show image

EU Cybersecurity Act: how a little-known piece of legislation could transform the internet of things

Last month, it emerged that California had passed a bill to ban generic passwords. The legislation was lauded by information security experts, and made headlines around the world. But while it garnered global attention, legislators on the other side of the Atlantic were drawing up an even more transformative set of legislation, known as the Cybersecurity Act, which has so far flown under the radar.

Why is IoT security such an issue?

The proliferation of connected devices is one of the biggest headaches for infosec professionals. While in the past, networks comprised of a set number of devices, the emergence of the so-called “internet of things” has seen a huge rise in the size of the attack surface of any given organisation.

This is a problem that – without regulatory intervention – will only get worse. The number of connected devices globally is expected to rise from 23bn in 2018 to 75bn by 2025, and yet the security of such devices is often poorer than infosec pros would naturally expect.

In recent years, this has led to a number of high profile IoT attacks. One of the most disruptive was the mirai botnet, which exploited the poor security of connected devices to launch powerful distributed denial of service attacks on popular websites.

But the attacks aren’t always so widespread. Earlier this year, it was revealed that hackers had infiltrated a casino’s network using a thermometer in the lobby’s fish tank. They got away with the business’s high-roller database.

How does the Cybersecurity Act attempt to address the problem?

The EU’s Cyber Security Act has two main purposes. Firstly, it will give ENISA, the EU’s cyber security agency, a permanent mandate. As part of its new role, the agency will be given responsibilities for supporting member states, EU institutions and other groups in terms of cyber security, in the same way that the National Cyber Security Centre already does in the UK.

Its second function is to establish a new EU-wide certification framework for IT products, services and processes. In a press statement published over summer, the EU stated: “Certificates issued under the schemes will be valid in all EU countries, making it easier for users to gain confidence in the security of these technologies, and for companies to carry out their business across borders.”

What will the certification scheme entail?

The certification scheme will be voluntary, and feature three levels of security assurance: basic, substantial and high. “For the basic level, it will be possible for manufacturers or service providers to carry out the conformity assessment themselves,” the EU said.

There are some requirements common to all three levels of security assurance. They are: secure out of the box configuration, signed code, secure update and exploit mitigations and full stack/heap memory protections

When will the Cybersecurity Act be passed into law?

A spokesperson for the EU told NS Tech that the European Council and Parliament are now engaged in a series of discussions about the legislation and hope to finalise the text before the end of the year.

How has the industry responded?

Security pros surveyed by NS Tech have been largely receptive to the EU’s plans. Gary Hayslip, chief information security officer at Webroot, said: “As a security executive who worked in this field for over two decades, I believe it’s about time that someone acts. Industry has been slow to create any type of certification framework for IoT and the components or software that drive this new class of technologies.”

He added: “I believe many in the US will be moved to act because the of the EU coming out with this framework and legislation. It would not surprise me to see the State of California come out with something around IoT security once the EU has enacted theirs.”

How does it compare to existing legislation?

The UK has also created a new code of conduct for connected devices, possibly in anticipation of the EU Cybersecurity Act. The code outlines a series of measures manufacturers should take to protect their products. Among the thirteen recommendations, it calls for companies to adopt a disclosure vulnerability policy, to stop using default usernames and passwords and to build devices which can be issued with security updates.

A spokesperson for the Department for Digital, Culture, Media and Sport told NS Tech that the code would give businesses time to implement the measures before the government legislates in the area. It’s not yet clear when the legislation will be drafted or come into effect.