How IoT Device Security Challenges Impact Regulatory Compliance

The security challenges of connected devices haven't gone unnoticed by regulatory bodies. In response to growing threats and incidents, governments worldwide have introduced increasingly stringent regulations specifically targeting connected device security. Understanding and complying with these evolving requirements has become a major challenge for manufacturers and deploying organizations.

Key regulations include:

EU Cyber Resilience Act (CRA): This landmark regulation, expected to be fully implemented by 2027, introduces mandatory security requirements for products with digital elements. The CRA emphasizes security by design principles, vulnerability management processes, and comprehensive documentation of security measures. To comply, manufacturers will need to perform conformity assessments and maintain security support throughout a product's lifecycle.

Product Security and Telecommunications Infrastructure (PSTI) Act (UK): Enacted in 2022, this law bans default passwords, requires transparency about security update support, and mandates vulnerability disclosure policies for consumer IoT products.

NIS2 Directive (EU): Building on the original Network and Information Security Directive, NIS2 expands cybersecurity requirements to additional sectors and imposes stricter risk management measures, incident reporting obligations, and supply chain security requirements. Organizations deploying connected devices in critical infrastructure must ensure these devices meet heightened security expectations.

NIST IoT Cybersecurity Framework: While not a regulation itself, this framework from the National Institute of Standards and Technology provides guidance that increasingly informs regulatory requirements in the US, like the US Cyber Trust Mark. It emphasizes secure development practices, risk assessment methodologies, and security control implementation for connected devices.

FDA Cybersecurity Requirements (Healthcare IoT): The Food and Drug Administration has strengthened cybersecurity expectations for medical devices through its pre-market submission guidance and post-market security management requirements. 

The Ponemon Institute found that 89% of healthcare organizations experience almost one attack per week.

Across these diverse frameworks, common requirements emerge: security by design principles, vulnerability management processes, transparency about security practices, and ongoing security updates throughout a product's lifecycle.

Compliance Challenges for IoT Manufacturers

These regulatory frameworks create significant compliance challenges for connected device manufacturers:

• Tracking and Securing Third-Party Components: The complex supply chains behind connected devices make compliance documentation extremely challenging. When a single device might incorporate dozens or even hundreds of components from different suppliers, ensuring and documenting the security of each component becomes a massive undertaking. 
  
  
• SBOM Requirements: Software Bills of Materials (SBOMs) are becoming a regulatory expectation. These comprehensive inventories of all software components within a device are essential for vulnerability management but difficult to create and maintain manually. 

Gartner predicted 60% of organizations responsible for critical infrastructure software will mandate and standardize SBOMs in their software engineering practices by 2025 -- an uptick from less than 20% in 2022.

• Continuous Security Assessments: Regulatory frameworks increasingly require ongoing security testing and assessments throughout a product's lifecycle. For resource-constrained manufacturers, conducting regular penetration tests, vulnerability scans, and security audits represents a significant operational burden.

• Firmware Vulnerability Management: Regulatory frameworks increasingly expect manufacturers to provide timely security updates for known vulnerabilities, a requirement that can be technically difficult and costly to fulfill without automated vulnerability management.
  
  
• Authentication and Access Control: Regulatory requirements around strong authentication clash with the reality of many connected devices that still rely on weak access controls. Implementing robust authentication mechanisms while maintaining usability and performance is a significant challenge.
  
  
• Supply Chain Risk Management: Regulations increasingly hold manufacturers responsible for security throughout their supply chain, requiring formal vendor assessment processes, contractual security requirements, and ongoing monitoring. 
  
  
• Resource Constraints: The technical limitations of many connected devices make implementing certain security controls required by regulations difficult or impossible. Balancing compliance requirements with device capabilities remains a persistent challenge.

Penalties for Non-Compliance

The consequences of failing to meet regulatory requirements are becoming increasingly severe:

• Financial Penalties: Under frameworks like the EU Cyber Resilience Act, non-compliance can result in fines up to €15 million or 2.5% of worldwide annual turnover, whichever is higher. Even smaller regulatory actions can result in significant financial impact.
  
  
• Market Access Restrictions: Non-compliant products may be prohibited from sale in regulated markets. For example, the UK's PSTI Act enforces compliance by restricting non-compliant devices from the UK market, potentially cutting manufacturers off from millions of customers.
  
  
• Mandatory Recalls: Regulatory bodies like the FDA have the authority to order recalls of devices with significant security vulnerabilities. 

In 2017, the FDA recalled almost 500,000 pacemakers due to cybersecurity concerns, costing the manufacturer millions in recall expenses

• Reputational Damage: Beyond direct regulatory consequences, security failures can devastate brand reputation. 

75% of U.S consumers would stop purchasing from a company that suffered a cyber incident 

Finite State equips connected device manufacturers with the tools and expertise to navigate regulatory complexity with confidence. From automated SBOM generation and vulnerability management to penetration testing and secure development lifecycle guidance, our platform and advisory services are purpose-built for today’s compliance demands.

Don't let compliance risk stall your innovation 👉  Talk to Finite State to learn how we can help you build secure, compliant products faster.