
Is your workforce ready for Cybersecurity regulations?

The following article covers cybersecurity regulations, security technologies, and security courses offered by Doulos to help you develop and implement an effective security strategy for your organization.

Connected devices are all around us. From wearables to connected cars and from smart fridges to smart TVs, we are surrounded by intelligent devices that make our lives easier. With the advent of high-speed networks and an ecosystem of supporting services and applications, connected devices have flourished and now touch almost every area of our lives, and growing AI capabilities are pushing them further still. It is not surprising that the number of connected devices is predicted to reach close to 30 billion by 2030 (statista.com, May 2024).

The proliferation of connected devices has also raised concerns about security breaches compromising product features. These concerns have made regulators look into tightening security regulations for connected devices.

There have been several cybersecurity breaches in which security vulnerabilities in connected IoT products were exploited. The CVE (Common Vulnerabilities and Exposures) website lists thousands of cybersecurity vulnerabilities recorded globally since 1999. Everyday IoT devices such as connected doorbells, pet feeders, thermostats, baby monitors, and many more have been the target of security attacks. These vulnerabilities have allowed attackers to gain unauthorized control of networks and devices, resulting in cybercrimes such as spying and tampering with critical product functionality. This carries not only regulatory and financial implications for the companies manufacturing these products, but also a reputational risk in a competitive market.

Globally, regulators are introducing or expanding legislation that places security requirements for IoT products on the product manufacturers.

In the UK, the Product Security and Telecommunications Infrastructure Act 2022 (PSTI) came into effect on April 29, 2024. The act aims to enhance the security of consumer IoT products and puts the responsibility on product manufacturers to consider cybersecurity as part of their product design. The scope of the law covers consumer IoT devices such as connected appliances, smartphones, connected cameras and smart home assistants, but excludes some connected devices that are already covered by other regulations, such as medical devices and smart meters.

Some of the key requirements included in this act are:

  • Manufacturers need to publish the support period during which customers will receive security updates for their IoT device.
  • Manufacturers should have a vulnerability disclosure policy for reporting and managing security vulnerabilities in a product. They should provide clear information to customers on how to report security issues. There should be at least one point of contact for customers to report an issue and they should receive an acknowledgment of their report and status updates until the issue has been resolved.
  • The act prohibits the use of universal default passwords for consumer IoT products. Passwords must be unique per product and must meet the minimum password requirements in order to minimize security risks.
  • Manufacturers need to provide a statement of compliance including details of their products, a defined support period, and a declaration that the product complies with the security requirements set out in the act. Serious non-compliance with these requirements risks penalties of £10 million or 4% of the manufacturer's global revenue, whichever is higher.

The European Parliament has also recently passed the Cybersecurity Resilience Act (CRA) on March 12, 2024. The Act covers all connected digital products that process data remotely. Like the UK PSTI act, some categories of products such as medical devices, defense and military products and motor vehicles are not in the scope of CRA, as they are regulated through industry-specific legislation. The aim of the CRA is to establish common cybersecurity standards for digital products and connected services sold in the EU market.

The CRA will impact manufacturers of digital products operating in the EU. Products are categorized into default, Class I and Class II categories. Class I and Class II have stricter security requirements, and Class II mandates a third-party assessment for compliance.

The CRA requires manufacturers to consider the security of their products throughout the entire lifecycle, from design and production through to support. Security factors such as data encryption and access management, solutions to address security risk factors, and measures to minimize the impact of any security attack should be considered during the product design phase. Manufacturers should ensure there are no known vulnerabilities in the product. They need to provide security updates for 10 years or for the remainder of the support period and maintain a record of any vulnerabilities during the product lifecycle. Any security breach must be reported to ENISA (European Union Agency for Cybersecurity) within 24 hours.

The CRA is expected to come into force by mid-2024 and manufacturers will have 36 months to implement the new requirements, except for reporting requirements which apply from 21 months. Fines for non-compliance can be up to €15 million or 2.5% of global annual revenue, whichever is higher.

In the US, the Securities and Exchange Commission (SEC) introduced new cybersecurity rules effective from December 15, 2023. The rules require publicly listed companies in the US to report cybersecurity incidents, and disclose the impact on the company, within four business days after the company determines that it has experienced a material cyber incident.

With these and other global regulations impacting cybersecurity requirements and compliance standards, it is not surprising that organizations are prioritizing investment in cybersecurity. The Logicalis Global CIO Report 2024 indicated 83% of CIOs reported that their business had experienced a cyber-attack within the past year, but only 43% of CIOs reported feeling their business was fully equipped to tackle cybersecurity attacks. Gartner’s 2024 Technology Adoption Roadmap for Security and Risk Management report highlights multiple security technologies, in different stages of adoption, that organizations are looking to deploy to strengthen the security of their products.

Deploying these technologies demands a skilled workforce that can apply a security-by-design approach when developing products, so that security risks are minimized from the outset. When working against tough project deadlines mandated by the various cybersecurity regulations, a trained team can make all the difference between the success and failure of a project. For such high-impact projects, it is important to have an experienced training partner who can deliver your specific training requirements and make your team project-ready.

This is where Doulos steps in with its security training solutions.

With over 30 years of experience in training engineers in a variety of technical areas, Doulos training is unique as it is delivered by subject matter experts and includes extensive hands-on labs covering all aspects of the design and development process.

Doulos security courses include:

  • Embedded System Security for C/C++ Developers: This course provides an awareness of the security issues affecting microcontroller-based embedded systems and teaches approaches to identify and protect against them. Since many of these systems are developed using the C or C++ programming languages, it looks at how C/C++ should be written to avoid security vulnerabilities. It also considers alternative software and hardware-based solutions to ensure that every aspect of the embedded software application from booting, functional operation, data communication and updates is secure. It references relevant sections of the Arm PSA and IoTSF Security Assurance Framework throughout the course.
  • Practical Embedded Linux Security: This course covers security topics and technologies widely used to help secure Embedded Linux systems. It teaches how teams can manage their security as a top-down process using a secure development lifecycle methodology. The Yocto build system is used to illustrate how security choices (compiler options, container settings, access control models, etc.) can be implemented at a distribution level. Linux is also a rich environment for adversaries who are likely to invest time to compromise an embedded Linux target in order to establish a versatile and persistent presence. To this end, the course will also help teams identify and manage common vulnerabilities and exposures (CVEs) through the use of well-known testing and vulnerability assessment tools. The course also investigates platform security features such as secure boot and trusted execution environments (TEEs) using a QEMU emulator.

Doulos can help you get your team trained to enable them to comply with cybersecurity regulations.

Take an important step in protecting your organization from cybersecurity threats by enquiring now about our security courses. Check out the course links above, contact your local Doulos team or complete an enquiry form.