Back to the articles
An Overview of IoT Regulations - Checklist for UK PSTI, EU RED and CRA
Table of contents
- What is at stake?
- Europe is leading the effort on IoT cybersecurity regulations
- Requirements of the UK PSTI
- Requirements of the European Union Radio Equipment Directive (RED) Delegated Act
- Requirements of the European Union Cyber Resilience Act (CRA) – still in development
- How to get ready for compliance?
- A checklist for Europe
- In Conclusion
Jump to the downloadable version
What is at stake?
Today, more and more devices are connected to the Internet: our TVs, our fridges, our thermostats, and our vacuum cleaners. This is the Internet of Things (IoT) and it should make our life better. However, it comes with a downside: too many cyber attacks now target these insecure IoT systems: the Mirai botnet caused many websites to become inaccessible, baby monitors were used to harass families, users of connected thermostats could not heat their homes during a snowstorm because the Cloud was down.
If nothing changes, insecure IoT systems will continue causing real damage to our society. This is unacceptable and we cannot expect every IoT user to be a cyber security expert.
In the past few years, several governments have decided to enforce minimum cyber security requirements for IoT products. It is now the responsibility of IoT product manufacturers to secure their products to protect their customers and society.
In this article, we will look at two regulations and propose a checklist to ensure your compliance.
Europe is leading the effort on IoT cybersecurity regulations
The old continent has already passed several laws tightening cyber security requirements for IoT products. Manufacturers have little time to achieve compliance, with enforcement starting in 2024.
We focus on the European Union and the United Kingdom as they have been leading the regulatory effort in IoT product cyber security with two different approaches:
- The UK Product Security and Telecommunications Infrastructure bill proposes a high-level approach that should not cause disruption in the market. This IoT regulation will only apply to consumer IoT systems and should not be too difficult to align with.
- The European Union Radio Equipment Directive (and future Cyber Resilience Act) take a more technical approach, with regulations applicable to all IoT devices, including Industrial IoT (with some exceptions for the medical and the automotive sectors).
Requirements of the UK PSTI
The UK Product Security and Telecom Infrastructure Act (PSTI) mandates 3 requirements:
- Have no insecure default password;
- Implement a way to receive vulnerability reports;
- Commit to fixing cyber security issues for a given period.
The PSTI proposes a new approach to product security: it considers that cyber security must take place throughout the product lifecycle. For that purpose, the PSTI only addresses one major technical risk: the use of insecure default passwords. The other two requirements are processes-based and do not require extensive changes to implement.
Manufacturers of consumer IoT devices sold in the UK have until the 29th of April 2024 to achieve compliance or face a maximum of £10 million or 4 percent of the company’s global turnover (plus £20k maximum daily fines). The PSTI also introduced the personal accountability of company directors for non-compliance.
Requirements of the European Union Radio Equipment Directive (RED) Delegated Act
The European Union RED Delegated Act makes cybersecurity a core requirement for obtaining the CE label. Internet-connectable must:
- Protect devices from being used in cyber attacks, in particular, Denial of Service botnets (article 3.3.d);
- Protect the privacy of users, in particular by securing personal data and data recorded by microphones and cameras (article 3.3.e);
- Protect financial transactions they may carry over the Internet (article 3.3.f).
For that purpose, IoT manufacturers must implement cyber security requirements in their products. They can do this in two ways:
- By following the (future) harmonized European Standards (hEN) developed by CEN/CENELEC
- By demonstrating their compliance with recognized international standards (such as EN 303 645 for consumer IoT or ISA/IEC 62443-4-2 for industrial IoT) through a “Notified Body”.
A Notified Body will test the implementation of product cyber security in a repeatable manner for the cyber security requirements of the RED (3.3.d, e and f). They are experts in certification: they will use various techniques to ensure the products they test comply with the EU RED. You can find a list of them here.
Note: international standards are an important tool for regulatory compliance. They are usually written by cyber security practitioners and propose a generic approach applicable to many sectors. The EN 303 645 is already referenced by several IoT regulations.
Manufacturers of Internet-connectable devices sold in the EU have until the 1st of August 2024 to achieve compliance, or face a market ban due to the lack of CE label.
Requirements of the European Union Cyber Resilience Act (CRA) – still in development
The EU has also decided to make cyber security mandatory in all products with a digital element. For that purpose, the Cyber Resilience Act will impose cyber security requirements adapted to the product class.
It is expected that the CRA will also introduce important changes for IoT manufacturers:
- They have to implement mandatory cyber security requirements for their product class in order to access the EU market.
- They will not be permitted to release products containing known vulnerabilities.
- They must report exploited vulnerabilities and incidents to their regulator promptly.
- For higher product classes, where cyber attacks can create damage to our society, manufacturers must certify their products in accordance with the Cyber Security Act.
Note: consumer IoT products will most likely belong to the “default category” that mandates fewer cyber security requirements.
The CRA is currently not expected to become mandatory before 2026. However, manufacturers should start preparations now, because this regulation has more complex requirements that cannot be met overnight.
It will impose important penalties: up to 2.5% of global turnover or €15 million.
You can check out our dedicated article on the Cyber Resilience Act here.
How to get ready for compliance?
Manufacturers of IoT products must implement cybersecurity requirements to comply with these new regulations. However, it is important to remain pragmatic: most regulations prescribe similar cyber security requirements.
Our key advice is to consider compliance not as a final objective but as an incentive to take the first steps towards the cyber security of IoT products.
Because IoT cyber security goes beyond devices, including Cloud and mobile apps, our recommendation is to follow the ETSI EN 303 645 standard for consumer IoT. This standard is referenced by many regulations and it will make compliance easier. For Industrial IoT, manufacturers should look at ISA/IEC 62443-4-1 (for cyber security management) and 62443-4-2 (for cyber security capabilities in products).
A checklist for Europe
We will outline a checklist below to get you started. We have also prepared it in a sheet format so you can make a copy and start doing the right thing.
GET YOUR CHECKLIST HERE!
Once open, just click file - make a copy, and then it's yours to use.
Top priorities to ensure products can be released in 2024:
1. Avoid using insecure default passwords across all devices:
- Force users to change the default password at the first boot.
- For non-user services (admin), use random passwords per device or certificates.
- Remove all backdoors.
2. Keep products and end-users secure:
- Filter all input data against injection, in devices, mobile apps, and Cloud systems.
- Have a public point of contact to receive vulnerability reports. It can be an email or a webform.
- Commit to providing secure updates to fix security vulnerabilities. We recommend doing this for (at least) 2 years after the product end of life.
- Inform users of security updates. We recommend publishing an advisory on your website and notifying users via email and via the mobile app (if you have any).
To go further:
1. Integrate cyber security in your development process:
- Identify how cyber threats and risks can affect devices and systems before starting any development. Here is a quick evaluation guide for you.
- Always mitigate the top 3 risks to IoT: safety, privacy and mass compromise.
- Designate a cyber security expert to accompany you throughout product development.
2. Follow best practices to implement cyber security in your products:
- Look at fulfilling all mandatory EN 303 645 requirements.
- Use well-accepted references as support (ENISA, ISO, chip manufacturers).
- Use security assurance activities to verify your work throughout the development process (self-assessment, vulnerability scanning, penetration test, etc.).
3. Separate device and user identity:
- Ensure each device has a unique immutable identity, preferably protected by secure hardware.
- Ensure each human user (or admin) have their own identity.
- Use strong authentication for any critical function.
4. Protect secrets:
- Reuse the device secure hardware to store and protect secrets.
- Use key vaults to secure secrets in mobile phones and Cloud systems.
- Do not share API keys between devices or services.
- Rotate service API keys regularly.
5. Implement encryption securely:
- Always encrypt data in transit. Do not use insecure protocols (HTTP, Telnet).
- Encrypt personal and sensitive data at rest. The key must be stored securely.
- NEVER create your own crypto. It will fail!
- Reuse proven libraries, and make sure they are properly implemented.
6. Trust and verify:
- Always check if the user/service is authorized to perform an action, for example by verifying authentication tokens.
- If possible, avoid using passwords and prefer FIDO2 authentication.
7. Produce documentation:
- Inform users of sensors and data collected by the product.
- Explain what you do to secure users’ personal data (data protection policy).
- Inform users on cyber security functions and capabilities. You may do this directly in the product’s web interface, or via online user manuals.
- Ensure the product is secure by default, without user intervention. If not possible, document how a user can secure their product easily (use plain language!)
- Document your risks, your dependencies, and all important decisions, etc. internally. We suggest that product owners become the owners of this process, they must make sure it gets done. Developers and technical writers are actually creating and updating the materials. Last, but not least, cybersecurity teams of external auditors support and review the process.
8. Update firmware securely
- Sign all your firmware update .
- Verify the signature before updating products.
- Always encrypt firmware updates (at rest and in transit).
- Preferably, never publish update files online.
9. Consider resilience
-
Implement degraded modes: the device shall continue working with minimum functionalities in the event of an Internet outage.
-
Have a strategy to avoid network flooding when recovering from an outage.
-
Offer users the possibility to backup their system. Better, implement automatic backup (and secure them!).
In Conclusion
The situation might look daunting at first if you are a manufacturer facing these requirements, but if you take it step by step, it will actually become manageable. Take advantage of our checklist, start assessing the current situation, and discuss with stakeholders the next steps. We are always here to help you!