In September 2020, it was reported a coffee machine had been hacked by ransomware1. When seemingly benign consumer products can be hacked, what can be done to safeguard our connected devices?
The internet of things (IoT)
The world is becoming ever more connected. There were an estimated 8.6 billion IoT-connected devices in the world in 2019. This had risen to 15.14 billion in 2023, with the expectation that growth will continue to reach 29.42 billion by 2030. 2
But what is the IoT? In simple terms, IoT is the extension of internet connectivity into physical devices through electronics, software, sensors and actuators that enable interaction and data exchange. This ‘smart’ technology is all around us, in our televisions, speakers, appliances, locks, exercise trackers and even the games we play that connect us to opponents all over the world.
However, alongside the rise in IoT devices, we are also seeing an increase in cyberattacks. A Check Point Research (CPR) report found a 38% increase in attacks between 2021 and 2022, with the most common targets being education, government and healthcare. 3
A cyberattack could result in one of several outcomes. In the case of the coffee machine, a ransom had to be paid to return control of the device to the user, but with other IoT devices, the consequences could be far more severe. For example, a smart speaker could eavesdrop, hospital staff could be locked out of a life support system or bank details could be stolen.
Depending on the individual case, the responses can be very different. In the case of the coffee machine, it can easily be thrown away at minimal cost, but in other cases the consequences might be more serious in terms of disruption and financial cost. The average cost of a data breach was estimated to be USD 4.35 million in 2022. 4
Businesses are now actively responding to the threat. A survey of business leaders by PSA Certified found:
- 75% said security was more of a priority than 12 months ago, with spending on security rising by 15%
- 65% said they actively looked for security credentials when buying IoT products
- 69% said they were willing to pay a premium for products with certification
The report also found 68% of responders thought regulation would drive consumer trust in the security of IoT devices. 5
Regulations
Authorities around the world are responding with a variety of regulations – from the California Consumer Privacy Act (CCPA) and EU General Data Protection Regulation (GDPR) in 2018 to the recent National Institute of Standards and Technology (NIST) Cybersecurity Framework (NISTIR 8259A-NIST 8425) in the US and Australia’s Demand-response Standard AS4755.2.
This move towards more regulation mirrors the increase in IoT devices and cyber threats. However, because implementing new legislation can be slow, and the speed of development in technology and threat is rapid, there is inevitably a regulatory lag.
But is cybersecurity regulation about to catch up?
Many new regulations and standards for consumer products are expected to come into force in the next few years. These include:
- UK Product Security and Telecommunications Infrastructure (PSTI) Regulation 2023 – enters into force April 29, 2024 – manufacturers/importers must issue a statement of compliance before placing a product into the market
- US Cyber Trust Mark – this voluntary labeling scheme is based on specific criteria published by NIST relating to passwords, data protection, software updates and incident detection capabilities
- Cybersecurity Labelling Scheme (CLS) for Singapore is voluntary for most consumer products but mandatory for routers. It is based on ETSI EN 303 645 and the Infocomm Media Development Authority (IMDA) IoT cyber security guide and offers four levels of assurance
- Cyber Resilience Act (CRA) – first EU-wide legislation introducing common cybersecurity rules for manufacturers and developers of products with digital elements, covering both hardware and software. Expected to come into force in Q3 2024, it is mandatory after three years and will ensure:
- Wired and wireless products connected to the internet and software are more secure
- Manufacturers remain responsible for the cybersecurity of a product throughout its life cycle
- Consumers are properly informed about the cybersecurity of the products they buy and use
- EU Radio Equipment Directive (RED) Article 3.3 relates to cybersecurity and covers (d) networks, (e) personal data and privacy, and (f) protection from fraud and applies to devices capable of communicating via the internet, toys and childcare equipment and wearables. Originally planned for August 2024, this has now been postponed to 2025
Manufacturers and importers of IoT devices, therefore, need to make sure their products conform to relevant regulations, and since consumers are now taking cybersecurity seriously, they need to be able to demonstrate this compliance in an easy to recognize manner. Gaining an advantage in competitive markets requires a comprehensive, technical approach to compliance, which in the US means assessment against NIST 8259 and in Europe (RED and CLS) against ETSI EN 303 645.
SGS solution
We provide comprehensive solutions to support manufacturers and importers in the delivery of compliant products to regulated markets. Our services include training, product design reviews and pre-assessment, evaluations and certification. Through our global network, we can assess all products against required standards, including NIST, RED and CLS, and as a Notified Body, we can issue EU-type certification for products destined for European Markets to show compliance with RED 3.3 (d), (e) and (f).
Compliant products can then carry the internationally recognized SGS Cybersecurity Mark, demonstrating to customers the adoption of best practice and product conformity to defined standards:
- ETSI EN 303 645
- NIST IR 8425
- UK PSTI
- IEC 62443-4-2
- ISO 21434
- RED 3.3 (d, e, f)
Our strategic, step-by-step approach to cybersecurity also lets manufacturers benefit from certification against multiple standards in one evaluation.
Enjoyed this article?
Find more news and updates in our Consumer Compact newsletter >
Delivered direct to your inbox
Subscribe to Consumer Compact >
References
1 Coffee Machine Hit By Ransomware Attack – Yes, You Read That Right
2 IoT connected devices worldwide 2019-2030 | Statista
3 Threat Report 13th January 2023
4 The Costs of Data Breaches in 2022
5 New PSA Certified Report Shows that Consumers are Concerned about Device Security
© SGS Société Générale de Surveillance SA.
201 Route 17 North,
7th floor,
Rutherford, New Jersey, 07070,
United States