Guest opinion: Consumers have no control over connected device security; government, regulatory bodies must step in

This is a guest post by Dan Sahar, Entrepreneur and VP Product at Upstream Security. Upstream helps corporations mitigate connectivity risks and ensure the safety and security of smart mobility solutions protecting connected and autonomous vehicles.

Upstream Security, a vendor of security services for the automotive and mobility industries, has recently published extensive research on the severity and prevalence of connected vehicle hacking. Automotive-related cybersecurity incidents doubled in 2019 and have registered a 605 percent increase since 2016. While manufacturers focus on developing attractive products and rushing them to market, security remains a critical issue that not enough entities are looking into.

On Jan. 1, 2020, California’s first IoT security law went into effect, despite controversy about it being more vague than helpful. While it brings up critical issues related to device security, tech companies and manufacturers are struggling with compliance. Edge Industry Review has already provided our view on the law, as well as included a guest post by Adrian Sanabria, advocate for Thinkst Applied Research, an applied information security research firm.

We asked Dan Sahar, Entrepreneur and VP Product at Upstream Security, about his thoughts on the law and its implementation. Among the questions we asked:

• What is the law missing?
• How will this law affect manufacturers (in terms of restrictions and what they will be able to deliver vs consumer expectations)?
• Do you think some industries will be more affected than others?
• How would you define a connected device?
• How would you explain/define “reasonable security”?

Sahar’s responses follow:

For the automotive industry, cybersecurity is a topic that bears the responsibility of the OEM (vehicle manufacturers) and fleets alike. On their part, consumers have little ability to influence the security posture of the connected cars they procure.

As such, governments and regulatory bodies can promote and mandate cybersecurity measures to be taken by car manufacturers that are selling connected vehicles. This can be done in the form of regulation – in a similar way that regulation such as PCI-DSS (Payment Card Industry Data Security Standard) promoted privacy and security measures for online security. On the automotive side, there is also the safety aspect and, as such, bodies such as NHTSA and their equivalents in the E.U. and Asia should also be involved.

On the other hand, the law also has a broad definition of “connected device,” which is defined as “any device, or other physical object that is capable of connecting to the internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” S.B. 327 (to be codified at Cal. Civ. Code § 1798.91.05(b)). As such, the law is not limited to mere consumer devices, but potentially includes, to the extent a device is not subject to other federal law or regulations, industrial IoT devices, retail point-of-sale devices and health-related devices that connect to the internet and that receive an IP address or Bluetooth address.

In the automotive industry, we defined connected vehicles as vehicles that have either embedded or after-market connectivity to the internet (e.g., via OBD-II dongle devices). Reasonable security for automotive entails the encryption of all data at rest or in motion (e.g., communication), but also the establishment of real-time monitoring, detection and response operation that encompasses the entire connected vehicle architecture – spanning both the vehicles as well as cloud infrastructure and applications.

In April 2018, the California Vehicle Code (CVC) Section 38750 came into effect, which “requires the DMV to adopt regulations governing both the testing and public use of autonomous vehicles on California roadways,” thus meeting industry cybersecurity standards. The World Forum for Harmonization of Vehicle Regulations under the United Nations Economic Commission for Europe (UNECE) is expected this year to complete regulations that make cybersecurity a requirement for all vehicle sales.
