The IoT Cybersecurity Improvement Act of 2020 

Signed into law on December 4, 2020, this act mandates that IoT devices procured by the federal government meet minimum cybersecurity standards set by the National Institute of Standards and Technology (NIST). These standards include NIST Special Publication 800-53, which covers security controls for information systems, including access control, incident response, and system protection, and 800-183, which focuses on security and privacy considerations for IoT devices. The act specifies that IoT devices must have unique identifiers and robust authentication (Identity Management), strong encryption for data at rest and in transit (Data Protection), procedures for timely and secure updates (Patch Management), and secure configurations (Configuration Management).


Executive Order 14028 

Executive Order 14028 intends to help both the US government and the private sector better protect themselves against cyberthreats. The established framework clarifies how to improve IoT cybersecurity in America and offers solutions. For instance, EO 14028 requires organizations to adopt three measures: scanning application code, creating a software bill of materials (SBOM), and securing the development process.


California’s IoT Security Law (SB-327) 

Effective January 1, 2020, the law requires IoT device manufacturers to equip devices with reasonable security features appropriate to the device's function and to the data it collects and transfers, designed to protect that data and the hardware from any kind of unauthorized access, destruction, or disclosure. SB-327 defines IoT devices as any object capable of connecting to the internet, including home devices such as smart thermostats and wearables. Manufacturers selling in California must comply with the law's provisions, ensuring their devices meet its security standards. Non-compliance can lead to enforcement actions by California's Attorney General or local district attorneys.


State Privacy Laws 

Several states, such as California and New York, have introduced their own data privacy laws. The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) strengthen consumer privacy rights and security by granting the rights to know about, delete, and opt out of data collection, and by introducing protections for sensitive data. New York's SHIELD Act requires cybersecurity programs from businesses that handle New York residents' data.


The United Kingdom: Aligning with Global Standards 

The Product Security and Telecommunications Infrastructure (PSTI) Act 

The UK has recently introduced the PSTI Act, which sets new product security requirements for connected devices, including IoT devices such as smart speakers and certain products that connect to computers, and which also updates the UK's telecommunications infrastructure regime. The act has two major parts: 1) requirements for connected devices and 2) amendments to the UK Electronic Communications Code. Under the act, IoT device manufacturers must provide clear information on support periods, so that consumers know how long their devices will receive security updates and technical support. Furthermore, the PSTI Act requires manufacturers to implement robust procedures for reporting security issues, enabling prompt responses to vulnerabilities and strengthening the overall IoT cybersecurity ecosystem.


Singapore & IoT Security in Asia-Pacific 

The Cybersecurity Labelling Scheme (CLS) 

The Cyber Security Agency of Singapore (CSA) has introduced the Cybersecurity Labelling Scheme (CLS) for consumer connected devices in order to improve IoT protection practices. Under the scheme, smart devices are rated according to their level of cybersecurity, so consumers can see which products are better or worse protected before choosing them. In addition, CLS helps manufacturers differentiate themselves from competitors and develop better-protected devices and solutions. CLS is backed by the following mutual recognition agreements: 

  • Finland. A Memorandum of Understanding (MoU) allows mutual recognition of cybersecurity labels between Singapore and Finland, facilitating compliance and market access. 

  • Germany. A Mutual Recognition Arrangement (MRA) with Germany ensures that devices certified under Germany’s IT Security Label are recognized under Singapore’s CLS, promoting streamlined certification processes. 


Regulatory Requirements for Software Updates 

Specific requirements naturally differ from region to region. However, there are also common technical aspects across many cybersecurity acts. Let's go through those that apply to most of them: 

  • Secure coding. Memory sanitization, input validation, and the use of vetted secure libraries are typical examples of the required practices. 

  • Cryptographic requirements. Acts and bills often require the use of specific cryptographic algorithms, since encryption is central to protecting data and keeping pace with evolving threats. 

  • Secure update protocols. Many regulations specify HTTPS and TLS for update delivery. This includes Over-the-Air (OTA) updates for delivering firmware and software updates securely to IoT devices. 

  • Digital signing. Cryptographic signing of updates will likely become a requirement across many regions, to ensure authenticity and prevent unauthorized access or tampering during data transfer. 

  • Secure boot and rollback protection. Some regulations might require these features to prevent the installation of malicious firmware or the manipulation of the update process. 
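The last two items in this list, digital signing and rollback protection, are the checks a device performs on an update before installing it. The following Go program is an added example written for this article, not code from any regulation or from Mender: it builds a signed update package on the vendor side and verifies it on the device side. The manifest format, the field names, the device name "sensor-x1" and the firmware payload are all constructed for the example; the signature is Ed25519 from Go's standard library, the payload is bound to the manifest by its SHA-256 digest, and rollback protection is a simple rule that the authenticated version must be newer than the installed one. Transport security (HTTPS/TLS) is assumed to happen outside this code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one OTA update. It is the only thing the vendor signs; the
// payload is bound to it through its SHA-256 digest. Field names are hypothetical,
// constructed for this example and not taken from any standard manifest format.
type Manifest struct {
	Device  string `json:"device"`
	Version uint32 `json:"version"` // monotonically increasing; drives rollback protection
	SHA256  string `json:"sha256"`  // hex digest of the firmware payload
}

// UpdatePackage is what travels to the device: signed manifest plus payload.
type UpdatePackage struct {
	ManifestJSON []byte
	Signature    []byte
	Payload      []byte
}

// Sentinel errors so callers (and tests) can tell the rejection reasons apart.
var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrWrongDevice  = errors.New("manifest is for a different device model")
	ErrHashMismatch = errors.New("payload hash does not match manifest")
	ErrRollback     = errors.New("update version is not newer than installed version")
)

// GenerateVendorKey creates the vendor's Ed25519 signing key pair. In production the
// private key lives in an HSM or signing service, never on the device.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // a failing system RNG is not recoverable here
	}
	return pub, priv
}

// Sign is the vendor-side step: hash the payload, describe it in a manifest, sign the manifest.
func Sign(priv ed25519.PrivateKey, device string, version uint32, payload []byte) (UpdatePackage, error) {
	sum := sha256.Sum256(payload)
	m := Manifest{Device: device, Version: version, SHA256: hex.EncodeToString(sum[:])}
	mj, err := json.Marshal(m)
	if err != nil {
		return UpdatePackage{}, err
	}
	return UpdatePackage{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Payload: payload}, nil
}

// Verify is the device-side step. Order matters: the signature is checked before any
// manifest field is trusted, and the version comparison runs on the authenticated
// manifest, so an old but genuinely signed release cannot be replayed as an update.
func Verify(pub ed25519.PublicKey, device string, installedVersion uint32, pkg UpdatePackage) (Manifest, error) {
	if !ed25519.Verify(pub, pkg.ManifestJSON, pkg.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(pkg.ManifestJSON, &m); err != nil {
		return Manifest{}, err
	}
	if m.Device != device {
		return Manifest{}, ErrWrongDevice
	}
	sum := sha256.Sum256(pkg.Payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return Manifest{}, ErrHashMismatch
	}
	if m.Version <= installedVersion {
		return Manifest{}, ErrRollback
	}
	return m, nil
}

func main() {
	pub, priv := GenerateVendorKey()
	// Constructed sample payload standing in for a real firmware image.
	pkg, err := Sign(priv, "sensor-x1", 7, []byte("constructed firmware image v7"))
	if err != nil {
		panic(err)
	}
	// A device on v6 accepts the update; a device already on v7 rejects it as a rollback.
	for _, installed := range []uint32{6, 7} {
		m, err := Verify(pub, "sensor-x1", installed, pkg)
		if err != nil {
			fmt.Printf("installed v%d: rejected (%v)\n", installed, err)
			continue
		}
		fmt.Printf("installed v%d: accepted v%d, payload sha256 %s...\n", installed, m.Version, m.SHA256[:8])
	}
}
```

Signing the manifest rather than the raw image keeps the signature small and lets the same check cover metadata such as the target device model; in a secure-boot design the installed version would be stored in a monotonic counter or protected storage so that the rollback rule cannot be reset by rewriting flash.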


The Role of Over-the-Air (OTA) Updates in Cybersecurity 

Over-the-Air (OTA) updates help maintain cybersecurity under the evolving regulatory landscape. These updates address vulnerabilities and bugs and often bring performance improvements as well. Here's how OTA updates contribute to security: 

  • Vulnerability patching. OTA updates deliver code changes that address identified vulnerabilities, mitigating the risk of exploitation by malicious actors. 

  • Cryptography updates. Updates may introduce new encryption algorithms or patch weaknesses in existing ones, strengthening data protection mechanisms. 

  • Bug fixes. OTA updates can resolve software bugs that would otherwise leave the system more vulnerable and less stable. 

Cybersecurity regulations encourage manufacturers to use efficient and secure update methods, motivating them to treat OTA updates as a fundamental part of their IoT cybersecurity approach. This ensures that users receive the most recent security patches. 

How OTA Updates Relate to Regulations: Mender's Example 

Companies like Mender can help IoT providers build resilient ecosystems that protect users, save resources, and control IoT projects in real time. Let's go through the details of how Mender's OTA updates fit within the key regulations: 

Cyber Resilience Act (CRA) 

  • Key requirements: mandatory security updates; prioritize security throughout the lifecycle. 

  • How Mender addresses them: secure updates with HTTPS, TLS, and digital signing; secure boot and role-based access control (RBAC). 

NIS Directive/NIS2 

  • Key requirements: robust security measures for critical infrastructure; harmonized security measures across member states; timely vulnerability disclosure. 

  • How Mender addresses them: secure updates, secure boot, RBAC; centralized management console for geographically dispersed devices; streamlined patch deployment with automated campaigns. 

UK's PSTI Act 

  • Key requirements: secure update mechanisms; clear information on support periods. 

  • How Mender addresses them: secure updates with HTTPS, TLS, and digital signing; streamlined patch deployment. 

California's IoT Security Law (SB-327) 

  • Key requirements: standardized security practices. 

  • How Mender addresses them: enforces secure coding practices throughout the update lifecycle. 

GDPR 

  • Key requirements: user control over data. 

  • How Mender addresses them: transparency tools for communicating update information. 

IoT and cybersecurity are inseparable. The growing number of cybersecurity acts reflects a global commitment to secure software development and update practices. By implementing the necessary technical safeguards, manufacturers can not only achieve compliance but also demonstrate their commitment to building trust with their users in an interconnected world.