IoT Cybersecurity: 29 Security Laws, Regulations, Standards, and Best Practices
An easy-to-reference table with summaries and links to each of the twenty-nine.
Internet of Things (IoT) cyber security has come a long way over the past five years. The Miller-Valasek Jeep hack, which led to a recall of more than a million vehicles (you can see the very funny Charlie Miller and Chris Valasek DEF CON 23 presentation here), opened many eyes.
Awareness of the need for cyber security in connected embedded devices (a.k.a. IoT devices) has grown significantly since then. In response, new cyber security teams, industry groups, and even a new ISAC have been formed (you can learn more about the Automotive ISAC here). Many best practice recommendations, standards, regulations, and laws have been issued. There is actually a surprising number, as you can see from the table below.
The list looks overwhelming, but breaking it down by industry is a good first step toward understanding what is relevant to your products. A good second step is realizing that there is quite a bit of commonality, ranging from Threat Analysis and Risk Assessment (TARA), to the security features required in IoT products, to life-cycle management (secure updates, vulnerability disclosure, and end-of-life handling).
In the coming months we will profile a number of the laws, standards, and best practices listed below. The goal is to have a single resource to help clarify which applies to what sort of IoT product, and how.
If you have recommendations for which you would like to see profiled first, let me know.
# | Law / Standard / Group | Description Related to IoT Security |
---|---|---|
1 | IoT Cybersecurity Improvement Act of 2020 | Sets cybersecurity standards and a vulnerability disclosure process for IoT devices used by the U.S. federal government |
2 | California Law SB-327 | First U.S. state law targeted at IoT security (a.k.a. the California password law); bans shared default passwords on connected devices |
3 | Oregon Law HB 2395 | Second U.S. state law targeted at IoT security (a.k.a. the Oregon password law) |
4 | NISTIR 8259 | Foundational Cybersecurity Activities for IoT Device Manufacturers |
5 | NISTIR 8259A | IoT Device Cybersecurity Capability Core Baseline |
6 | UNECE WP.29 | United Nations regulation for automotive cyber security management systems (in draft at the time of writing) |
7 | ISO/SAE 21434 | Automotive cybersecurity engineering standard, under definition at the time of writing |
8 | AUTOSAR | Automotive software architecture standard that includes cryptographic services |
9 | Trusted Information Security Assessment Exchange (TISAX) | Assessment and exchange mechanism for information security in the automotive supply chain, based on ISO 27001 / 27002 |
10 | CTIA | Internet of Things (IoT) Cybersecurity Certification program |
11 | NIST SP 800-82 | Guide to Industrial Control Systems (ICS) Security |
12 | ANSI / ISA / IEC 62443 | Security for Industrial Automation and Control Systems |
13 | U.K. IoT Law | Proposals being considered for a consumer IoT cybersecurity law in the United Kingdom |
14 | ETSI EN 303 645 | Cyber Security for Consumer Internet of Things: Baseline Requirements |
15 | GDPR | General Data Protection Regulation in Europe |
16 | Wi-Fi | Security (WPA2/WPA3) is part of the standard |
17 | Bluetooth | Security is part of the standard; NIST also has a specific guide to Bluetooth security (SP 800-121) |
18 | Zigbee | Security is part of the standard |
19 | Automotive ISAC | Automotive industry group for cyber security information sharing that has published 7 best practice guides |
20 | NHTSA | National Highway Traffic Safety Administration in the U.S.; has published a best practices guide and other cybersecurity-related information |
21 | Open Connectivity Foundation (OCF) | Industry consortium that includes IoT cyber security in its standard |
22 | Arm Platform Security Architecture (PSA) | Software framework and security certification program (PSA Certified) from Arm |
23 | EdgeX Foundry | Edge computing framework with open source software |
24 | Industrial Internet Consortium (IIC) | Offers a comprehensive industrial internet of things security framework document |
25 | National Motor Freight Traffic Association (NMFTA) | Group that offers multiple best practice recommendations for trucks and EV chargers |
26 | OWASP | A group that offers projects and guidance and is known for its Top 10 security risk lists, including an IoT Top 10 |
27 | IoT Security Foundation | Industry consortium offering a cyber security compliance framework with certification and labeling |
28 | Amazon AWS IoT | Cloud IoT platform with published security best practices |
29 | Microsoft Azure Sphere | Secured MCU, OS, and cloud service built around Microsoft's seven properties of highly secured devices |
To learn more about how BG Networks' engineering services can help develop software to meet a certification or comply with a particular standard, see our services page at the link below.