Is the EU and UK Ahead of the US on IoT Device Security?

Internet of Things – Digital Transformation  

Merriam-Webster’s definition of the Internet of Things (IoT) is, “the networking capability that allows information to be sent to and received from objects and devices (such as fixtures and kitchen appliances) using the Internet”. In 1999 Kevin Ashton coined the term and since then we have seen the expansive growth of IoT and while these devices have been around for decades, the regulations on these devices still remain ineffectual.

And, while IDC estimates that there will be 41.6 billion connected IoT devices, or “things,” generating 79.4 zettabytes (ZB) of data in 2025, we still are not able to properly build IoT devices with security in mind.

The United States  

Recently, a bipartisan bill, the IoT Cybersecurity Improvement Act, from Reps. Will Hurd (R-Texas) and Robin Kelly (D-Ill.), along with Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo.) was passed by the House but now must go to the Senate before hitting the President’s desk. The bill took more than three years to get to the House of Representatives and in that time more than 6 billion IoT devices entered the market.

While the bill would set the minimum security standards for IoT devices connected to federal networks, it would also require the National Institute of Standards and Technology (NIST) to set best practices for device security, the Office of Management and Budget to create guidance for agencies to meet, and require the Department of Homeland Security to publish guidance on coordinated vulnerability disclosures for contractors and vendors.

The Food and Drug Administration (FDA) is trying to achieve medical device security and makes it well known on their website what they aim to accomplish:

The U.S. Food and Administration (FDA) regulates medical devices and works aggressively to reduce cybersecurity risks in what is a rapidly changing environment. It is a responsibility the Agency shares with device makers, hospitals, health care providers, patients, security researchers, and other government agencies, including the U.S. Department of Homeland Security and U.S. Department of Commerce. 

The FDA provides guidance to help manufacturers design and maintain products that are cyber secure. And on behalf of patients, the FDA urges manufacturers to monitor and assess cybersecurity vulnerability risks, and to be proactive about disclosing vulnerabilities and solutions to address them. 

The medical device cybersecurity guidance by the FDA was last updated in 2018. While they release a list of vulnerabilities, their guidance points organizations to the MITRE Corporation’s Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook in which they were a contributor.

Much like with regulatory compliance standards around sensitive data, in the United States the individual states are leading the charge again. California and Oregon have enacted legislation that mandates that manufactures that supply IoT devices do so with “reasonable security features.” In addition to California and Oregon, eight additional states are considering legislation.

The United States is likely to not see real meaningful regulatory compliance standards for IoT devices until the impact has already hit most organizations and homes. Compare that to the European Union (EU) and what they have in place and are working to put in place.

The European Union (EU) 

The EU in June of this year introduced a new cybersecurity standard for consumer IoT (ETSI EN 303 645 V2.1.1) products. With the hopes of better security practices and more manufactures adopting a security-by-design principle when developing new connected consumer products.

The standard consists of 13 provisions:

• No universal default passwords
• Implement a means to manage reports of vulnerabilities
• Keep software updated
• Securely store sensitive security parameters
• Communicate securely
• Minimize exposed attack surfaces
• Ensure software integrity
• Ensure that personal data is secure
• Make systems resilient to outages
• Examine system telemetry data
• Make it easy for users to delete user data
• Make installation and maintenance of devices easy
• Validate input data

In addition to ETSI EN 303 645 V2.1.1, the EU also explicitly addresses medical devices in the European Medical Device Regulation (EU MDR). Much like the US FDA’s UDI, it seeks to ensure high standards of quality and safety for medical devices being produced in or supplied into Europe. With the introduction of this directive, devices entering the EU will have:

• Stricter pre-market control of high-risk devices at an EU level
• The inclusion of certain aesthetic products which present the same characteristics and risk profile as equivalent medical devices
• A new risk classification system for diagnostic medical devices based on international guidance
• Improved transparency through the establishment of a comprehensive EU database of medical devices
• Device traceability through the supply chain from its manufacturer through to the final user
• An EU-wide requirement for an ‘implant card’ to be provided to patients containing information about implanted medical devices
• the reinforcement of the rules on clinical data and clinical studies on devices
• Manufacturers to collect data about the real-life use of their devices
• Improved coordination between EU Member States

And, now with Brexit, what happens with the United Kingdom (UK) come December 31, 2020 and the IoT regulatory compliance standards? While the UK remains subject to EU law, it is no longer part of the EU’s political bodies or institutions. Will the Department for Digital, Culture, Media & Sport (DCMS) serve as the governing body for IoT device security?

The United Kingdom (UK) 

In June of 2020 the UK DCMS addressed the need for cybersecurity as a fundamental instrument in the building of IoT devices, they are enacting a product assurance schema to mark approved IoT devices with an assurance label or kitemark that demonstrates that the product has undergone independent testing or a robust and accredited self-assessment process. The ultimate goal would be that consumers of IoT devices would purchase approved devices, rather than those that are not, and that retailers would only sell approved devices.

DCMS has been taking forward multiple initiatives to address the matter, including:

• Publishing the Code of Practice for Consumer IoT Security 
• Committing to taking forward new legislation to mandate core aspects of the Code
• Leading the development of industry standard ETSI EN 303 645 

“The UK Government looks forward to continuing to work with industry and all interested stakeholders to ensure that the UK is the safest place to be online.” 

While the EU and UK continue to lead the charge in regulatory compliance standards to protect citizen and resident data, it is also years ahead of the US in addressing IoT device security. The fundamental issues still remain. Can we create a global culture where we put securing our data first, both from properly building IoT devices and then by holding device manufactures accountable in our procurement of devices?