IoT Cybersecurity: The Broadening Regulatory Landscape

IoT Cybersecurity

Article written by Ken Wells | floLIVE – July 2024

It’s interesting to see how the world is beginning to respond to the very critical topic of IoT Cybersecurity as the digital world continues to expand rapidly. The threat of security has always been present. Still, as this technology proliferates and cyber threats increase, it has become pertinent to find a way to tie together the standards, compliance, and guidelines ecosystem. 

IoT Network Cybersecurity 

Software and platform cybersecurity is essential to protecting sensitive data, preventing cyberattacks, ensuring system integrity, and maintaining user trust. It safeguards against vulnerabilities, ensures business continuity, and upholds the reliability and security of digital services and applications. In the industry, ISO 27001, SOC 2, and the Cyber Resilience Act are notable examples of how securing this part of the technology stack is addressed.  

ISO 27001 for Information Security Management

ISO 27001 is an international standard for managing information security. ISO/IEC 27001 provides a framework for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). The standard aims to help organizations protect their information assets by identifying risks, implementing security controls, and adopting a systematic approach to managing sensitive data.

Key components of ISO 27001 include:

  • Risk Assessment: Identifying and evaluating information security risks to determine which controls are necessary.
  • Security Controls: Implementing appropriate measures to mitigate identified risks. These controls should be organizational, technical, legal, and physical.
  • Documentation: Maintaining proper documentation of the ISMS, including policies, procedures, and compliance records.
  • Continuous Improvement: Regularly monitoring, reviewing, and updating the ISMS to ensure its effectiveness and relevance in response to changing threats and business needs.

Achieving ISO 27001 certification demonstrates an organization’s commitment to information security and assures stakeholders that it has implemented best practices to protect its data.

SOC 2 Compliance for Customer Data Protection

SOC 2, or Service Organization Control 2, was established by the American Institute of CPAs (AICPA) in 2010 to help organizations protect customer data and reduce the risk of security breaches. It is specifically designed for service providers storing customer data in the cloud, ensuring they handle that data securely to protect the privacy and interests of their clients.

Key aspects of SOC 2 include:

  1. Security: Ensures that the system is protected against unauthorized access, both physical and logical.
  2. Availability: Ensures the system is available for operation and use as committed or agreed upon.
  3. Processing Integrity: Ensures system processing is complete, valid, accurate, timely, and authorized.
  4. Confidentiality: Ensures that information designated as confidential is protected as committed or agreed upon.
  5. Privacy: Ensures that personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice.

Obtaining SOC 2 certification demonstrates a service provider’s commitment to high data security and privacy standards, providing clients and stakeholders with assurance that their data is handled responsibly.

The Cyber Resilience Act (CRA)

The Cyber Resilience Act (CRA) is a proposed regulation by the European Union that aims to enhance the cybersecurity of digital products and services. It seeks to establish a uniform standard for cybersecurity across the EU to ensure that digital products placed on the market are designed and developed with cybersecurity in mind. 

The CRA broadly applies to hardware, software, and digital services in the EU and imposes several requirements on both retailers and product manufacturers. 

For retailers, products must meet certain cybersecurity requirements before they can be sold, including secure development practices, secure configurations, vulnerability management, and the provision of security updates. 

Manufacturers play a crucial role in the Cyber Resilience Act. They must ensure their products comply with CRA cybersecurity requirements. They are also required to conduct risk assessments, provide security support and updates within a defined period, and report vulnerabilities. This empowerment and responsibility are key to the Act’s success. 

The Cyber Resilience Act is not just about enhancing cybersecurity and protecting critical infrastructure. It also significantly aims to harmonize regulations, which is crucial as it ensures uniformity in regulations. Based on the severity of the infraction, fines will be levied for noncompliance. In March, the EU Parliament adopted some of the texts in the CRA, indicating that progress is being made in implementing the CRA. 

The Cybersecurity Act 

The Cybersecurity Act of 2018 (Regulation (EU) 2019/881) aims to strengthen the EU’s cybersecurity framework and enhance the security of networks and information systems across the Union. 

Primarily, the Cybersecurity Act grants a permanent mandate to the European Union Agency for Cybersecurity (ENISA). ENISA provides expertise and support to member states, institutions, and stakeholders and is crucial in implementing EU cybersecurity policies. 

The act establishes an EU-wide cybersecurity certification framework for ICT products, services, and processes. Certificates issued under this framework will be recognized across all EU member states, enhancing trust and security in digital products and services.

Altogether, the aim is to have a standardized approach to cybersecurity to monitor, protect, and maintain a streamlined approach to digital security in the EU. 

IoT Data Protection – Storing and Managing your data

Security in IoT data storage is crucial to protecting sensitive information, preventing data breaches, ensuring privacy, maintaining data integrity, and upholding user trust in the reliability and safety of connected devices and their ecosystems. Most notably, the GDPR governs this in Europe and is a stringent regulation that creates a significant footprint for future regulations worldwide.  

GDPR: A Comprehensive Data Protection Law

The General Data Protection Regulation (GDPR) is a comprehensive data protection law enacted by the European Union (EU) to regulate the collection, storage, and processing of individuals’ personal data within the EU. 

The GDPR, which came into effect on May 25, 2018, replaces the 1995 Data Protection Directive and aims to give individuals greater control over their data while simplifying the regulatory environment for international business by unifying data protection regulations within the EU.

The GDPR applies to all organizations, regardless of location, that process the personal data of individuals within the EU. Personal data is defined as any identifying information, including names, email addresses, location data, and others. 

The GDPR enhances data protection to ensure individuals have more control over their data and promotes transparency in data processing activities while holding organizations accountable for protecting personal data. 

Organizations must adhere to the GDPR, even if based outside the EU, as long as data processing occurs within the EU at any point. Otherwise, supervisory authorities can investigate breaches and impose penalties. 

On the whole, the EU is advanced in its guidelines, policies, and regulations for governing and managing cybersecurity and risk.

IoT Security through Device Protection

IoT device security is essential to protect against cyber threats, prevent unauthorized access, ensure data integrity, and maintain device functionality. It safeguards personal and sensitive information, ensuring the reliability and trustworthiness of the increasingly interconnected and smart technology environment. Device security is an important chain in securing the entire technology stack and garnering more attention in the industry. 

Cyber Trust Mark 

Cyber Trust Mark is a certification and labeling initiative aimed at improving cybersecurity standards, increasing consumer confidence, and promoting best practices within the industry. It indicates that a product or service has been vetted for security, helping consumers make informed choices and encouraging manufacturers to prioritize cybersecurity.

The Cyber Trust Mark signals consumers that a product or service has undergone rigorous testing and meets established cybersecurity criteria. It serves as a quality assurance measure, indicating that the manufacturer or service provider has implemented adequate security measures to protect against cyber threats. The mark applies to a broad range of IoT devices, software, and digital services. 

While this is an effort to improve cybersecurity, there are no penalties associated with it; rather, it encourages organizations and can act as a value-added service. It also creates awareness for consumers. 

Protecting Personal Data with IoT Application Security 

IoT application security is crucial for end users to protect personal data, ensure device reliability, prevent unauthorized access, safeguard against cyber threats, and maintain trust in connected devices and smart environments. While significant work is leveraged to build IoT security into networks and platforms, it’s key to ensure that customer applications are secured as these devices are deployed in the millions worldwide. 

Network and Information Security: The NIS2 Directive 

The NIS2 Directive is an updated EU directive to enhance cybersecurity across the EU. It builds upon the original Network and Information Security (NIS) Directive, the first EU-wide cybersecurity legislation. 

This is an expansion of the original NIS Directive to include more sectors and types of organizations, including essential services, such as energy, transport, banking, financial market infrastructures, healthcare, drinking water supply, and digital infrastructure.

Important services, such as postal and courier services, waste management, chemicals, food production, and manufacturing, are also included. 

Organizations within the scope of NIS2 must implement stricter cybersecurity measures, including risk management, incident reporting, and supply chain security.

The directive sets out specific measures such as regular risk assessments, incident handling, business continuity, crisis management, and cybersecurity training.

The NIS2 Directive introduces greater accountability for management bodies within organizations, ensuring they are directly responsible for cybersecurity practices and compliance.

Non-compliance can result in significant fines and penalties, including sanctions against senior management.

IoT Connectivity and Network Security Resiliency

Network connectivity cybersecurity is vital for protecting data integrity, preventing unauthorized access, mitigating cyber threats, ensuring business continuity, and maintaining the confidentiality of communications. Two particular frameworks help provide a resilient approach to this initiative. 

IoT Security Best Practices: The NIST Cyber Security Framework

The NIST Cybersecurity Framework is a set of guidelines and best practices designed to help organizations manage and reduce cybersecurity risk. Developed by the National Institute of Standards and Technology (NIST) in the United States, the framework is widely used across various industries and sectors to improve cybersecurity and protect critical infrastructure.

The Framework core provides activities and desired outcomes to guide organizations in managing and reducing cybersecurity risk. It is organized into five key functions, each of which includes categories and subcategories:

  • Identify: Develop an understanding of the organization’s environment to manage cybersecurity risk to systems, assets, data, and capabilities. This includes asset management, business environment, governance, risk assessment, and risk management strategy.
  • Protect: Develop and implement appropriate safeguards to ensure the delivery of critical infrastructure services. This includes access control, data security, information protection processes and procedures, maintenance, and protective technology.
  • Detect: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event. This includes anomalies and events, security continuous monitoring, and detection processes.
  • Respond: Develop and implement appropriate activities to respond to a detected cybersecurity incident. This includes response planning, communications, analysis, mitigation, and improvements.
  • Recover: Develop and implement appropriate activities to maintain resilience plans and restore any capabilities or services impaired due to a cybersecurity incident. This includes recovery planning, improvements, and communications.

This framework is widely adopted, comprehensive, and flexible but serves as a guideline rather than a regulation.  

Secure Access Service Edge (SASE)

While not a regulatory effort, SASE, or Secure Access Service Edge, is a cybersecurity concept coined by Gartner in 2019 that works as a framework for network security functions. It describes combining these network security functions with secure web gateways, firewall as a service, and zero trust network access) with wide-area networking (WAN) capabilities to support modern digital enterprises’ dynamic, secure access needs.

Key Components of SASE include:

  • SD-WAN (Software-Defined Wide Area Network):
    • Provides optimized and flexible WAN connectivity.
    • Enhances performance and user experience for cloud applications.
  • Secure Web Gateway (SWG):
    • Protects users from web-based threats by inspecting web traffic.
    • Enforces security policies to prevent access to malicious sites.
  • Firewall as a Service (FWaaS):
    • Delivers firewall capabilities over the cloud.
    • Provides scalable, centralized security management.
  • Zero Trust Network Access (ZTNA):
    • Ensures secure access to applications based on strict identity verification.
    • Operates on a “never trust, always verify” principle.
  • Cloud Access Security Broker (CASB):
    • Acts as an intermediary between users and cloud service providers.
    • Provides visibility, compliance, data security, and threat protection.

The benefits of SASE include:

  • Simplified Security Management: Consolidates multiple security functions into a single service.
  • Improved Performance: SD-WAN routes traffic more efficiently, improving speed and reducing latency.
  • Scalability: Adapts to changing business needs, allowing enterprises to scale up or down easily.
  • Cost Efficiency: Reduces the need for multiple on-premises security appliances, lowering capital expenditure.
  • Enhanced Security Posture: This posture provides comprehensive security across all edges of the network, including remote users, branch offices, and cloud resources.

The Intersection of a SaaS Connectivity Provider and Cybersecurity

The ecosystem for IoT connectivity is already highly complex, with fragmented

technology options, providers, backend systems, and global infrastructure. Meeting regulatory requirements is becoming increasingly mandated worldwide, and tackling cybersecurity challenges should be at the forefront of solution design. 

For SASE initiatives alone, partnering with IoT connectivity providers like floLIVE allows SASE companies to offer comprehensive connectivity solutions tailored to the specific needs of IoT deployments worldwide, whether requirements demand traditional cellular, low power, or satellite connectivity.

Geographical coverage through a singular provider can help streamline and harmonize regulations and support cybersecurity requirements and initiatives because providers like floLIVE specialize in extensive geographical coverage and local expertise in different regions. For SASE companies, in particular, this partnership can help seamlessly extend their network security and services into areas worldwide. 

Collaboration with IoT connectivity providers enables companies to achieve unified management and visibility across network connectivity and security policies. This centralized approach simplifies operations for enterprises deploying IoT solutions, allowing them to manage connectivity and security from a single platform.

Finally,  IoT deployments often require scalability and flexibility in connectivity and security solutions. Partnering with floLIVE and similar IoT connectivity providers enables companies to dynamically scale their services to meet the evolving needs of IoT deployments, whether in terms of device numbers, geographical expansion, or changing connectivity requirements.

Cybersecurity Awareness and Control Expanding

The ecosystem has come a long way in the short time that IoT has been relevant, and as more attention is garnered, the greater the regulatory scope will likely be. As cybersecurity becomes a top-of-mind element in digital transformation, it’s important to understand what is law, what is a suggestion, and how best to secure your solutions. 

With a global presence and offering connectivity around the world, floLIVE understands the regulatory and security ecosystem. 

CommsCloud IoT Connectivity Solutions | Empowering Your Business to Connect, Grow, and Thrive—Contact Us | +27 21 551 5526 | sales@commscloud.com | Get in Touch to learn how we can help you meet these global standards. Follow our journey across Africa with the social media links below.

Connect your IoT projects globally—no contracts, no limits. Scale with CommsCloud today!