IoT Cybersecurity: 29 Security Laws, Regulations, Standards, and Best Practices

An easy to reference table with summaries and links to each of the twenty-nine

Internet of Things (IoT) cyber security has come a long way over the past five years. The Miller-Valasek hack of 1 million plus vehicles (you can see the very funny Charlie Miller Chris Valasek DEF CON 23 presentation here) opened many eyes.

The awareness for the need for cyber security in connected embedded devices (a.k.a. IoT devices) has grown significantly since then. In response, new cyber security teams, industry groups, and even a new ISAC have been formed (you can learn more about the Automotive ISAC here). Many best practice recommendations, standards, regulations, and laws have been issued. There is actually a surprising number as you can see from the table below.

The list looks overwhelming but breaking it down by industry is a good first step to understand what is relevant to your products. A good second step is realizing that there is quite a bit of commonality ranging from Threat Analysis and Risk Assessments (TARA), to security features required in IoT products, to life-cycle management.

In the comings months we will profile a number of the laws/standards/best practices listed below. The goal is to have a single resource to help clarify which applies to what sort of IoT products and how.

If you have recommendations of which you would like to see profiled first, let me know.

Law / Standard / GroupDescription Related to IoT Security
1IoT Cybersecurity Improvement Act of 2020Sets cybersecurity standards & vulnerability disclosure process for IoT devices used by the federal goverment
2California Law SB-327First law targeted at IoT security ( a.k.a California password law )
3Oregon Law HB 2395Second law targeted at IoT security (a.k.a. Oregon Password Law)
4NISTIR 8259Foundational Cybersecurity Activities for IoT Device Manufacturers
5NISTIR 8259AIoT Device Cybersecurity Capability Core Baseline
6UNECE WP.29United Nations regulation for automotive cyber security (in draft)
7ISO / SAE 21434Automotive cybersecurity standard under definition
8AutoSARAutomotive software standard that includes cryptographic services
9Trusted Information Security Assessment Exchange (TISAX)A standard based on ISO 27001 / 27002 and exchange for information security assessments
10CTIAInternet of Things (IoT) Cybersecurity Certification
11NIST 800-82Industrial Control System Security
12ANSI / ISA / IEC 62443Security for Industrial Automation and Control Systems
13U.K. IoT LawProposals being consider for a consumer IoT cybersecurity law in the United Kingdom
14ETSI 303 645Cyber Security for Consumer Internet of Things: Baseline Requirements
15GDPRGeneral Data Privacy Regulation in Europe
16WifiCyber security included in standard
17BluetoothCyber security included in standard but also NIST has a specific guide to Bluetooth security
18ZigbeeCyber security included in standard
19Automotive ISACAutomotive industry group for cyber security information sharing that has published 7 best practice guides
20NHTSANational Highway Traffic Safety Administration in the U.S. published a best practices guide and other cybersecurity related information
21Open Connectivity Foundation (OCF)Industry consortium that includes IoT cyber security in their standard
22ARM Platform Security ArchitectureSoftware framework and security certification program from ARM
23Edge XEdge computing standard with open source software
24Industrial Internet Consortium (IIC)Offers a comprehensive industrial internet of things cybersecurity framework document
25National Motor and Freight Traffic AssociationGroup that offers multiple best practices recommendations for trucks and EV chargers
26OWASPA group that offers projects, guidance, and is known for their top 10 security risks list
27IoT Security FoundationIndustry consortium for cyber security certification with labeling
28Amazon AWS IoTIncludes a security standard
29Microsoft Azure SphereIncludes a security standard

To learn more how BG Networks' engineering services can help develop software to meet a certification or comply to a particular standard, see our services page at the link below

 

 

Recent Related Stories

FDA Medical Device Cybersecurity Requirements: New Mandate & Enforcement Schedule
Cybersecurity of medical devices has been an increasing area of focus by the United States government in recent years.  The…
Read More
Consumer IoT Cybersecurity Labeling Program Launching in the U.S.
Image Credit: N. Hanacek/NIST The Seven Things Consumer Device Manufactures Need to Know to Prepare. In the wake of the…
Read More
Embedded Processor Security Features You Should Be Using in Your IoT Design
Today’s embedded processors are increasingly including built-in security features to enable robust cybersecurity in IoT devices. Features such as secure…
Read More