The number of Internet of Things (IoT) devices has grown rapidly in recent years. Statista predicts that intelligent gadgets in households worldwide, including smart TVs, smart locks, IP cameras and home assistants, will reach 75 billion units by 2025. This is a fivefold increase in ten years. However, this growth comes with serious risks.

The number of attack vectors grows with IoT devices, resulting in a significant security gap. The problem is that these devices often have no or insufficient security, making them the world’s fastest-growing attack environment for organisations, with attacks increasing by 300 percent in 2019.  

Cybercriminals use a variety of vulnerabilities in smart devices to gain access to large networks. Governments around the world are constantly introducing new regulations to improve the security of connected devices. For example, the UK and Australia have developed voluntary guidelines for consumer IoT devices, making them among the pioneers of IoT security.

In January 2020, California and Oregon, both in the United States, introduced new laws requiring IoT devices to take ‘appropriate security measures’.

All parties, including governments, manufacturers, and organisations, have problems regulating the Internet of Things. The goal is to continue working on legislation that successfully protects consumers, is easy to implement, and promotes long-term IoT business growth.  

1. Security Act of California

California Governor Jerry Brown, who regulated the security of Internet of Things (IoT) devices, passed a new law in September 2019 that went into effect on 1 January 2020. This IoT security rule requires all IoT devices sold in the state of California to have acceptable security measures. California’s Internet of Things (IoT) law establishes additional security criteria for IoT systems to effectively manage the dangers posed by increasing levels of connectivity in the workplace.  

According to the text, “any device or other physical entity that can connect directly or indirectly to the Internet is assigned an Internet Protocol or Bluetooth address.” It has been called “problematic” by some because connected gadgets include everything from personal computers and printers to thermostats and employee health trackers.

Organisations may find it difficult to comply with new standards if the term “reasonable security function” is interpreted broadly. However, the developments in California are a good start for properly protecting IoT devices.  

2. NIST guidelines

The National Institute of Standards and Technology (NIST) in the United States has been developing new IoT security solutions and working on other IoT assets since its first publication on IoT security.  

The new report focuses on the cyber security features that IoT device makers can incorporate into their products. While the NIST publications do not require compliance, they provide essential recommendations to encourage best practices for addressing IoT security issues.

3. New IoT laws in the UK

To increase the security of customer data, the UK government proposed additional mandatory limits for makers of IoT devices in January 2020.  The aim is to relieve customers of their device security responsibilities by ensuring that full cyber security is built into these devices from the outset.

Under the proposed legislation, all smart consumer devices supplied in the UK must provide a minimum level of security.  This includes three fundamental requirements:

  1. All paired devices must have unique passwords;
  2. Manufacturers must provide a public contact for reporting vulnerabilities; and
  3. A minimum period for security upgrades must be specified when they are sold.

4. This is only the beginning

Researchers continue to discover fundamental security problems in commercially available IoT devices, ranging from default factory passwords to privacy issues. Many IoT devices are more vulnerable to hackers than traditional technologies because they lack the processing power to run essential security software on their own.