2024 marks a turning point in IoT cybersecurity, with significant advancements in laws and regulations in the EU, the US, and the UK. The rapid proliferation of IoT technology has quite rightly been matched by an increased focus on securing these devices against cyber threats. As a result, significant regulatory milestones are due to be enforced this year, shaping how we approach IoT cybersecurity and, most importantly to us engineers, how we design our IoT products.
We aim to provide a thorough breakdown of the critical guidelines and standards for IoT product security and explore how you can ensure your products are on the right side of compliance. To that end, we show you how our cryptographic security experts, SealSQ, can help you tick all the regulatory boxes and simplify the process of getting certified.
Understanding the IoT regulations
The IoT landscape has been a little like the wild west, but recent years have seen the IoT regulatory environment mature, with lawmakers focusing on strengthening IoT cybersecurity so that connected devices are more resilient against cyber threats, with the ultimate aim of safeguarding the privacy of our personal information within the IoT realm.
Here are the most important aspects of the new measures being implemented in the UK, EU and US.
The PSTI Act in the UK
The UK has taken a significant step in enhancing the cybersecurity of Internet of Things (IoT) devices with the introduction of the Product Security and Telecommunications Infrastructure (PSTI) Act, which is set to take effect from April 2024. This new legislation is a response to the growing concerns about cybersecurity in the digital age, particularly in the IoT sector, with the aim of shifting the responsibility for securing these devices from consumers to the manufacturers themselves.
The PSTI Act focuses on three key areas of compliance that have a significant impact on the fire and security market:
Clear Information on Support Period at Point of Sale: Manufacturers are required to explicitly inform consumers about the duration of updates and support for their products at the point of sale. This ensures that consumers are aware of the timeframe for which they can expect support for their IoT devices.
No Default Passwords: The Act mandates that each IoT device must come with a unique password, which must be used at the first login. This requirement is aimed at addressing the security risk associated with devices having easily guessable or common default passwords.
Reporting of Security Issues: Manufacturers are obliged to establish and communicate clear procedures for reporting security vulnerabilities. This includes providing contact information for reporting vulnerabilities and ensuring that customers are promptly informed about any identified vulnerabilities, along with timely fixes. This aspect underscores the importance of active management of security risks in IoT devices.
The PSTI Act integrates international standards like ETSI EN 303 645 and ISO/IEC 29147. It formalises cybersecurity protocols that were previously implemented on a voluntary basis within the UK. This legislation is crucial in the context of historical cybersecurity incidents, such as the Mirai malware attack, which highlighted the inherent vulnerabilities in IoT devices. By setting mandatory regulations, the PSTI Act aims to elevate baseline security standards for smart products, affecting manufacturers, distributors, and importers alike, and ensuring a safer and more secure digital environment for consumers and businesses.
The E.U.'s Cybersecurity Act and Cyber Resilience Act (IoT device security)
The European Union has introduced two legislative frameworks to bolster cybersecurity and digital resilience across the EU: the Cybersecurity Act and the proposed Cyber Resilience Act. Each act has distinct objectives and scopes, targeting different aspects of cybersecurity.
Cybersecurity Act: Enacted as Regulation (EU) 2019/881 on April 17, 2019, and effective from June 27, 2019, this act focuses on strengthening the EU's overall cybersecurity framework. Its primary objectives are two-fold. Firstly, it establishes a permanent mandate for the EU Cybersecurity Agency (ENISA), aimed at enhancing the cybersecurity posture across the EU. Secondly, it introduces an EU-wide cybersecurity certification framework that applies to digital products, services, and processes. This act targets a broad range of digital offerings, with a particular focus on critical infrastructure and essential services.
Cyber Resilience Act: Proposed in 2022 with expected approval in 2024, this act is designed to ensure a high and common level of cybersecurity throughout the EU. Unlike the Cybersecurity Act, which has a broader focus, the Cyber Resilience Act specifically targets products with digital elements. This includes software, hardware, and Internet of Things (IoT) devices. The key aim of this act is to embed cybersecurity considerations in the entire lifecycle of these products, from their design and development phase through to maintenance and eventual safe disposal.
In summary, while both acts share the common goal of enhancing cybersecurity in the EU, they differ in focus and approach. The Cybersecurity Act primarily establishes a certification framework and strengthens ENISA's role, covering a wide array of digital products and services. In contrast, the Cyber Resilience Act imposes specific obligations on products with digital elements, emphasising the integration of cybersecurity throughout their lifecycle. This distinction highlights the EU's comprehensive approach to addressing the multifaceted challenges of digital security in a rapidly evolving technological landscape.
Enforcement of the EU Cybersecurity and Cyber Resilience Acts
The enforcement mechanisms and potential impact of the European Union's Cybersecurity Act and the proposed Cyber Resilience Act vary, reflecting their different approaches to enhancing digital security.
The implementation of both acts is significant not only for the EU but also on a global scale. Like the General Data Protection Regulation (GDPR), these acts are likely to serve as models for other non-EU countries and territories when they are crafting similar legislation. Therefore, early compliance and preparation by manufacturers and service providers will not only ensure adherence to EU regulations but also offer a competitive advantage as these standards become globally recognised and adopted.
IoT regulations in the U.S. (Cybersecurity Improvement Act)
As of January 2024, the United States lacks a national regulatory framework or a comprehensive set of standards specifically for IoT cybersecurity. However, significant steps have been taken towards establishing minimum security standards for IoT devices used by the federal government with the introduction and passing of the 2019 IoT Cybersecurity Improvement Act.
IoT Cybersecurity Improvement Act: This act was introduced in March 2019 by members of both the U.S. Senate (S.734) and House of Representatives (H.R. 1668) and passed on December 4, 2020. It sets forth minimum security standards for connected devices purchased by the federal government. Notably, the act's approach is to influence rather than directly regulate the private sector, with the intention of avoiding any potential slowdown in innovation.
Key components of the IoT Cybersecurity Improvement Act include:
Authority to NIST: The National Institute of Standards and Technology (NIST) is given the authority to oversee IoT cybersecurity risks for equipment acquired by the federal government.
Mandatory Guidelines: NIST is mandated to issue guidelines on security development, identity management, patching, and configuration management for IoT products.
Federal Government Compliance Requirement: Any IoT device purchases by the federal government must comply with these NIST recommendations. Manufacturers that do not adopt these guidelines risk being excluded from the substantial federal government market.
Encouragement of Coordinated Disclosure Policies: The act encourages IoT device manufacturers to adopt coordinated disclosure policies, ensuring swift information sharing in case a vulnerability is found.
This legislation leverages the federal government's procurement power to promote better cybersecurity practices in IoT devices, aiming to indirectly influence the broader market through these standards. The act represents a strategic approach to enhance IoT security across the U.S. by setting a benchmark for devices used in federal operations, potentially creating a ripple effect in the private sector.
Comparing PSTI Act with EU and US Regulations
A comparison of the UK's Product Security and Telecommunications Infrastructure (PSTI) Act with the EU's Cybersecurity and Cyber Resilience Acts, and the US's IoT Cybersecurity Improvement Act, reveals both divergences and convergences in approach and scope, offering insights into potential common standards for global compliance.
At this stage, the US has avoided legislating on manufacturers directly, opting instead for tougher standards and compliance in its own federal procurement. This is a rather soft, passive approach to achieving any meaningful improvement in the security of US consumer IoT products.
Common Standards and Global Compliance
Despite the regional differences, there are emerging commonalities in IoT security standards. These include:
Lifecycle Approach to Security: All three regions emphasise the importance of integrating security considerations throughout the lifecycle of IoT devices, from design to disposal.
Unique Device Authentication: There's a unanimous push towards unique authentication methods (e.g., unique passwords in the UK, unique device identification in the EU and US).
Transparency and Disclosure: All regions advocate for clear disclosure policies regarding the support period, security updates, and vulnerability reporting mechanisms.
Compliance and Certification: While the approaches vary, there is a shared emphasis on compliance and certification to ensure a baseline security standard, whether through voluntary schemes (EU, US) or mandatory requirements (UK).
How SealSQ can help Electronic Engineers achieve compliance with the PSTI Act in the UK AND exceed the requirements of EU & US IoT legislation
Navigating the Compliance Process with SealSQ
SealSQ's solutions offer a streamlined path to compliance, reducing the complexity and time required for manufacturers to meet the PSTI Act's standards. Their integrated approach means manufacturers can quickly adapt to the required security protocols, minimising the risk of non-compliance and the severe financial penalties associated with it.
The Technical Edge: SealSQ's Innovative Approach
SealSQ's technology is designed to address the PSTI Act's technical and process-based requirements effectively. Their state-of-the-art tamper-resistant hardware and trust services ensure the highest level of security for IoT devices. By integrating these advanced solutions, SealSQ enables manufacturers to design products that are secure from the outset, conforming to both the PSTI Act and the anticipated requirements of the EU's CRA.
SealSQ offers a robust and integrated solution for IoT security compliance, crucial for adhering to the PSTI Act's requirements. Their approach focuses on key areas:
Unique and Secure Authentication: SealSQ replaces traditional passwords with unique X509 certificates, utilising asymmetric cryptography and secure elements. This aligns with the PSTI Act's mandate for unique passwords and enhances overall device security.
Efficient Vulnerability Disclosure Management: With an easy-to-use PKI-as-a-Service interface, SealSQ simplifies the process of managing certificates and handling vulnerability disclosures, ensuring compliance with the PSTI Act's requirements for vulnerability disclosure and response.
Guaranteed Security Update Compliance: SealSQ's solutions ensure that information regarding security update periods is transparent and adheres to the PSTI Act's specifications. This approach not only meets legislative requirements but also instills consumer confidence in product security.
Introducing SealSQ's Vault IC
With hardware-based key storage and cryptographic accelerators, the VaultIC provides a wide array of cryptographic features, including identity, authentication, encryption, key agreement, and data integrity.
The hardware security protects against physical attacks such as micro-probing and side-channel analysis, ensuring your data remains secure. The VaultIC family is FIPS140-3 Level 3 (CMVP) certified and includes NIST-recommended algorithms and key lengths, such as Elliptic Curve Cryptography (ECC), Rivest-Shamir-Adleman (RSA), and Advanced Encryption Standard (AES), all implemented on-chip and using on-chip storage of secret key material to keep your secrets protected.
With a NIST SP800-90B certified TRNG, all IoT platform cryptographic calculations have top-quality entropy. The secure storage and cryptographic acceleration support a range of use cases, such as network/IoT end node security, platform security, secure boot, secure firmware download, secure communication/TLS, data confidentiality, encryption key storage, and data integrity.
What's more, the firmware library provided simplifies integration into virtually any MCU/MPU, with support for common use cases including TLS, sign/verify, secure read/write, and more. Keep your IoT platform secure with VaultIC.
Provisioning of the Vault-IC
The Vault-IC can be provisioned at wafer level at the Common Criteria certified SEALSQ factory or using SEALSQ “Personalisation-On-Package” services. The provisioning includes one or more credentials and certificates along with configuration and product specific data. It can simplify & secure the production of the IoT device since the security requirements of the IoT device factory can be relaxed.
In particular for Smart Home devices, SEALSQ uses the WISeKey Root-of-Trust, which is certified by the Connectivity Standards Alliance (CSA) as a compliant Matter Product Attestation Authority (PAA). This CSA certification enables the WISeKey Root of Trust to pre-load Matter-compliant X509 certificates (Matter DAC) in the Vault-IC, accelerating the certification process for devices with the Matter Standard.
SEALSQ Cyber Trust Mark Service
The SEALSQ Cyber Trust Service consists of the components below. The service is intended to provide the tool suite and expert guidance to meet the security requirements, simplify the certification process, and ultimately achieve the label.
1. Vault-IC secure element to provide secure storage of keys and data
a. FIPS140-3 Certified technology
b. Storage for keys and Certificates (IDEVID, LDEVIDs)
c. Storage for passwords and application data
d. Crypto acceleration
2. Firmware APIs that implement the “Baseline Requirements” on the Vault-IC
3. Implementation guide
4. Cyber Trust Mark checklist
5. Expert guidance
Achieving the Cyber Trust Mark with SEALSQ
The consolidated “Baseline Requirements” apply to the IoT device. We examine each requirement in the following subsections and show how SEALSQ products and services can be used to fulfil it and achieve the Cyber Trust Mark.
Securely Store Credentials & Certificates
This requirement applies to both the Birth Certificate (IDEVID) and Operational Certificates (LDEVIDs) along with their associated private keys. The IDEVID certificate becomes the fundamental identity for the IoT device and can be used to establish the trust required for LDEVID certificates to be issued.
The Vault-IC family of secure elements provides secure key storage along with crypto acceleration of NIST-recommended cryptography algorithms. The certificates are also securely stored on the Vault-IC, so that the Vault-IC can serve as the cryptographically verifiable hardware root of trust for the IoT platform.
The INeS CMS can provide IDEVIDs and LDEVID certificates for IoT devices. The certificates will be signed by the IoT ecosystem trusted Certificate Authority (CA). The IDEVID is usually provisioned on the Vault-IC secure element in the Common Criteria certified SEALSQ factory. The LDEVIDs can be provisioned in the factory or in the field based on the use case.
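The trust relationship described above, an IDEVID issued by the factory CA that later vouches for the device when an operational CA issues an LDEVID, as an added example in Go. This is illustrative code written for this article, not SealSQ's or INeS's software: the CA names, the `enrolLDevID` policy function and the certificate lifetimes are assumptions, and the keys are generated in memory where a real deployment would keep them in the secure element and an HSM.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Lifetimes assumed for the example: an IDevID outlives the product, an LDevID is short.
const (
	idevidLifetime = 20 * 365 * 24 * time.Hour
	ldevidLifetime = 365 * 24 * time.Hour
)

// issuer pairs a CA certificate with its signing key (in production the key stays in an HSM).
type issuer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCA creates a self-signed ECDSA P-256 CA certificate.
func newCA(name string) (*issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(30 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &issuer{cert: cert, key: key}, nil
}

// newDeviceKey stands in for the key pair a secure element generates on-chip.
func newDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// issueDeviceCert signs an end-entity certificate whose subject is the device serial,
// so the credential is bound to exactly one unit.
func (ca *issuer) issueDeviceCert(deviceSerial string, pub *ecdsa.PublicKey, lifetime time.Duration) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: deviceSerial},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, pub, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyChain checks that cert was issued under root and is currently valid for client auth.
func verifyChain(cert, root *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// enrolLDevID is the operational CA's policy (assumed here): an LDevID is issued only to a
// device whose IDevID chains to the trusted factory root, and it names the same serial.
func enrolLDevID(opCA *issuer, factoryRoot, idevid *x509.Certificate) (*x509.Certificate, error) {
	if err := verifyChain(idevid, factoryRoot); err != nil {
		return nil, fmt.Errorf("IDevID rejected: %w", err)
	}
	pub, ok := idevid.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("IDevID does not carry an ECDSA key")
	}
	return opCA.issueDeviceCert(idevid.Subject.CommonName, pub, ldevidLifetime)
}

func main() {
	factory, _ := newCA("Example Factory Root")
	opCA, _ := newCA("Example Operational CA")
	devKey, _ := newDeviceKey()
	idevid, _ := factory.issueDeviceCert("SN-0001", &devKey.PublicKey, idevidLifetime)
	ldevid, err := enrolLDevID(opCA, factory.cert, idevid)
	fmt.Println("LDevID issued:", err == nil && ldevid.Subject.CommonName == "SN-0001")
}
```

The point to notice is that the operational CA never has to know the device in advance: the factory-installed IDEVID is the proof of identity, and an IDEVID signed by any other root is refused before an LDEVID is issued.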
How Vault-IC meets and exceeds the base requirements of the new IoT security legislation:
Table showing the industry “Best Practices” Baseline Requirements: the combined and consolidated “Implied Requirements” from NISTIR 8425 and ETSI EN 303 645

| Best Practices Requirement | Description | SealSQ Solution |
|---|---|---|
| Securely Store Credentials & Certificates | Applies to both the Birth (or factory) Certificate (IDEVID) and Operational Certificates (LDEVIDs) along with their associated public/private key pairs. | ✅ |
| Credential-based authentication | IDEVID (birth certificate) and LDEVIDs (application certificates) | ✅ |
| Unique password | Factory-defined passwords must be unique | ✅ |
| Specialised User Roles | Roles for administration, operation, etc. | ✅ |
| Secure Storage and Update of data | Applies to configuration, user, and application data | ✅ |
| Secure Communication | Includes communication on the bus, and communication to other IoT ecosystem nodes | ✅ |
| Secure Software Update | Verify software package when downloading | ✅ |
| Secure Boot | Verify software package in bootloader | ✅ |
| Device Intent | Configuration to only the intended functionality of the IoT device | ✅ |
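The two rows “Secure Software Update” and “Secure Boot” share one mechanism: the device checks a vendor signature over the package before it trusts it, whether in the bootloader or in the updater. The following Go code is an added example of that check, written for this article rather than taken from SealSQ's firmware library. The manifest layout (version, SHA-256 of the image, Ed25519 signature) and the function names are assumptions; on a real device the vendor public key would be held in the secure element or OTP rather than generated at run time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest layout assumed for this example (not a SealSQ format):
//   version (uint32, big-endian) || SHA-256(image) || Ed25519 signature over the preceding bytes.
const (
	signedLen   = 4 + sha256.Size
	manifestLen = signedLen + ed25519.SignatureSize
)

// newVendorKey stands in for the vendor's firmware-signing key; only the public half
// ever reaches the device.
func newVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// buildManifest runs on the vendor's signing system, never on the device.
func buildManifest(signKey ed25519.PrivateKey, version uint32, image []byte) []byte {
	m := make([]byte, signedLen, manifestLen)
	binary.BigEndian.PutUint32(m[:4], version)
	digest := sha256.Sum256(image)
	copy(m[4:], digest[:])
	return append(m, ed25519.Sign(signKey, m)...)
}

// verifyUpdate is the device-side check, identical for a bootloader verifying the
// resident image and for an updater verifying a downloaded package. It returns the
// version to record on success and an error for every reason to refuse the image.
func verifyUpdate(vendorPub ed25519.PublicKey, manifest, image []byte, currentVersion uint32) (uint32, error) {
	if len(manifest) != manifestLen {
		return 0, errors.New("malformed manifest")
	}
	signed, sig := manifest[:signedLen], manifest[signedLen:]
	// 1. Authenticity first: nothing in the manifest is trusted until the signature holds.
	if !ed25519.Verify(vendorPub, signed, sig) {
		return 0, errors.New("manifest signature invalid")
	}
	// 2. Anti-rollback: a validly signed but older image must still be refused.
	version := binary.BigEndian.Uint32(signed[:4])
	if version <= currentVersion {
		return 0, fmt.Errorf("rollback refused: version %d <= installed %d", version, currentVersion)
	}
	// 3. Integrity: the image on flash or in the download buffer must be the one that was signed.
	digest := sha256.Sum256(image)
	if subtle.ConstantTimeCompare(digest[:], signed[4:]) != 1 {
		return 0, errors.New("image digest does not match manifest")
	}
	return version, nil
}

func main() {
	pub, priv, err := newVendorKey()
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image, version 2") // constructed sample payload
	manifest := buildManifest(priv, 2, image)
	v, err := verifyUpdate(pub, manifest, image, 1)
	fmt.Println("accepted version:", v, "err:", err)
	image[0] ^= 0x01 // simulate a corrupted or modified download
	_, err = verifyUpdate(pub, manifest, image, 1)
	fmt.Println("tampered image err:", err)
}
```

The ordering inside `verifyUpdate` matters: the signature is checked before the version field is read, so a downgrade cannot be forced by editing the unsigned bytes, and the digest comparison is constant-time so the check does not leak how many bytes matched.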
SealSQ's solution delivers
Certificates and public/private key pairs stored on the Vault-IC secure element can be used to configure, use, and communicate with the platform. The Vault-IC stores the IDEVID and LDEVIDs for application-layer authentication, which are used for device identity and for multiple users with unique permissions.
Unique passwords can be generated using NIST SP800 and stored using xMAC functionality. Alternatively, some IoT ecosystems use certificate-based authentication, eliminating the need for passwords.
Specialised user roles can also be implemented using the Vault-IC's access control model. The manufacturing, administrative, and operational users can be configured with unique permissions for interacting with the IoT device platform. Stay secure with Credential-Based Authentication and the Vault-IC family of secure elements.
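The “unique password” requirement above is easy to state and easy to get subtly wrong at the factory. The following Go code is an added example of the provisioning-side checks an engineer would want, written for this article and not part of SealSQ's tooling: draw each password from the operating system's CSPRNG, reject anything on a deny list of well-known defaults or anything containing the serial number or MAC printed on the label, and refuse duplicates within a production batch. The alphabet, length, deny list and `device` struct are assumptions.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Alphabet and length are our choices for the example: 56 unambiguous characters at
// 12 positions gives roughly 70 bits of entropy per password.
const (
	passwordAlphabet = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
	passwordLength   = 12
	maxAttempts      = 5
)

// commonDefaults is a constructed, deliberately tiny deny list of well-known defaults.
var commonDefaults = map[string]bool{
	"admin": true, "password": true, "12345678": true, "default": true, "123456789012": true,
}

// device holds the public identifiers printed on the label; a password must not be
// derivable from any of them.
type device struct {
	Serial string
	MAC    string
}

// generatePassword draws each character uniformly from the OS CSPRNG.
func generatePassword() (string, error) {
	var sb strings.Builder
	n := big.NewInt(int64(len(passwordAlphabet)))
	for i := 0; i < passwordLength; i++ {
		idx, err := rand.Int(rand.Reader, n)
		if err != nil {
			return "", err
		}
		sb.WriteByte(passwordAlphabet[idx.Int64()])
	}
	return sb.String(), nil
}

// checkPassword applies the per-device rules: minimum length, not a known default, and
// not containing the serial or MAC (identifiers anyone holding the unit can read).
func checkPassword(pw string, d device) error {
	if len(pw) < passwordLength {
		return errors.New("password too short")
	}
	lower := strings.ToLower(pw)
	if commonDefaults[lower] {
		return errors.New("password is a common default")
	}
	for _, id := range []string{d.Serial, strings.ReplaceAll(d.MAC, ":", "")} {
		id = strings.ToLower(id)
		if len(id) >= 4 && strings.Contains(lower, id) {
			return errors.New("password derived from a public identifier")
		}
	}
	return nil
}

// provisionBatch assigns one password per device and refuses to reuse a password
// within the batch, which is the "unique per device" property the requirement asks for.
func provisionBatch(devs []device) (map[string]string, error) {
	out := make(map[string]string, len(devs))
	seen := make(map[string]bool, len(devs))
	for _, d := range devs {
		assigned := false
		for attempt := 0; attempt < maxAttempts && !assigned; attempt++ {
			pw, err := generatePassword()
			if err != nil {
				return nil, err
			}
			if checkPassword(pw, d) != nil || seen[pw] {
				continue
			}
			seen[pw] = true
			out[d.Serial] = pw
			assigned = true
		}
		if !assigned {
			return nil, fmt.Errorf("no acceptable password for %s after %d attempts", d.Serial, maxAttempts)
		}
	}
	return out, nil
}

func main() {
	// Constructed sample batch of two devices.
	batch := []device{{"SN-0001", "AA:BB:CC:00:00:01"}, {"SN-0002", "AA:BB:CC:00:00:02"}}
	pws, err := provisionBatch(batch)
	fmt.Println(len(pws), "passwords provisioned, err:", err)
}
```

The batch output is what gets written to the device (for example under the MAC-protected storage the text mentions) and printed on the per-unit label; the point of `checkPassword` is that a password which is random but accidentally contains the serial, or which collides with a common default, is rejected rather than shipped.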
We won't provide a detailed breakdown of how SealSQ's technology addresses all of the legislative requirements in this article, but if you want to find out more or you would like us to arrange a presentation with the team, get in contact with Ineltek Ltd here.