Do the latest IoT regulations have enough reach?

There’s been a rash of regulation around the world as governments seek to address IoT security. It’s a positive step, indicating the market is maturing, but regulating the IoT space is not without its challenges. Such moves have inevitably met with resistance, from those suggesting they could create IoT waste mountains to others who say they could stymie innovation. Consequently, each piece of legislation is slightly different. But how these regulations fare will shape the evolution of regulation to come, making it important that we consider the measures being taken, where they excel and where they fall short, says Ken Munro, partner, Pen Test Partners.

The IoT Cybersecurity Improvement Act 2017 (US): Aimed at controlling the IoT within the US government, the IoT Cybersecurity Improvement Act could hold profound implications for IoT development. Devices must not exhibit known security flaws in the NIST database, must support updates, must use fixed or hard coded credentials for remote admin, updates and communication, and vulnerabilities must be disclosed and repaired. However, limiting the flaws to NIST could see common issues that are not listed, such as SQL injection in customer apps, overlooked. It also fails to acknowledge that many RF protocols are designed to use no credentials at all, so these devices would need to be scrapped or upgraded to support a tighter wireless protocol. The Act has yet to be passed, and others on the table include the Smart IoT Act, the DIGIT Act, the Security IoT Act, the Cyber Shield Act and the IoT Consumer TIPS Act.
