Standards and Regulations for IoT Systems

Gamze Yılan
Apr 2, 2021 · 4 min read

In this article we'll talk about the standards and regulations, local and global, that apply to IoT systems.

Because IoT devices collect and transmit personal data, protecting that data is a legal obligation as well as good practice, and it is covered by both regional and national rules. Your device has to comply with the regulations of the country and region it is sold or operated in, plus any global ones that apply. In Europe the main instrument is the GDPR (General Data Protection Regulation), an EU law on data protection that also applies throughout the European Economic Area (EEA). On top of that, each country has its own cybersecurity laws and regulations, so an IoT system must satisfy both layers.

Any system that accepts credit cards or any other form of card payment must comply with PCI DSS (Payment Card Industry Data Security Standard). PCI DSS is not a law but an industry standard, enforced through the contracts merchants and service providers have with the card brands and their acquiring banks. The IoT Security Foundation is a non-profit organization that guides you through securing an IoT system: it publishes standards and frameworks that are free to download, and offers paid training and mentoring. Read the framework they publish (the IoT Security Assurance Framework) to decide which compliance class and which steps apply, based on your system's requirements.

OWASP (Open Web Application Security Project) builds testing tools, maintains up-to-date recommendation lists such as the OWASP Top 10 and the OWASP IoT Top 10, and generally covers all things application security, IoT included. Following OWASP is an easy way to keep your knowledge of IoT and general security requirements current.

The EU Cybersecurity Act is a regulation that sets up a European framework for certifying the security of ICT products, services and processes; it is covered in its own section below.

GDPR

The GDPR (General Data Protection Regulation) is an EU regulation that harmonizes and strengthens data protection across the member states. Its goal is to protect the privacy of people in the EU in a world where almost everything is driven by data. That data can be anything from your IP address to your home address, your preferences, where you shop or your credit card details; combined, such data can be processed and traced back to reveal a great deal about you.

Article 4 matters because it contains the definitions the rest of the regulation relies on, including what counts as personal data and what counts as a personal data breach. The regulation itself sets administrative fines for infringements; it does not define criminal offences, although member states may add criminal penalties in national law.

Article 32 of the GDPR ("security of processing") lists the measures a controller or processor must take, appropriate to the risk, to keep personal data secure; Article 33 covers breach notification, discussed in the notice below. Article 32 can be summed up as:

  • Taking into account the state of the art: the measures chosen must reflect current, well-established security technology, not necessarily the newest thing available
  • The pseudonymisation (replacing data that identifies an individual with a token, with the information needed to reverse it kept separately) and encryption of personal data
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
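The pseudonymisation bullet above is the one item in that list that is a concrete technique rather than a process, so here is a worked example of it. This is an added illustration, not code from the article: it pseudonymises the direct identifiers in IoT telemetry records with a keyed HMAC and keeps the reverse mapping in a separate store. The class, field names, sample records and key are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable


class Pseudonymiser:
    """Replace direct identifiers in records with keyed tokens.

    The token is HMAC-SHA256(key, identifier). An unkeyed hash would be easy
    to reverse for low-entropy identifiers (email addresses, device serials)
    by hashing a candidate list; the secret key prevents that. The mapping
    back to the real identifier is kept in a separate store, which is the
    "additional information" the GDPR expects to be held apart from the data.
    """

    def __init__(self, key: bytes) -> None:
        if len(key) < 32:
            raise ValueError("use a key of at least 32 bytes")
        self._key = key
        self._lookup: Dict[str, str] = {}  # token -> identifier, stored separately

    def token_for(self, identifier: str) -> str:
        # Canonicalise so "Alice@Example.com " and "alice@example.com" share a token.
        canonical = identifier.strip().lower()
        token = hmac.new(self._key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()[:32]
        self._lookup[token] = canonical
        return token

    def reidentify(self, token: str) -> str:
        """Only the holder of the lookup table (and the key) can go back."""
        return self._lookup[token]

    def pseudonymise_record(self, record: dict,
                            identifier_fields: Iterable[str] = ("email", "device_serial")) -> dict:
        out = dict(record)  # do not mutate the caller's record
        for field in identifier_fields:
            if out.get(field) is not None:
                out[field] = self.token_for(str(out[field]))
        return out


if __name__ == "__main__":
    # Constructed sample telemetry; the key would normally come from a KMS or HSM.
    ps = Pseudonymiser(secrets.token_bytes(32))
    readings = [
        {"email": "Alice@Example.com", "device_serial": "SN-0001", "temp_c": 21.5},
        {"email": "alice@example.com ", "device_serial": "SN-0001", "temp_c": 22.0},
        {"email": "bob@example.com", "device_serial": "SN-0002", "temp_c": 19.8},
    ]
    for r in readings:
        print(ps.pseudonymise_record(r))
```

Two design points: the key lives outside the telemetry store, so a dump of the readings alone cannot be joined back to people, and the same identifier always yields the same token, so analytics on the pseudonymised data still work. Encryption of the records at rest is the separate, second half of that bullet and is not shown here.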

Notice: if you suffer a personal data breach, Article 33 requires you to notify the supervisory authority (the data protection authority in your country) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Article 34 additionally requires you to inform the affected users without undue delay when the breach is likely to result in a high risk to them. Informing users matters in practice: if credit card details were stolen, for instance, they can block their cards or watch their statements for fraudulent activity.

Article 32 is one of the most frequently cited provisions in enforcement actions, so a large number of fines, some of them very large, are issued every year. In 2019 the Romanian supervisory authority fined Raiffeisen Bank 150 thousand euros (and a credit broker it worked with 20 thousand euros) after customer data was exchanged over WhatsApp, with no encryption or access control on the bank's side. British Airways was notified of a proposed fine of 183 million pounds (about 204 million euros) for a 2018 breach of customer and payment card data; the final penalty, issued in October 2020, was 20 million pounds. The National Revenue Agency in Bulgaria was fined about 2.6 million euros after a breach that exposed the data of millions of citizens.

EU Cybersecurity Act

The EU Cybersecurity Act (Regulation (EU) 2019/881) is a law that establishes a cybersecurity certification framework for ICT products, services and processes across the EU member states.

One of the main goals of the EU Cybersecurity Act was to make ENISA (the European Union Agency for Cybersecurity) a permanent authority on cybersecurity by giving it a lasting legal mandate: supporting EU cybersecurity policy and strategy, running awareness and capacity-building activities, and promoting security by design and privacy by design. The Act aims to improve the security of IoT devices and online services by bringing ICT products, services and processes under one European certification framework (the first scheme developed under it builds on the Common Criteria), so that a certificate issued in one member state is recognized across the EU and national certification requirements do not clash or leave loopholes. Certification under the framework is voluntary unless other EU legislation makes it mandatory for a product category.

IoT Ecosystem

When designing an IoT system, securing the device itself is not enough: you must also look after the security of the mobile and web applications, the cloud back end and the end user, and make sure every component is safe to use.

The three main steps to ensure security are:

  • Ensuring that user authentication and authorization are implemented correctly (authentication establishes who the caller is; authorization checks what that caller is allowed to do).
  • Enforcing a sensible password policy: require passwords that are long enough, reject very common or previously breached passwords, and force a change when there is evidence of compromise. Note that current guidance such as NIST SP 800-63B advises against forcing periodic changes without such evidence, because it pushes users towards predictable variations of the old password.
  • Making sure that on the cloud side, whenever a device or an end user sends a request to your services, there is a correct and thorough authorization and input validation step. (See the OWASP Top 10.)
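The three steps above are easiest to see together in one request path. The following is an added example, not the article's own code: a password policy check with a common-password denylist, followed by a cloud-side telemetry handler that authenticates the bearer token, checks that the caller actually owns the device it is reporting for, and validates the body before using it. The token store, device registry, field names and serial-number format are all constructed for the demo.

```python
import hmac
import re
from typing import Optional, Tuple, Union

# --- Password policy -------------------------------------------------------
# Constructed denylist for the demo; in production check candidates against
# a large breached-password list instead of a handful of strings.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "admin123",
                    "letmein", "iot12345", "welcome1"}
MIN_LENGTH, MAX_LENGTH = 12, 128


def check_password(candidate: str, username: str = "") -> Optional[str]:
    """Return None when the password is acceptable, else the rejection reason."""
    if len(candidate) < MIN_LENGTH:
        return f"too short (minimum {MIN_LENGTH} characters)"
    if len(candidate) > MAX_LENGTH:
        return f"too long (maximum {MAX_LENGTH} characters)"
    if candidate.lower() in COMMON_PASSWORDS:
        return "appears on the common-password list"
    if username and username.lower() in candidate.lower():
        return "must not contain the username"
    if len(set(candidate)) < 5:  # catches "aaaaaaaaaaaa" and similar
        return "too few distinct characters"
    return None


# --- Cloud-side request handling ------------------------------------------
# Hypothetical stand-ins for a token store and a device registry.
API_TOKENS = {"tok-alice-7f3a": "alice", "tok-bob-91c2": "bob"}
DEVICE_OWNER = {"thermo-001": "alice", "cam-002": "bob"}
SERIAL_RE = re.compile(r"^[a-z]+-\d{3}$")

Response = Tuple[int, Union[str, dict]]


def authenticate(headers: dict) -> Optional[str]:
    """Map a bearer token to a user name, or None. Every stored token is
    compared with a constant-time comparison so timing does not leak matches."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):].encode("utf-8")
    user = None
    for token, owner in API_TOKENS.items():
        if hmac.compare_digest(token.encode("utf-8"), presented):
            user = owner
    return user


def handle_telemetry(headers: dict, body: dict) -> Response:
    """Authenticate, authorize the caller for the device, then validate input."""
    user = authenticate(headers)
    if user is None:
        return 401, "authentication required"

    serial = body.get("device")
    if not isinstance(serial, str) or not SERIAL_RE.match(serial):
        return 400, "malformed device id"

    # Being logged in is not enough: the caller must own this device.
    # Unknown devices and other people's devices get the same answer, so the
    # endpoint cannot be used to enumerate serial numbers.
    if DEVICE_OWNER.get(serial) != user:
        return 403, "not authorized for this device"

    temp = body.get("temp_c")
    if isinstance(temp, bool) or not isinstance(temp, (int, float)) or not -50 <= temp <= 150:
        return 400, "temp_c must be a number between -50 and 150"

    return 200, {"device": serial, "owner": user, "temp_c": float(temp)}


if __name__ == "__main__":
    print(check_password("password"))
    print(check_password("correct horse battery staple"))
    print(handle_telemetry({"Authorization": "Bearer tok-alice-7f3a"},
                           {"device": "thermo-001", "temp_c": 21.5}))
    print(handle_telemetry({"Authorization": "Bearer tok-alice-7f3a"},
                           {"device": "cam-002", "temp_c": 21.5}))
```

The second call in the demo is the case most IoT back ends get wrong: a valid user posting for a device that is not theirs. Authentication succeeds, but the ownership check rejects it with 403, and the response is identical for a serial that does not exist at all.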
