Traditionally, regulatory pressures can drive market evolution and spark innovation, or do the opposite, switching off entire segments of industry overnight. What’s the situation with IIoT regulation today, and what might it be in the future?
The regulatory profile of the Industrial Internet of Things (IIoT) market is potentially highly complex. It not only attracts interest as a technology in its own right, but it also touches on a slew of related regulatory areas. For example, the use of radio spectrum in healthcare or aerospace environments is tightly controlled and regulated for obvious safety reasons. Therefore, individual IIoT applications in industry verticals will be regulated, while the overarching technology stack is also becoming a target as it matures.
Growing regulatory pressures
The US recently announced moves to regulate the IoT space with the Internet of Things (IoT) Cybersecurity Improvement Act of 2019. The Act – which is still making its way through the US political process – includes a requirement for the National Institute of Standards and Technology (NIST) to issue recommendations for secure development, identity management, patching, and configuration management for IoT devices. In addition, a section of the Act also requires NIST to work with cybersecurity researchers and industry experts to publish guidance on coordinated vulnerability disclosure to ensure that vulnerabilities related to agency devices are addressed.
Managing vulnerabilities
The ability to securely manage IIoT devices via unique identities and manage vulnerability disclosure and patching has been a central concern in IIoT rollouts for some time. Vulnerability management in IIoT presents a particularly interesting challenge, given the potentially limited bandwidth for over-the-air updates, limited memory space on the devices themselves, and the complications that could result from a failed update (physical access, rollback, etc).
While complex, there is increasing pressure to come up with solutions, especially after a string of high-profile incidents involving ‘botnets’ built from compromised IoT devices, such as Mirai and QBot, and more recently Torii. Mirai seized headlines globally in 2016 when it was used to DDoS Dyn, a US-based dynamic host service which was temporarily blasted off the internet by Mirai in the biggest such attack ever documented at the time, causing a widespread internet outage in the US and Europe.
While the US Act is the first widespread IoT regulation, California’s SB-327 has broken new ground in IoT security, forcing IoT devices sold in California to stop shipping devices with default passwords from January 2020. The law requires that all manufacturers of devices that connect to the internet have a unique preprogrammed password on those devices. Whether this will prove effective has yet to be seen.
Europe echoes security concerns
Across the pond, the European Telecommunications Standards Institute (ETSI) has developed similar rules, publishing the snappily-monikered ETSI TS 103 645 V1.1.1, part of which deals with cybersecurity in IoT.
As in the US law, the ETSI standard specifies “no universal default passwords”, as well as a shortlist of best practice provisions to manage vulnerability reports; securely store security-sensitive data; communicate securely; minimize attack surfaces; ensure software integrity; protect personal data; be resilient to outages; make use of telemetry data; allow users to delete personal data; make installation and maintenance easy; and validate input data.
However, critics have been quick to point out that the ‘best practice’ guidelines are exactly that, and without robust enforcement, the pressures of time to market will continue to trump security concerns.
Regulatory pressure as a market driver
On the positive side, regulatory pressures are behind many lucrative vertical markets for IIoT. For example, the European Industrial Valves and Actuators Market (set to accelerate from $5.8 billion to $7.05 billion by 2024) is set to be highly reliant on IIoT adoption, according to analyst firm Frost & Sullivan. This adoption is set to be enhanced by regulations laid down by bodies like the European Environment Agency (EEA) aimed at reducing pollution due to emission of toxic gases in the oil and gas industry.
Another driver has been US Food and Drug Administration (FDA) regulations around food transport temperatures under the Food Safety Modernization Act (FSMA). This mandates that shippers and carriers of foodstuffs in the US must maintain specific temperatures, record them at set intervals, and submit the results to the receiver of the goods to confirm compliance. The result is a vast network of temperature sensors embedded in fleet vehicles, storage and preparation areas, feeding data back to reporting functions in hundreds of businesses.
Future challenges remain
While some of the most vocal regulatory proposals are targeting the security of consumer IoT products, the fact is that IIoT products will come up against many of the same challenges, as well as potentially representing considerable risk to the wider company network. Regulation of IIoT and IoT deployments is undoubtedly accelerating, but it’s also clear that regulation in other industries offers potential for significant adoption boosts. As is often the case in IIoT, the future is set to be challenging, as well as positive!
By Martin Keenan who is the Technical Director at Avnet Abacus, which assists and informs design engineers in the latest technological advances. With the IoT and Industry 4.0 changing manufacturing, Avnet Abacus helps designers find the best technological fit for their industrial applications and accelerates the process all the way from idea to market.
More about Irish Tech News and Business Showcase here
FYI the ROI for you is => Irish Tech News now gets over 1.5 million monthly views, and up to 900k monthly unique visitors, from over 160 countries. We have over 860,000 relevant followers on Twitter on our various accounts & were recently described as Ireland’s leading online tech news site and Ireland’s answer to TechCrunch, so we can offer you a good audience!
Since introducing desktop notifications a short time ago, which notify readers directly in their browser of new articles being published, over 30,000 people have now signed up to receive them ensuring they are instantly kept up to date on all our latest content. Desktop notifications offer a unique method of serving content directly to verified readers and bypass the issue of content getting lost in people’s crowded news feeds.
Drop us a line if you want to be featured, guest post, suggest a possible interview, or just let us know what you would like to see more of in our future articles. We’re always open to new and interesting suggestions for informative and different articles. Contact us, by email, twitter or whatever social media works for you and hopefully we can share your story too and reach our global audience.
Irish Tech News
If you would like to have your company featured in the Irish Tech News Business Showcase, get in contact with us at [email protected] or on Twitter: @SimonCocking
More about Irish Tech News
Irish Tech News are Ireland’s No. 1 Online Tech Publication and often Ireland’s No.1 Tech Podcast too.
You can find hundreds of fantastic previous episodes and subscribe using whatever platform you like via our Anchor.fm page here: https://anchor.fm/irish-tech-news
If you’d like to be featured in an upcoming Podcast email us at [email protected] now to discuss.
Irish Tech News have a range of services available to help promote your business. Why not drop us a line at [email protected] now to find out more about how we can help you reach our audience.
You can also find and follow us on Twitter, LinkedIn, Facebook, Instagram, TikTok and Snapchat.