Across multiple industries we see a drive to digitize and embrace new, connected technologies that promise more advanced services and greater efficiency. As digital transformation takes off across all sectors, the number of connected devices is surging. Unfortunately, the attention of hackers and other adversaries has grown with it, leading to a number of high-profile attacks and attempts to disrupt people’s lives. As more of these incidents hit the headlines, it’s only natural that governments have started to wake up to the need to protect consumers.
It’s always been important for manufacturers to take responsible steps towards secure devices, but as regulators work on guidance documentation, and ultimately on regulation, it’s more important than ever to ensure that devices ship with a baseline of security. I’ve heard from manufacturers that the regulatory landscape is quite confusing, as they need to navigate both regional and industry-specific standards. Keeping track of these is starting to slow down innovation, because compliance introduces bottlenecks and time, resources and bandwidth are finite; but manufacturers also can’t ignore them, as standards are what will unlock assurance at scale. The good news is that we believe it’s not as confusing as it initially seems: there is a good amount of consensus on what a device needs in order to be “secure”; it just needs a bit of deciphering.
Some of the key challenges facing manufacturers with regard to security
So, how do we, as businesses, get ready for upcoming regulation and ultimately reduce the threat of cyber-attacks, without causing a lag in innovation? At PSA Certified, we believe that we need to move beyond a scattered, fragmented and inconsistent approach to security and instead adopt a unified one. From the outset, our vision was to collaborate, offering a framework and certification program that makes security adoption simpler for the entire IoT ecosystem.
PSA Certified takes the position that every connected device needs a minimum set of security requirements, underpinned by a Root of Trust. The baseline we’ve created wasn’t made in isolation: we actively review emerging laws, regulations and baseline requirements to make sure they are in scope of the advice we give to the ecosystem. First, it is built on the PSA Certified 10 security goals: ten goals that every connected device needs to meet in order to resist some of the most common threats in our connected ecosystem. Second, it aligns with security laws, requirements and regulations, including NISTIR 8259A (IoT Device Cybersecurity Capability Core Baseline*), ETSI EN 303 645 (Cyber Security for Consumer Internet of Things: Baseline Requirements), California State Law SB-327 and the emerging regulations from the UK’s Department for Digital, Culture, Media & Sport (DCMS).
The scope of key upcoming regulation and how PSA Certified Level 1 maps
This work is rolled into our baseline security certification, PSA Certified Level 1, which allows you to ‘rubber stamp’ your products to demonstrate that they meet multiple cybersecurity baseline requirements and regionally important regulations at once. Ultimately, the framework makes it quicker, easier and more cost-effective to design security into a device, getting you ready for regulations as they emerge and, more importantly, helping to prevent some of the most common device vulnerabilities and the IoT cyber incidents they lead to. The best bit is that the team looking after the documents frequently reviews the technology landscape and updates them periodically.
As an industry, we have an important role to play in building people’s trust in the IoT, which is fundamental to the acceptance of new technologies. PSA Certified offers you a framework to gain fast compliance with upcoming regulation, giving you a route to lead the adoption of a more secure connected world.