STEPS FORWARD: Regulators are on the move to set much needed IoT security rules of the road

By Byron V. Acohido

New government rules coupled with industry standards meant to give formal shape to the Internet of Things (IoT) are rapidly quickening around the globe.


This is to be expected. After all, government mandates combined with industry standards are the twin towers of public safety. Without them the integrity of our food supplies, the efficacy of our transportation systems and reliability of our utilities would not be what they are.

When it comes to IoT, we must arrive at specific rules of the road if we are to tap into the full potential of smart cities, autonomous transportation and advanced healthcare.

In the absence of robust, universally implemented rules of the road, cybercriminals will continue to have the upper hand and wreak even more havoc than they now do. Threat actors all too readily compromise, disrupt and maliciously manipulate the comparatively simple IoT systems we have in operation today.

I had an eye-opening conversation about all of this with Steve Hanna, distinguished engineer at Infineon Technologies, a global semiconductor manufacturer based in Neubiberg, Germany. We went over how governments around the world are stepping up their efforts to impose IoT security legislation and regulations designed to keep users safe.

This is happening at the same time as tech industry consortiums are hashing out standards to universally embed security deep inside next-gen IoT systems, down to the chip level. There’s a lot going on behind the scenes. For a full drill down on my discussion with Hanna, please view the accompanying videocast. Here are a few takeaways:

Minimum requirements

A few years back, a spate of seminal IoT hacks grabbed the full attention of governments worldwide. The Mirai botnet, initially discovered in October 2016, infected Internet-connected routers, cameras and digital video recorders at scale. Mirai then carried out massive distributed denial-of-service (DDoS) attacks that knocked down Twitter, Netflix, PayPal and other major web properties.

Then in 2017, clever attackers managed to compromise a smart thermometer in a fish tank, thereby gaining access to the high-roller database of a North American casino. Soon thereafter, white hat researchers discovered and disclosed pervasive vulnerabilities in hundreds of millions of smart home devices such as cameras, thermostats and door locks.

In 2018, UK regulators got the ball rolling, taking steps that would eventually result in mandated minimum requirements for IoT data storage, communications and firmware update capabilities. The U.S., other European nations and Singapore soon began moving in this direction as well. The U.S. National Institute of Standards and Technology (NIST), for instance, has since developed a comprehensive set of recommended IoT security best practices.

In 2023, the U.S. announced a cybersecurity certification and labeling program to help Americans more easily choose smart devices that are safer and less vulnerable to cyberattacks. The new “U.S. Cyber Trust Mark” program raises the bar for cybersecurity across common devices, including smart refrigerators, smart microwaves, smart televisions, smart climate control systems, smart fitness trackers, and more.

Guest expert: Steve Hanna, Distinguished Engineer, Infineon Technologies

“We’re moving to a world where IoT cybersecurity will be table stakes” Hanna told me. “It’s going to be required in every IoT product and governments will have their own checklist of IoT requirements, similar to what we have for electrical equipment.”

Harmonizing the baseline

The efforts by regulators and technologists to establish a baseline for IoT safety have, as might have been expected, given rise to conflicts and redundancies. “At the moment, we have a Tower of Babel situation where each nation has its own set of requirements and it’s a big challenge for a manufacturer how they get their product certified in multiple places,” Hanna says.

Harmonizing the differing requirements across multiple nations needs to happen, Hanna argues, and this quest is made even more challenging by the sprawling array of IoT device types. This is, in fact, precisely what a tech industry consortium calling itself the Connectivity Standards Alliance (CSA) has set out to tackle head on, he says.

“Basically, we’re creating, shall we say, one certification to rule them all,” Hanna told me. “We’re going to bring together all the requirements from these national and regional certifications and say if you get this one certification from CSA, then that indicates you’re compliant with all of the national or regional requirements, no matter where they might come from. And your product can then be sold in all of those different regions.”

The technologists are striving to resolve a profound pain point, in particular, for IoT device makers facing the prospect of needing to test and certify their IoT products in 50 different locales. “If I can test it once against a set of requirements that I understand, then that’s much less expensive,” Hanna says.

Safety labels

The give-and-take vetting of emerging standards that’s now unfolding reflects a tried-and-true dynamic; it’s how we arrived at having detailed food additive labels we can trust on every item on supermarket shelves and it’s why we can be sure no electrical appliance in our homes poses an egregious hazard.

Related: The need for supply chain security

The ramping up of IoT rulemaking and standards-building portends a day when we won’t have to worry as much as we now do about directly encountering badness on the Internet.

I asked Hanna what individual citizens and small business owners can do, and he indicated that staying generally informed should be enough. He noted that regulators and tech industry leaders are cognizant of the need to foster consumer awareness about the incremental steps forward. The push behind the new Matter home automation connectivity standard, introduced in late 2022, is a case in point.

“We can’t expect the consumer to be an expert on IoT cybersecurity, that’s just not realistic,” he says. “What we can ask them to do is to look for these security labels coming soon to IoT products . . . you just can’t buy an unsafe extension cord anywhere today; only the ones with the proper safety inspections get sold. I hope the same will be true in five or 10 years for IoT products, that all of them are adequately secure and they all have that label.”

This is all part of a maturation process that must happen for digital systems to rise to the next level. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

