Compliance & Safety

How IoT device developers can prepare for tightening cybersecurity legislation

The number of IoT devices is growing in leaps and bounds, but unfortunately the devices are often badly protected. As a result of tighter information security and cybersecurity requirements in the EU and US markets, device developers are faced with new challenges and in need of more resources. If your capacity to respond to the new requirements is limited, relying on the expertise of an external partner might be an option worth considering.

Many still remember the WannaCry attack two years back. The malware caused trouble worldwide, most notably in the UK, where the cyberattack hit the NHS. High-profile attacks such as WannaCry are serious and make global headlines almost without exception. In reality, such attacks occur far more frequently than the news coverage would suggest.

The motives behind cyberattacks vary. Some attackers want to damage the devices or the infrastructure around them, while others have their eye on the valuable information contained in the device, with a view to selling it or otherwise using it to serve the attacking party's interests. Hijacking a device, a network or a piece of information can enable extortion. Sometimes a cyberattack may be motivated by simple curiosity.

There are a lot of IoT devices out there, and their number is growing at an exponential rate. The sad truth is that many of them are badly protected. The risk posed by a vulnerability is at its highest when a device is safety critical or linked to infrastructure that is critical for society. Vulnerabilities in devices containing people's personal data cannot be tolerated either. If one or more of these criteria is met, the IoT device developer must be exceptionally well aware of the current and future requirements of cybersecurity and information security legislation.
EU and US requirements tightening

In the European Union, hard law still leaves room for interpretation: in the case of health technology devices, for instance, legislation and regulations simply dictate that they must represent state-of-the-art technology in terms of information security and cybersecurity. Parallel to hard law, there is soft law that encompasses device-specific standards and certifications. These define how cybersecurity must be built into the devices and what the devices should be like in terms of software architecture. Standards, however, are not always mandatory.

State-of-the-art technology and voluntary certification will not suffice for very long in the EU. The EU's General Data Protection Regulation, for example, has put information security and cybersecurity on the table. While no actual decisions have been made as of yet, IoT device cybersecurity certification is very likely to become mandatory as early as the 2020s.

The United States, another important market area, is a step ahead of the EU when it comes to hard law. The US Food and Drug Administration (FDA), for example, is substantially tightening its cybersecurity requirements for health technology devices. US requirements on IoT technology related to self-driving cars, and on all IoT devices purchased by state institutions and government agencies, are also becoming more stringent.

These requirements mean that device developers will have to start complying with cybersecurity standards and the software development and testing methods defined in them. In addition to software design, the lifecycle management of software is also gaining a bigger role: it must be possible to monitor IoT products for potential vulnerabilities, and any detected vulnerabilities must be reported and repaired as required.

Companies' readiness to respond to challenges varies

Responding to the above-mentioned changes will require more resources from companies.
One thing is certain: demand for cybersecurity know-how will explode in the next few years. Depending on the company, the change this entails could be quite dramatic. In large international companies, working with standards is probably already business as usual, and conformity aspects have long been taken into account as a routine part of software development. Such companies are likely to be able to draw on their in-house expertise, in which case the impact of the tightening requirements will boil down to a few more provisions to consider.

Smaller companies may, however, be less prepared to respond to the new requirements, even more so in sectors where standards traditionally play a less prominent role. For them, the upcoming changes may be so new and so sudden that they find themselves unable to react quickly enough, which can delay the launch of new products to the market.

If a company has limited readiness and is a stranger to software design and implementation, an external partner can serve as a guide in the midst of the changes. In these kinds of projects, Etteplan provides guidance to its customer's software team and helps ensure that the required cybersecurity capabilities are built into the product during the process. The customer's software team becomes acquainted with the key cybersecurity requirements and standards over the course of the project.

Ready-made development platforms available on the market, which take into account the requirements of the various standards, are also a good option. For example, Etteplan's partner ARM offers an excellent software development platform – ARM Mbed – that helps take cybersecurity requirements into account in the development of IoT products.