Governmental concern about the security of IoT devices has been rapidly building in recent years, due to the widespread use of historically insecure devices across all forms of critical national infrastructure (CNI), such as smart cities, our healthcare services, and manufacturing plants.
As emerging technologies continue to shape and reshape the world around us, these sectors are particularly reliant on connected devices and are vulnerable to singular powerful cyber attacks that could bring the entire UK to a standstill. With the rate of cybercrime against these sectors skyrocketing, the risk is far from speculative.
Cyber resilience is more crucial now than ever before. IoT devices often act as the weakest link, providing entry points for cybercriminals to infiltrate and disrupt networks. Estimates indicate that 50 percent of device manufacturers shipped products with known vulnerabilities in 2020. Now governments are looking to raise the bar.
This is the driving force behind the EU Cyber Resilience Act. Now approved by the European Parliament, it will soon be law. It closely follows the UK’s PSTI Act but has broader implications for the European and non-EU tech community.
Once approved by the Council, the entire IoT device supply chain, not just the manufacturer, will be responsible for the security of individual devices. Non-compliance prevents manufacturers and distributors from obtaining CE marking, forcing them to withdraw the product from the market and exposing them to fines of up to €15 million or 2.5 percent of worldwide annual turnover, whichever is higher.
Time is ticking for the IoT industry to prepare for these upcoming regulatory changes. So where are we now?
Understanding the Effect
Distributors and importers must understand that the legislation affects them too; responsibility and accountability cannot simply be passed back along the chain. Everyone involved in creating and distributing the device must accept responsibility for ensuring a ‘secure by design’ approach.
Under current legislation, security is too often left as an afterthought. By mandating “secure by design”, the Cyber Resilience Act rewrites this norm. It requires manufacturers to identify and document vulnerabilities, to test for them regularly, and to provide security updates for the product’s support period. In this way, security becomes an integral part of the device’s design and composition rather than a feature bolted on before shipping.
The CRA will impact both EU and non-EU countries, but the IoT industry must also appreciate that these changes won’t be avoidable by focusing efforts on alternative jurisdictions. There are 20+ countries currently in the process of debating the introduction of new IoT security regulations.
PSTI now enforces a minimum level of security for consumer internet-connected smart devices in the UK, banning universal default passwords and requiring manufacturers to publish a vulnerability disclosure policy and to state the minimum period for which the device will receive security updates.
The move towards boosting cyber resilience will be reflected globally. In the US, one of the world’s largest markets, the IoT Cybersecurity Improvement Act of 2020 was the first federal law to regulate the security of IoT devices, setting baseline requirements for devices procured by federal agencies.
There are also plans for mutual recognition between jurisdictions, so that stakeholders are not forced to jump through separate compliance hoops for each market and international cooperation is strengthened. The aim is that a product compliant with the CRA would also be recognised as compliant under US requirements.
Are We on Track for Legislative Change?
Manufacturers, importers, and distributors have 36 months from the Act’s entry into force to comply, with the obligations to report actively exploited vulnerabilities and severe incidents applying earlier, after 21 months. A typical IoT device development lifecycle is around 18 months, which leaves companies little room to delay compliance work.
Organizations must plan for an effort-intensive adoption period, especially compared to legislation such as the PSTI Act, where compliance is more straightforward. They need to budget time to assess each device and its vulnerabilities, including the sensitive data stored on it, and then time to implement the new practices needed to reach the required standard of security and, finally, to register the device as compliant.
Determining financial responsibility and implementing specific changes will be thorny challenges within the supply chain. The sheer volume of IoT devices in question poses another major challenge in the enactment of the CRA.
The rapid proliferation of IoT devices has kept wider adoption of IoT security high on the agenda of cybersecurity professionals for some time, and that adoption brings with it significant financial and resource commitments.
On the flip side, non-compliance also carries huge financial ramifications and cannot be ignored. Breaching the CRA’s terms could mean fines of up to €15 million, on top of the cost of losing CE marking and withdrawing the product from the market.
No doubt adapting to the Cyber Resilience Act will be challenging for the IoT industry in the coming years. But there are a few things that can be done now to alleviate the weight of the change later on.
Preparing for the Act
Manufacturers, importers, and distributors should start preparing now to avoid the larger financial consequences of non-compliance later. They should also seek expert advice, as it is often difficult to know where to start when legislation is the first of its kind.
Finally, where possible, the industry should go beyond the minimum standard of security required by the CRA. As cyber criminals’ tactics grow more sophisticated, regulation will likely continue to tighten in response.
The Cyber Resilience Act signals the first step in global regulation of the software industry as a whole, ensuring businesses and consumers can be properly protected from modern-day cyber threats.