There are an estimated 7.74 billion IoT-connected devices worldwide, and this number is predicted to increase to 29 billion by 2030. In recent months, we have seen some big announcements in the move to make connected devices more resilient against cybercrime. These include the new global standard from the Connectivity Standards Alliance (CSA) and the European Union’s (EU’s) Cyber Resilience Act proposal. But how will these efforts harden devices against cyberattacks?
How is the Connectivity Standards Alliance (CSA) Going to Globally Unify How We Secure Devices?
Until now, there has not been a simplified, globally accepted standard for connecting IoT devices, which has left consumers with multiple, confusing methods of connecting them at home. The Connectivity Standards Alliance (CSA) aims to change this with a new global standard, whilst ensuring new devices are secure. The standard, known as Matter, encourages interoperability between devices and platforms, developing the future of the smart home.
What is the Cyber Resilience Act?
The Cyber Resilience Act proposal was published by the EU in September 2022. It is a regulation which aims to bolster cybersecurity rules to ensure that hardware and software products on the EU market are more secure.
Hardware and software products are increasingly subject to cyberattacks, at an estimated cost of €5.5 trillion globally. Currently, the EU legal framework does not address the cybersecurity of non-embedded software, and so two main objectives were identified in the proposal:
- To place hardware and software products on the market with fewer vulnerabilities, by creating conditions for the development of secure products with digital elements and ensuring that manufacturers take security seriously throughout a product’s life cycle
- To allow users to take cybersecurity into account when selecting and using products with digital elements
How will the Proposed Cyber Resilience Act Secure Devices?
The first EU legislation of its kind, the Cyber Resilience Act will introduce mandatory cybersecurity requirements for products with digital elements, throughout their whole lifecycle. This is expected to cover both consumer and industrial products. The proposed measures include a framework that spans the value chain, from planning, design and development to maintenance and ongoing support.
What are Manufacturers’ Obligations Under the Proposed Cyber Resilience Act?
- Cybersecurity is taken into account in all phases: planning, design, development, production, delivery and maintenance
- All cybersecurity risks are documented
- Actively exploited vulnerabilities and incidents will have to be reported
- Once sold, manufacturers must ensure that for the expected product lifetime or for a period of five years (whichever is the shorter), vulnerabilities are handled effectively
- Clear and understandable instructions are provided for the use of products with digital elements
- Security updates to be made available for at least five years
When Can We Expect to See the Cyber Resilience Act Come Into Force?
The Cyber Resilience Act is currently being reviewed by the European Parliament and Council. If the proposal is adopted and enters into force, economic operators and Member States will have two years to adapt to the new requirements.
It should be noted that the obligation to report actively exploited vulnerabilities and incidents will apply after one year.
How Can Connected Devices Be Secured Now?
While the proposed CRA is a significant development, there are steps you can take to secure devices now with Public Key Infrastructure (PKI) technology.
PKI delivers a trusted IoT experience backed by secure digital certificates, and with GlobalSign’s IoT Identity Platform, device security becomes scalable, flexible and interoperable.