By: Thorsten Stremlau

Across the globe, Internet-of-Things (IoT) devices continue to underpin operations in most critical industries. The benefits these devices bring to businesses are invaluable, as is reflected in their continued popularity. By 2027, over 29 billion connected devices are expected to be online, a significant increase from the 17.08 billion currently in use.

However, 56 percent of businesses currently they lack the proper awareness and expertise to adequately prepare for an IoT-focused cyberattack. This should be a major cause of concern, not least because between 2022 and 2023 alone, these types of attacks increased by approximately 400 percent. If businesses lack the skills to protect themselves against attacks, then the onus falls on device manufacturers to ensure the necessary levels of cyber protection.

Thankfully, action has been taken worldwide to ensure manufacturers take their responsibilities seriously. A number of key acts and regulations have been rolled out by government institutions and regulators to enhance IoT device security within their respective markets.

Looking After the Consumer

In March 2024, the United States’ Federal Communications Commission (FCC) introduced a voluntary labeling program for wireless IoT products. This includes the U.S Cyber Trust Mark, which will appear on wireless consumer technologies which have met the FCC’s rigorous standards. The approved products will also display a QR code which leads to detailed security information such as whether its software patches are automatic.

Devices ranging from home security cameras and voice-activated shopping devices to internet-connected appliances, fitness trackers, and garage door openers have all been identified as suitable for the Cyber Trust Mark.

You only need to look to the news to see why. In 2023, Ring was accused by the Federal Trade Commission of failing to implement essential security measures in a $5.6 million USD lawsuit. As a result, hackers were able to take control of customer accounts, with over 117,000 consumers affected. Before this incident, over 60 million records were exposed by an unsecured fitness tracking database. It’s these types of incidents the FCC is aiming to thwart through the Cyber Trust Mark.

Securing the Healthcare Sector

For IoT devices deployed in healthcare applications, there is another relevant piece of legislative action: the Protecting and Transforming Cyber Healthcare (PATCH) Act.

Healthcare institutions remain a key target for attackers, with two unfortunate records set in 2023: the most data breaches and the most breached records. The U.S Department of Health and Human Services’ Office for Civil Rights (OCR) saw 725 reported data breaches and 133 million exposed records reported to them that year alone, while 79.7 percent of the total data breaches within the sector directly resulted from hacking attempts.

To better protect patients’ sensitive information, the US Congress passed the PATCH Act in March 2023. Designed to provide a better framework for cybersecurity measures, this legislation empowers the U.S Food and Drug Administration (FDA) to take stronger action against manufacturers who lack proactivity when it comes to cybersecurity.

Manufacturers developing new IoT solutions for the healthcare sector must now provide details of their processes to the FDA so any vulnerabilities can be identified and mitigated prior to market launch. They must also disclose a Software Bill of Materials (SBOM), which details of all components found within a device, be it commercial, open-source or anything in between.   

SBOMs remain an overlooked element of security. By checking catalogues of known exploits, businesses can see whether any components within their own devices are vulnerable. Yet less than 20 percent of organizations mandated them as part of their engineering practices in 2022. By making SBOMs a mandatory element of the PATCH Act, Congress is essentially dictating that businesses must now become familiar with these inventories and assigning them greater responsibility for protecting end users.

The View from Europe

Recent attacks have also highlighted the need for greater security for IoT devices sold throughout Europe. Attacks have been leveled against everything from electric vehicle charging ports and rail communication equipment to smart televisions and other consumer equipment.

With hacking attempts growing in both volume and complexity, the European Commission (EC) has introduced "2014/53/EU" to establish a regulatory framework for radio equipment. The “Radio Equipment Directive” (RED) outlines essential requirements for device manufacturers that must be fulfilled if they are to sell products within the European Union (EU). Despite a brief postponement, the RED is expected to become mandatory for any device type that transmits or receives radio signals. For example, 4G/LTE/5G cellular and Wi-Fi enabled devices, as well as radio, television,