IoT devices have integrated seamlessly into both our technological landscape and societal fabric. The number of IoT devices is growing exponentially, with billions already deployed in residences and workplaces worldwide. Individuals are surrounded by sensors, actuators, and routers, which continuously observe external stimuli, respond with logical actions, and relay notifications to users. To illustrate the scale of this phenomenon, Gartner’s projections suggest a substantial increase from 8.4 billion connected devices in 2017 to an anticipated 20.4 billion devices by 2020, more than three times the global human population.
The European Cyber Resilience Act (CRA) establishes a legal framework that sets out cybersecurity requirements for hardware and software products containing digital components within the European Union market. Manufacturers are now obligated to prioritize security throughout the entire lifespan of their products.
In today’s interconnected environment, digital hardware and software products are highly susceptible to cyberattacks. A breach in one such product can have far-reaching consequences for an entire organization or supply chain, crossing borders and swiftly impacting the internal market.
Before the implementation of the European Cyber Resilience Act, existing measures at both Union and national levels failed to adequately address identified cybersecurity issues. This resulted in a fragmented regulatory landscape within the internal market, causing uncertainty for both manufacturers and users and imposing redundant compliance obligations on companies producing similar types of products.
The cross-border nature of these products emphasizes the need to tackle two critical issues:
- The widespread cybersecurity vulnerabilities and the inconsistency in providing security updates, indicating a generally low level of cybersecurity across digital products.
- The limited understanding of, and access to, relevant information by users, hindering their ability to make informed decisions regarding product selection and secure usage.
Under specific conditions, any product containing digital components integrated into or connected with larger electronic information systems can serve as a potential entry point for malicious actors. Consequently, even seemingly less critical hardware and software may facilitate initial compromises, giving adversaries privileged access to systems or enabling lateral movement across networks.
According to Pier Giorgio Chiara:
“This perspective, defined elsewhere as ‘infraethical’ [20], is acknowledged by the CRA Proposal: ‘by protecting consumers and organisations from cybersecurity risks, the essential cybersecurity requirements laid down in this Regulation, are also to contribute to enhancing the protection of personal data and privacy of individuals’. In other words, cybersecurity can also be conceived as an instrumental value necessary to uphold fundamental values, such as fundamental rights and liberties and physical safety.” (https://link.springer.com/article/10.1365/s43439-022-00067-6)
In the US, the Federal Communications Commission (FCC) has launched a voluntary cybersecurity labeling initiative for wireless consumer Internet of Things (IoT) products. This program, known as the “U.S. Cyber Trust Mark,” aims to raise consumer awareness and motivate manufacturers to meet rigorous cybersecurity standards. Through this initiative, qualifying smart products will bear a label indicating compliance with stringent cybersecurity criteria. This effort empowers consumers to make well-informed purchasing choices, identifies dependable products in the market, and encourages manufacturers to uphold higher cybersecurity standards.
Key features of the program include:
- Affixing the U.S. Cyber Trust Mark logo to IoT products that meet the program’s cybersecurity standards.
- Accompanying the logo with a QR code, offering accessible details about the product’s security features, such as support duration and automatic software updates.
- FCC oversight of the program’s execution, including providing guidance on label usage and accrediting labs for compliance testing.
- Conducting compliance testing through accredited labs to ensure adherence to cybersecurity standards.
- Encompassing a broad range of IoT devices, including home security cameras, voice-activated assistants, internet-connected appliances, and fitness trackers.
Additionally, the FCC is seeking public input on potential disclosure requirements, such as the origin of a product’s software from countries with national security concerns and the routing of customer data to servers in such countries.
This initiative addresses the mounting cybersecurity risks associated with IoT devices, as projections anticipate billions of connected devices by 2030. By promoting transparency and accountability, the program aims to instill consumer confidence in IoT products, thereby ensuring safer and more reliable connected experiences.
asvin applauds both schemes. We have a long history of seeing economics and convenience play a central part in practices such as 0000 or 1234 passwords on devices that, as both the CRA and the FCC stress, can become mission critical in a fully connected world. People still seem to think that the Internet of Things is a term from 2000, whereas it is far older, going back to automation in the 1950s, pervasive computing in the 80s, ubicomp in the 90s and Ambient Intelligence (2000). The process of connectivity itself has been going on for a long time.
asvin provides a secure firmware update solution for IoT devices, enabling manufacturers, service providers, and end-user organizations to efficiently oversee devices and their firmware, and implement over-the-air updates. Presently, unaddressed vulnerabilities in IoT devices act as entry points for diverse cyber attacks such as DDoS attacks, ransomware, hijacking, and data theft. Updating insecure IoT systems is comparable to administering treatment to sick patients; there’s a growing necessity to consistently address infected or insecure devices within the Internet of Things environment.
Earlier we predicted this focus on the device and the CE mark as the moment to address security concerns alongside electrical safety.
In Europe, we have also lost control over infrastructure (privatized) and data platforms (GAFA), and are rapidly losing agency on AI, as Europe has no data lakes and, worse, no broad vision on the digital transition. Of course, both the United States and Europe would do better if they were to build their own cybernetic systems, taking firm control over identity (of humans, goods, objects and robots). The EU has rapidly developed a multi-level cybersecurity policy, and this policy should be one of the major references for problem-solving in the current IoT world.
This may mean that existing devices will need to be monitored by some form of agency. Ideally, security tests and the education of the market will take place at the moment the device is tested for the CE mark, which indicates conformity with requirements in the EU: “To place a CE Mark on electrical products to be legally sold on the European Market, a manufacturer has to be able to demonstrate compliance with the applicable EU regulations and directives including: the Low Voltage Directive (LVD) 2014/35/EU; Machinery Directive 2006/42/EC; Medical Devices Directive (MDD) 93/42/EEC; and In-vitro Diagnostic Medical Devices Directive (IVDD) 98/79/EC.”
(Rob van Kranenburg and Gaelle Le Gars, “The Cybersecurity Aspects of New Entities Need a Cybernetic, Holistic Perspective”, Volume 2(1), 63-68, https://doi.org/10.46386/ijcfati.v2i1.36, https://theinternetofthings.eu/wp-content/uploads/2022/12/Cyberforensics_vankranenburg_legars.pdf)
The device has now become the focus for European and US policymakers. It shows how seriously the capabilities of the Internet of Things are finally being taken. If you are able to make a digital twin out of everything, enhanced with AI, there comes a moment when the digital counterpart of the twin starts to act in the real world. The world thus becomes hybrid. And where are the rules for such a world? They have yet to be written. That is why the policy focus on the device is so logical and timely. Through security at device level we are entering a new realm where industry and policy both have an important role to play. This is the rationale for our Device Security Booster.
Asvin’s Device Security Booster leverages the inherent properties of Distributed Ledger Technology (DLT), such as decentralization, immutability, smart contracts, consensus, and security, to ensure integrity and trust in IoT data. All critical metadata is stored on a distributed ledger and governed by smart contracts. Every event in the IoT device lifecycle, such as device registration, firmware registration, device updates, firmware updates, and decommissioning, is recorded on the distributed ledger. These transactions are linked with hashes and stored in blocks, which are further secured by cryptographic hashing, ensuring the security and immutability of the ledger. Importantly, our customers have the flexibility to integrate DLT according to their preferences. DLT integration is an optional feature, and the solution operates independently of DLT. Moreover, if customers opt for DLT integration to enhance transparency and traceability, they can choose their preferred DLT solution, as the Device Security Booster is DLT agnostic.
Typically, we arrange comprehensive technical workshops with our clients to delve into their deployment environment and aid them in setting up the Device Security Booster according to their preferred configuration. The key attributes of deploying the Device Security Booster on-premises include:
- Control: Clients maintain full authority over their IT infrastructure, covering hardware, software, security settings, and data management policies. This grants them the capability to oversee device and firmware data in alignment with their specific needs.
- Customization: On-premises deployment allows for tailoring the Device Security Booster’s infrastructure components, disaster recovery and backup strategies, and deployment timelines to suit the individual requirements of our clients.
- Compliance: Deploying on-premises offers enhanced control over regulatory and compliance mandates, as well as data governance, ensuring that clients can adhere to pertinent standards and regulations.
- Integration: It facilitates seamless integration of the Device Security Booster with existing on-premises systems and procedures, ensuring harmonious compatibility and interoperability with our clients’ current infrastructure.
It is often said that regulation hampers innovation, but in this case it is a much-welcomed set of new rules that will create a new level playing field for everyone.