The shipping of IoT devices with inadequate or badly integrated security has slowed the uptake of comprehensive embedded device security. Due to a lack of restrictions, it has been up to manufacturers to decide whether, what, and how to apply device-level security.
Governments have nonetheless proposed rules to enhance the security of IoT devices in response to the increasing frequency and severity of hacking incidents. IoT device design and deployment in 2023 will be impacted by the rapid adoption of new standards and rules in 2022.
Automotive has been one of the earlier adopters of embedded cybersecurity with the advent of electric vehicles, autonomous driving, and software-defined vehicles. Even traditional internal combustion vehicles are increasingly connected and are prime targets for hackers. Last year saw the UNECE R155 automotive cybersecurity regulation come into effect for new vehicle-type approval. Aligned with the ISO/SAE 21434 standard, R155 requires the automotive supply chain to establish and certify cybersecurity management systems (CSMS), which are designed to assess risks, manage those risks through security by design, and secure each vehicle throughout its lifetime. Compliance with this regulation is a key focus for all auto manufacturers and suppliers in the European market. 2023 is considered a critical year for driving adoption broadly across the automotive supply chain.
The US government is stressing IoT cybersecurity. Cybersecurity Maturity Model Certification (CMMC) and the implementation of NIST SP 800-171 and SP 800-53 previously centered on IT security for federal and supplier networks, but they now also encompass IoT devices that handle controlled unclassified information (CUI). Network-connected equipment must now have access and management controls and FIPS-validated encryption. Since the timelines for enforcing these rules are uncertain, providers of IoT devices to US federal enterprises should evaluate their products and solutions now to ensure compliance.
The FDA updated its Cybersecurity in Medical Devices draft guidance for premarket submissions in 2022 to prioritize medical device security. Medical device safety and quality system rules now emphasize cybersecurity. Threat modeling, software bills of materials (SBOMs), security by design, and lifecycle management are recommended for secure product development. The FDA recommends authentication, authorization, cryptography, code/data/execution integrity, secrecy, event detection/logging, robustness, and updatability. In December 2022, the Consolidated Appropriations Act empowered the FDA to regulate medical device cybersecurity. This regulation compels medical device manufacturers to provide security monitoring and maintenance plans, support device security lifecycles with software updates, and offer SBOMs for new devices. The FDA will issue new guidelines in 2023 after considering these requirements.
Consumer markets are prioritizing cybersecurity. The U.S. government is developing a Consumer IoT Product Labeling program to communicate the security capabilities, recommended setup, and long-term security maintenance of consumer IoT products. In 2022, the Matter smart-home device interoperability and security standard was approved, and consumer semiconductor vendors and smart-home device manufacturers now support Matter-compliant devices.
2022 also saw the enactment of the U.K. Product Security and Telecommunications Infrastructure Bill, which will require IoT device manufacturers to stop using default passwords, state how long security updates will be provided after a device is launched, and disclose known vulnerabilities.
The EU has also taken steps to enhance security for all IoT devices sold in Europe, where security is currently not mandated. The proposed European Cyber Resilience Act mandates that IoT devices must have an “appropriate level of cybersecurity enabled in devices” by default configuration, prohibits the sale of products with known vulnerabilities, and requires the minimization of the impact of security incidents. Although the implementation of the necessary security measures remains to be determined, these are crucial initial measures towards promoting the adoption of widely deployed security controls for IoT devices in Europe.