Beyond the Regulatory Landscape of the Internet of Things

By Charmaine Ng, Director of Asia Pacific Digital Policy, Schneider Electric

The Internet of Things (IoT) has been around for at least four decades, yet it has been mostly ignored until now and is still poorly understood. In its simplest form, IoT is a device with a sensor that collects and transmits data over the Internet. At a more sophisticated level, it is connected to an analytics system to generate insights. At an even more sophisticated level, it is responsive.

It was in the 1980s when people first started adding sensors to devices – university students modified a Coca-Cola vending machine to allow remote tracking of the machine’s contents. But it was not until Kevin Ashton proposed putting radio-frequency identification chips on products to track them through a supply chain that this phenomenon was christened “IoT.”[1]

As early as 2008, there were already more connected devices than people in the world. The World Economic Forum predicts that by 2025, 41.6 billion devices will be capturing data on how we live, work, and commute.[2]

The IoT space is growing at a pace that makes it difficult for policymakers and society to gain a solid grasp of its privacy and security implications. As a result, there is a regulatory gap, unintentionally permitting some IoT manufacturers to ship products without cybersecurity in mind. To contextualize this, where there is no expectation of compliance with an internationally recognized standard such as IEC 62443, it is cheaper, faster, and easier to ship IoT devices with default credentials instead of hiring cybersecurity experts to code in forced password changes (and complex password requirements), which may be perceived as inconveniencing customers. When IoT devices are not secure, attackers are presented with numerous entry points from which to launch an attack, steal data, disrupt lives, and in some cases, put lives at risk.

Beyond the regulatory landscape

We observe governments beginning to proactively manage cybersecurity risks as part of a nation’s overall strategy. In APAC, significant efforts from the governments of Australia, China, Singapore, and Vietnam are underway to raise the bar on cybersecurity. The Singapore Cyber Security Agency[3] introduced the cybersecurity labelling scheme earlier this year, setting the trend for other jurisdictions like the United States[4] and the European Union[5] to also start thinking about introducing minimum cybersecurity standards. This is yet another example of how “small states in a big world” – to borrow the title of Singapore’s Ambassador-at-Large and Professor Tommy Koh’s book – are punching above their weight and setting global policy trends. At Schneider Electric, cybersecurity and data protection are integral to our core strategy.[6] Part of our commitment to our customers, whether industrial or retail, is that we maintain a cybersecurity posture that lowers the risk of our products becoming an attack vector for our customers.

We take a proactive approach and view cybersecurity as a business risk that requires the right levels of attention and resources to convert it from an operational expenditure to a strategic differentiator that can help ensure the loyalty of our customers. It is important that our consumer IoT products are not just incredibly functional products but are incredibly functional products that people feel safe and secure using in their homes. We encourage and facilitate thoughtful conversations to reduce technical barriers to entry and to promote innovation through the harmonization of globally-aware cybersecurity policies.

For manufacturers, it is also important to keep in mind that compliance with the regulatory regime is just the beginning; we must have a mature, risk-managed cybersecurity program that continually adapts to a shifting threat landscape. For those who are thinking about how to enhance cybersecurity in their IoT products, the Cybersecurity Tech Accord’s dedicated IoT security resource hub[7] is a good place to start.

Conclusion

We all own or use at least one connected device, whether at home, at the office, or when commuting to work. IoT has integrated itself so seamlessly into our lives that we barely notice it. It is precisely because of this level of integration into our daily lives that manufacturers like us must be committed to ensuring cybersecurity-by-design in our products, for the security of our customers, and for the resilience of our shared cyberspace. But we cannot do this alone. We need closer public-private and industry-wide partnerships to continuously raise the bar on cybersecurity. Let’s do more, together.

* This publication includes minor editorial edits by the Cybersecurity Tech Accord.


[1] https://www.weforum.org/agenda/2021/03/what-is-the-internet-of-things/

[2] https://www.weforum.org/agenda/2021/03/what-is-the-internet-of-things/

[3] https://www.csa.gov.sg/Programmes/certification-and-labelling-schemes/cybersecurity-labelling-scheme/about-cls

[4] https://www.whitehouse.gov/briefing-room/statements-releases/2022/10/11/fact-sheet-biden-harris-administration-delivers-on-strengthening-americas-cybersecurity/

[5] https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act

[6] https://download.schneider-electric.com/files?p_Doc_Ref=SECyberSecurity  

[7] https://cybertechaccord.org/iot-security/resources-for-iot-device-manufacturers/