Why We Need Safety, Resilience, and Security Integrated in IoT Regulation
By Roland Atoui
Our Information Communication Technologies (ICT) are currently advancing faster than regulation can follow them — and it’s been causing problems. When governance becomes outdated owing to the changes in the threat level or evolution of systems, our capability to make our systems secure decreases.
It’s clear that instead of frantically trying to update regulation to adjust it to the current level of technology, we should strive to make regulation more flexible instead. In cybersecurity terms, that means integrating safety, resilience, and security by design in regulation. Let’s have a closer look at the problem of trying to make regulations more efficient.
Our Current Adopted Regulations
More often than not, a product needs to be “type approved” to confirm it’s made according to technical standards. But what happens when the specification for the ICT product has changed, and it is now different than what the regulations state?
The UK has experienced some of those problems after opting to leave the EU, as they have to decide what to do with the EU regulations that they are using. Rules do not change quickly enough to accommodate the lightning-fast advancement of technologies, so there has to be a different approach.
The Conflicts of Safety and Security in Current Regulations
One of the major problems of current regulations is the frequent clashing of safety and security standards. For example, in safety cases, it’s assumed that any independent safety function failures happen independently, which is not the case in the event of a cyber attack. It’s also a frequent occurrence for safety to demand access where security restricts it because these two aspects of regulative actions use two very different approaches.
Unfortunately, this kind of division is counterproductive, as they limit the scope of each other and come in the way of an integrated approach that would be more effective.
Conflicting directives further complicate the problem, as the confusion and partial adhering to them creates gaps in the security of systems. Companies tend to avoid specific guidelines and regulations and only design products that fit a single directive, which breaks safety rules.
In eliminating conflicting directives, there needs to be a thorough review of regulations, especially in industries where companies already keep up a high standard of safety, such as healthcare. The study would aim to see where resilience and cyber safety could incorporate into the regulations in a way that is flexible enough not to demand constant changes.
Cybersecurity Certification and Future of Regulation
Some of the discrepancies come from regulatory bodies and industrial consortia having different outlooks on the problem of cybersecurity and certification. For consortium and agencies, the focus is on consumer issues and convenience. It is why we need more technical expertise in regulatory bodies, and people who will be able to review safety regulations with cybersecurity threats in mind. What’s more, they need to be able to discharge resilience duties and come up with new approaches to ensure the integration of safety and resilience practices.
Europe has always been leading the certification and the security area about technology. Legislation is an opportunity to have a harmonized market for security, with the eiDAS Regulation for identity management, the GDPR, or the Cybersecurity Act. This legislation brings a whole field of work, putting the consumers and the citizens in the center of businesses’ reflections.
The EU’s new Cybersecurity Act aims to improve EU cyber resilience and response by building upon existing instruments that keep networks and information systems secure.
EU Cybersecurity Certification Framework will make it easier for ICT manufacturers and developers to serve the EU market. A unified certification framework across all of EU will reduce the effects a fragmented market has on the online economy.
Eurosmart is driving a great initiative to innovate the certification scheme concept and protect the consumer by defining a substantial level certification framework for IoT devices. These IoT devices will be integrated in machinery such as smart TVs, Connected Cameras, Smart locks Smart Heat which then should go on the safety certification to make sure the product isn’t impacting the health of the user.
Finally, it’s becoming increasingly essential to create robust regulations and certification schemes that wouldn’t be made obsolete by the advancement of our technologies. An approach that would unify the critical principles of safety, security and resilience instead of continuing to pit them against each other is long overdue. That will make it much easier to ensure the cybersecurity of all of our systems on a scale.