Iain Davidson, Senior Product Manager at Wireless Logic, has a 30-year career spanning hardware, software development, systems engineering, marketing, business development and product marketing. Working in the IoT space for more than half of his career, he is driven by IoT’s positive impact on sustainability and using technology for good.
Wireless Logic, founded in 2000, are leaders in IoT connectivity, remote SIM provisioning - eSIM, iSIM - and IoT security, with a focus on helping businesses defend, detect and react to security threats.
It now has more than 10 million IoT subscriptions active in 165 countries and direct partnerships with 50 mobile networks, and provides reach into more than 750 networks and more than 25,000 customers worldwide.
Here, Davidson sits down with Mobile Magazine to discuss the evolving IoT threat landscape and how the risks and impacts of cyber threats can be mitigated.
What upcoming IoT security legislation is in the works? What will that mean for the wider industry?
There is certain legislation, both current and impending, that enterprises need to be aware of. This includes the UK’s Product Security and Telecommunications Infrastructure (PSTI) Act, the EU’s Cyber Resilience Act, and the USA’s IoT Cybersecurity Improvement Act (for devices used by federal government). One key piece of regulation is the PSTI (Product Security) regime, which will come into effect on 29 April 2024. This will regulate a number of consumer products such as routers, webcams and connected fridges. Impacted products must be free of default passwords, have a vulnerability disclosure policy and be transparent about update support periods.
Companies need to be aware of how it will impact their specific sector and IoT products, and ensure they comply with it. However, the challenge remains that, as IoT deployments are international, legislation will vary from region to region; therefore companies will have to be able to adapt to this. Understandably, businesses look to legislation to understand what they need to do but it shouldn’t take this to spur them into action – the considerable damage that a cyber-security attack can do is more than sufficient motivation.
What challenges are there when it comes to implementing these policies?
There is clearly an industry need for reliable, measurable IoT cybersecurity. Device manufacturers and IoT solutions providers will want to certify that their approach meets identified requirements. They will look to industry standards and, for future-proofing, relevant legislation.
However, the World Economic Forum’s report on the State of the Connected World acknowledges that policies relating to the security of connected devices are fragmented by region. This strikes at the heart of the IoT security challenge. IoT deployments are often international, global even. Device manufacturers and solutions providers may find they have a range of existing and pending legislation to take account of.
The governance gaps called out by WEF will undoubtedly close. However, one thing is clear: even where legislative impact is still uncertain, the direction of travel is to more, and more stringent, IoT cybersecurity policies.
Another challenge for industry is that the frequency of attacks and methods used by cyber criminals are constantly evolving; therefore defences against those attacks need to evolve as well. While it is possible to certify that a standard has been met, this alone will not provide a guarantee that attacks will not be successful. My outlook and advice to companies is that they should implement defensive measures, but also prepare and practise for a security breach. Using automation (AI) to help detect changes in device or system behaviour is also a great technique, while training people and processes on how they should react to such breaches is also essential. The damage to revenue and reputation will be directly proportional to the time it takes to detect and react to cyber-attacks which get through the defences.
What impact will this have on device manufacturers?
IoT security and compliance cannot be an afterthought. The first, and most important, thing device manufacturers can do is act now. The legislative agenda notwithstanding, it won’t be long before organisations mandate cybersecurity compliance for the devices they procure. If, that is, they aren’t doing so already. Indeed, IoT security acquisition guidance from the US’ Cybersecurity and Infrastructure Security Agency (CISA) identifies that buyers adopting a security stance ‘send a demand signal for improved cybersecurity in IoT technologies to sellers and manufacturers of IoT technology’.
Manufacturers must also ensure their devices are secure by design. Moving forwards, companies deploying solutions will need to have 360-degree security in place. If unsure, identifying a partner to support on IoT security can be prudent.
What do you think the future of IoT security looks like?
The legislative landscape may be complex, but IoT device manufacturers and solutions providers should not wait for security compliance mandates. The considerable damage a cybersecurity breach can do is more than sufficient motivation to make IoT solutions secure by design. Added to that, tendering and other procurement processes are likely to demand, if they aren’t already, that respondents meet certain cybersecurity maxims.