Regulations and Standards in IoT Security: Innovation Versus Compliance

Security standards compliance on the Internet of Things (IoT) is not an easy task to tackle for regulatory bodies nor implementers. It requires tracking down current and future technological advances, standardizing secure hardware and software specifications, ascertaining the long-term industry requirements on a multileveled scale, and addressing infrastructure needs unique to IoT application scenarios. How can organizations hope to navigate this multifaceted task and prepare for the next wave of standards?

In short, there are three key forces that shape the overall IoT secure standards landscape. First, as expected given the high stakes, many technology companies invested in the IoT space (ranging from hyperscalers and silicon players) have thrown their hat in the ring proposing their own sets of guidelines for IoT security practices, creating a feedback loop between the industry and key standardization bodies. These are private organizations with enough influence and a vested interest in the development of communication and security technologies proposing policy guidelines for further consideration by regulatory and standardization bodies. These include companies like Microsoft, Intel, ARM, and more. Second, there are the industry alliances and consortiums comprised of major organizations across different technological spectrums, like GSMA for network operators or the Industrial Internet Consortium for industrial systems and device connectivity. Third, there are the national and international standardization bodies that ultimately develop and impose regulations and standards like the National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO), Institute of Electrical and Electronics Engineers (IEEE), and Consumer Electronics (CE).

What are a few noteworthy examples of such IoT policy guidelines and what are the calculated risks that implementers need to keep in mind?

Private sector organizations: A first example comes from Microsoft. The firm showcases how it’s products and services can comply with an impressive list of guidelines and policy suggestions, both on an international and at a regional level. On top of providing dedicated support for IoT security and data privacy compliance in many diverse IoT deployments and cloud services on a global scale, the company also actively supports key standardization bodies like NIST for IoT management initiatives. Among other things, Microsoft’s initiatives includes silicon and hardware focused policies like: a) Project Cerberus which is a secure chip standard aimed at providing a secure Hardware Root of Trust for firmware for motherboards and devices using Microsoft’s CA (compliant with NIST 800-193) and attuned to Azure IoT; b) Microsoft’s Project Olympus, which focuses on an open-source hardware model for datacenters in order to streamline cloud integration (developed through the Open Compute Project).

On the chipset side of things, Intel’s Policy Framework for the IoT aims to tackle the security, interoperability, and communication transformation across the IoT. Intel has focused on three key applications in an effort to provide meaningful policy guidelines for stakeholders: automotive and transportation, healthcare, and energy and environment. Intel, in collaboration with NIST, has worked on Best Practices in Cyber Supply Chain Risk Management under the United States Resilience Project. While not specifically geared towards IoT security, it covers fraudulent network behavior, corrupted firmware and Trusted Platform Module (TPM) protocols for threat mitigation, and component security controls (which, arguably, is a hot topic for IoT device manufacturing which long-lasting effects found in its lifecycle management and ability to perform secure updates).

Industry alliances: Another noteworthy example comes from the Groupe Speciale Mobile Association (GSMA) who made a very promising attempt to list key factors related to digital security in its IoT guideline documentation including asset risk assessment, privacy considerations, server architecture in specific IoT applications like connected vehicles, and even business alignment with data protection and consumer trust in the IoT. This is not an extensive list and certainly does not cover every security model in its entirety but is certainly a very useful addition. The GSMA’s guidelines for endpoint ecosystems is also informative and indicative of the rapidly changing pieces and security challenges across endpoints, edge servers, and IoT gateways with high, medium, and low-tier security applications.

Standardization organizations: Although far too many to be covered in a single insight, key standardization organizations like the NIST have introduced a broad range of security guidelines that are developed to work as long as possible with future developments. Guidelines such as the risk management framework (RMF), which includes the vital NIST SP 800-53 for security and privacy controls for information systems and organizations, the general cybersecurity framework, the cybersecurity supply chain risk management (C-SCRM), and the digital identity guidelines which include Identity and Access Management (IAM), authentication, and lifecycle management are applicable to the IoT security ecosystem. Probably one of the most important developments, however, that will undoubtedly impact IoT vendors and implementers from 2022 onwards, is Internet of Things Cybersecurity Improvement Act of 2020 which passed last year and places the responsibility of IoT security standards development on NIST and the U.S. Office of Management and Budget (OMB). It is expected to strengthen the U.S.’s cybersecurity posture at a federal level, albeit with a fair share of disruptions for international partners that wish to do business with the U.S..

The problem with the introduction of new standards: Introduction of data and security regulations as well as standardization initiatives for IoT technologies has been simultaneously both welcomed and met with skepticism. On the one side there are the standardization entities, regulators, and governmental committees trying to tackle the rapid growth of networking and communication technologies, proliferation of connected devices, and associated cloud services, while still providing a reasonable outline of what security infrastructure and data protection should entail on the IoT. On the other side, a sizable percentage of device manufacturers, digital infrastructure, and IoT service providers also see the advent of new regulations counter-intuitive for the support of existing deployments and disruptive for the organic evolution of new technologies.

What to anticipate and how to adapt: It might be virtually impossible for implementers to constantly anticipate any new directions that regulations might encompass, forcing them to revise current and future deployments, and lose investments. The key argument is that the time it takes for regulators to understand, process, and weigh all relevant factors in order to designate priorities and create new regulations (or modify older ones), and as such, technological progress must be restrained or halted in order not to run afoul of these new requirements. Research and Development (R&D) initiatives will need to align with current compliance measures but still be on alert for new standard and regulatory developments, and the possibility for developing innovative solutions will be constrained. Nonetheless, it can be argued that the need to comply with new IoT regulations and standards gives rise to additional monetization options for security and cloud providers in the form of compliance management for IoT device and fleet management options, identity and access management for personnel, systems architecture, and overall infrastructure. For technology developers and service providers, the primary objective will be to understand the current state and evolution of IoT regulations and security frameworks, recognize the value of each new iteration, prepare compliance-ready solutions, and tie them to flexible monetization and pricing schemes.

ABI Research posits that, ultimately, all IoT standards will need to be developed with a subtle balance between the following factors: a) evaluation of the level of disruption of existing infrastructure and near-future deployments; b) consideration of the long-term evolution of concerned IoT application or verticals in a meaningful manner (e.g., across interoperability, connectivity, security, intelligence); c) enablement of R&D instead of simply limiting innovation across the board with new hardware or software regulations; d) creation of financial models to predict what will be the possible ramifications for top performers (regional or otherwise) and whether this might cause the industry unintended cost-cutting measures. Stakeholders involved in standards development must understand that any solution will not please all affected parties and so a fine balance must be found between ensuring the right amount of security that will not inhibit innovation.