{"id":16684,"date":"2019-10-24T11:00:05","date_gmt":"2019-10-24T19:00:05","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/10\/24\/news-10423\/"},"modified":"2019-10-24T11:00:05","modified_gmt":"2019-10-24T19:00:05","slug":"news-10423","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/10\/24\/news-10423\/","title":{"rendered":"How to Regulate IoT Cybersecurity"},"content":{"rendered":"<p><strong>Credit to Author: Trevor Rudolph | Date: Tue, 22 Oct 2019 18:19:51 +0000<\/strong><\/p>\n<p>Today, I have the honor of speaking on IoT security policy at the annual <a href=\"https:\/\/www.cybersecuritycoalition.org\/\" target=\"_blank\" rel=\"noopener noreferrer\">CyberNextDC conference<\/a> organized by the Cybersecurity Coalition. As the number of connected devices grows and these devices are increasingly recruited into &#8220;botnets&#8221;:<\/p>\n<h3><span style=\"color: #3dcd58\">&#8220;Global policymakers are under pressure to regulate the cybersecurity of the Internet of Things (IoT).&#8221;<\/span><\/h3>\n<p>Below are just a few examples of governments that are contemplating regulatory activity in this space:<\/p>\n<ul>\n<li><strong>European Union<\/strong>: The EU Cybersecurity Act will, among other things, allow the EU 
Agency for Cybersecurity (ENISA) to set certification schemes for information and communications technology (ICT) products, services, and processes, to include the IoT. <a href=\"#_edn1\" name=\"_ednref1\"><sup>[1]<\/sup><\/a><\/li>\n<li><strong>Japan<\/strong>: The Ministry of Economy, Trade and Industry (METI) has published a Cyber\/Physical Security Framework pertaining to the security of IoT and other connected systems. <a href=\"#_edn2\" name=\"_ednref2\"><sup>[2]<\/sup><\/a><\/li>\n<li><strong>Singapore<\/strong>: The Infocomm Media Development Authority is developing an IoT Cyber Security Guide. <a href=\"#_edn3\" name=\"_ednref3\"><sup>[3]<\/sup><\/a><\/li>\n<li><strong>United Kingdom<\/strong>: The Department for Digital, Culture, Media and Sport has issued a Code of Practice for Consumer IoT Security and recommended regulations to require that consumer IoT devices incorporate at least minimum security controls. <a href=\"#_edn4\" name=\"_ednref4\"><sup>[4]<\/sup><\/a><\/li>\n<\/ul>\n<p>At Schneider, we\u2019re used to operating with this type of complexity.<\/p>\n<h3><span style=\"color: #3dcd58\">&#8220;For over 100 years, we have executed a multi-local strategy: manufacturing locally, servicing locally, and patenting locally.&#8221;<\/span><\/h3>\n<p>That said, such country-specific requirements for IoT device manufacturers present several limitations. \u00a0Instead of promoting widespread, open innovation; economic prosperity for the global <a href=\"https:\/\/blog.se.com\/cyber-security\/2019\/09\/26\/creating-a-more-secure-digital-ecosystem-by-connecting-the-dots\/\">digital economy<\/a>; or consistent security protocols, disparate requirements will likely lead to regulatory fragmentation. \u00a0As a result, only large players will be able to meet this myriad of requirements and consumers will be left to determine how secure a device is based upon where it is manufactured.<\/p>\n<p><span style=\"color: #3dcd58\"><strong>Raising the bar on cybersecurity<\/strong><\/span><\/p>\n<p>At Schneider Electric, we see an alternative path \u2014 one that fosters both innovation and security for industry players, governments, and global citizens.\u00a0 It is a path where governments work collaboratively, through open dialogue, to find common regulatory ground.\u00a0 Ideally, this path would lead to harmonization and interoperability between IoT security requirements and corresponding certification schemes.\u00a0 And there is room for optimism.<\/p>\n<p>We can look to the <a href=\"https:\/\/www.nist.gov\" target=\"_blank\" rel=\"noopener noreferrer\">U.S. 
National Institute of Standards and Technology<\/a> (NIST) for an example.\u00a0 This organization has a long history of facilitating industry-driven, consensus-based initiatives to promote stronger cybersecurity practices.\u00a0 In <a href=\"https:\/\/www.schneider-electric.com\/en\/work\/solutions\/cybersecurity\/\">cybersecurity<\/a>, NIST is best known for the development of the <a href=\"https:\/\/www.schneider-electric.com\/en\/download\/document\/998-20244304\/\" target=\"_blank\" rel=\"noopener noreferrer\">NIST Cybersecurity Framework for Critical Infrastructure Protection<\/a>, but NIST is now working on a new effort that could be just as impactful.\u00a0 This effort, which is still in draft, is known as <a href=\"https:\/\/csrc.nist.gov\/publications\/detail\/nistir\/8259\/draft\" target=\"_blank\" rel=\"noopener noreferrer\">NISTIR 8259:\u00a0 Core Cybersecurity Feature Baseline for Securable IoT Devices<\/a>.\u00a0 It is an attempt to bridge the gap between a dozen or more IoT security guidelines, including the <a href=\"https:\/\/www.schneider-electric.com\/en\/download\/document\/998-20186845\/\" target=\"_blank\" rel=\"noopener noreferrer\">IEC 62443 suite of standards for industrial automation cybersecurity<\/a>, issued by governments, standards development organizations, and civil society groups globally.<a href=\"#_edn5\" name=\"_ednref5\"><sup>[5]<\/sup><\/a>\u00a0 What the authors have found in the wide range of international approaches is commonality in security features that could serve as a meaningful regulatory baseline for all geographies.\u00a0 These features include:<\/p>\n<ul>\n<li><strong>Device Identification<\/strong>:\u00a0 The IoT device can be uniquely identified logically and physically.<\/li>\n<li><strong>Device Configuration<\/strong>:\u00a0 The IoT device\u2019s software and firmware configuration can be changed, and such changes can be performed by authorized entities only.<\/li>\n<li><strong>Data 
Protection<\/strong>:\u00a0 The IoT device can protect the data it stores and transmits from unauthorized access and modification.<\/li>\n<li><strong>Logical Access to Interfaces<\/strong>:\u00a0 The IoT device can limit logical access to its local and network interfaces to authorized entities only.<\/li>\n<li><strong>Software and Firmware Updates<\/strong>:\u00a0 The IoT device\u2019s software and firmware can be updated by authorized entities only, using a secure and configurable mechanism.<\/li>\n<li><strong>Cybersecurity Event Logging<\/strong>:\u00a0 The IoT device can log cybersecurity events and make the logs accessible to authorized entities only.<\/li>\n<\/ul>\n<p><span style=\"color: #3dcd58\"><strong>Securing the digital economy<\/strong><\/span><\/p>\n<p>Harmonizing regulatory approaches with this common baseline would allow global industry to build IoT devices to a shared set of core requirements, thus improving both economic opportunity and consistent security.\u00a0 Furthering this optimism is news that the US and EU have renewed their efforts to coordinate on cybersecurity regulatory approaches.\u00a0 This cooperation could bear fruit as part of the EU\u2019s Cybersecurity Act and the pending cybersecurity certification schemes for <a href=\"https:\/\/www.schneider-electric.com\/en\/work\/campaign\/iiot\/\">IoT<\/a>.<\/p>\n<h3><span style=\"color: #3dcd58\">&#8220;Establishing harmonized requirements for IoT security could help both regions realize economic and security objectives.&#8221;<\/span><\/h3>\n<p>Following this path of collaboration, governments would still be able to establish their own unique requirements for specific industries or use cases, but these additional specifications would be built on top of this common, coordinated baseline.\u00a0 To verify conformance to this baseline, governments could establish voluntary certification schemes while leveraging existing global certification bodies.\u00a0 Establishing such voluntary schemes would allow only the most competitive and secure vendors to rise to the top, thereby helping to raise the security bar throughout global industry.\u00a0 Using existing certification bodies, like <a href=\"https:\/\/www.isasecure.org\/en-US\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISASecure<\/a>, would leverage ready resources that have the technical competence to assess conformity to this shared baseline.<\/p>\n<p><span style=\"color: #3dcd58\"><strong>Strengthening digital trust<\/strong><\/span><\/p>\n<p>While we hear of challenges on this topic daily, we see cause for optimism during October\u2019s Cybersecurity Month. 
\u00a0Governments and industry have an opportunity to come together and work collaboratively on common solutions that will benefit all citizens.\u00a0 At Schneider, we will do our part.\u00a0 As members of both the <a href=\"https:\/\/www.cybersecuritycoalition.org\/\" target=\"_blank\" rel=\"noopener noreferrer\">Cybersecurity Coalition<\/a> and the <a href=\"https:\/\/isaautomation.isa.org\/cybersecurity-alliance\/\" target=\"_blank\" rel=\"noopener noreferrer\">Global Cybersecurity Alliance<\/a>, we will work across industry, governments, and our customers to secure our digital economy.<\/p>\n<p>For those interested in reading more on cybersecurity and building a holistic cybersecurity strategy, see Schneider Electric\u2019s \u201c<a href=\"https:\/\/www.schneider-electric.com\/en\/download\/document\/Cybersecurity_eguide_09-10-19A\/\" target=\"_blank\" rel=\"noopener noreferrer\">Building a Cybersecurity Strategy for the Digital Economy<\/a>\u201d e-guide.<\/p>\n<h6><a href=\"#_ednref1\" name=\"_edn1\"><sup>[1]<\/sup><\/a> <a href=\"http:\/\/europa.eu\/rapid\/press-release_IP-18-6759_en.htm\">European Commission, EU negotiators agree on strengthening Europe\u2019s cybersecurity, Dec. 2018.<\/a><\/h6>\n<h6><a href=\"#_ednref2\" name=\"_edn2\"><sup>[2]<\/sup><\/a> <a href=\"https:\/\/www.meti.go.jp\/english\/press\/2018\/1001_002.html\">Japan Ministry of Economy, Trade and Industry, METI Compiles Results of the Call for Public Comments on the Draft Cyber\/Physical Security Framework.<\/a><\/h6>\n<h6><a href=\"#_ednref3\" name=\"_edn3\"><sup>[3]<\/sup><\/a> <a href=\"https:\/\/www2.imda.gov.sg\/regulations-and-licensing\/Regulations\/consultations\/Consultation-Papers\/2019\/consultation-for-iot-cyber-security-guide\">Singapore Infocomm Media Development Authority, October 15, 2019.<\/a><\/h6>\n<h6><a href=\"#_ednref4\" name=\"_edn4\"><sup>[4]<\/sup><\/a> <a href=\"https:\/\/assets.publishing.service.gov.uk\/government\/uploads\/system\/uploads\/attachment_data\/file\/773867\/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf\">UK Department for Digital, Culture, Media &amp; Sport, Code of Practice for Consumer IoT Security, Oct. 2018.<\/a><\/h6>\n<h6><a href=\"#_ednref5\" name=\"_edn5\"><sup>[5]<\/sup><\/a> <a href=\"https:\/\/securingdigitaleconomy.org\/wp-content\/uploads\/2019\/09\/CSDE_IoT-C2-Consensus-Report_FINAL.pdf\">The C2 Consensus on IoT Device Security Baseline Capabilities, Annex D: Informative References, page 30, accessed October 15, 2019.<\/a><\/h6>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.se.com\/cyber-security\/2019\/10\/22\/how-to-regulate-iot-cybersecurity\/\">How to Regulate IoT Cybersecurity<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.se.com\">Schneider Electric Blog<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Trevor Rudolph | Date: Tue, 22 Oct 2019 18:19:51 +0000<\/strong><\/p>\n<p>Today, I have the honor of speaking on IoT security policy at the annual 
CyberNextDC conference organized by the Cybersecurity Coalition. As the number of connected devices grows and these&#8230;  <a href=\"https:\/\/blog.se.com\/cyber-security\/2019\/10\/22\/how-to-regulate-iot-cybersecurity\/\" title=\"ReadHow to Regulate IoT Cybersecurity\">Read more &#187;<\/a><\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.se.com\/cyber-security\/2019\/10\/22\/how-to-regulate-iot-cybersecurity\/\">How to Regulate IoT Cybersecurity<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.se.com\">Schneider Electric Blog<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[12389,12388],"tags":[12608,23265,4500,23065,16293,11817,12660,23064,23266,22483,6269,10495,11711,23267,23268],"class_list":["post-16684","post","type-post","status-publish","format-standard","hentry","category-scadaics","category-schneider","tag-cyber-security","tag-cybernextdc-conference","tag-cybersecurity","tag-cybersecurity-coalition","tag-cybersecurity-strategy","tag-data-protection","tag-digital-economy","tag-digital-trust","tag-eu-cybersecurity","tag-global-cybersecurity-alliance","tag-internet-of-things","tag-iot","tag-nist","tag-regulate-cybersecurity","tag-trevor-h-rudolph"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16684","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=16684"}],"version-history":[{"count":0,"href
":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16684\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=16684"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=16684"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=16684"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}