Navigating IoT Regulations and Global Compliance with Transforma Insights, BH IoT Group and Somos
The 2024 Somos Summit in Las Vegas united industry leaders, innovators and visionaries to explore the future of telecommunications, fraud prevention and trusted communications. In addition to these key discussions, the event also delved into the exploration of regulatory challenges and advancements in the IoT space – extending the conversation to the broader communications and connected ecosystems.
During the Power Session titled "Navigating IoT Regulations: Going Further Together in the Connected Devices Space," moderator Michael Smyth, Senior Product Manager at Somos, led an engaging discussion with panelists Steve Brumer, CEO of BH IoT Group, Jim Morrish, Founding Partner at Transforma Insights, and Marc Plante, Director of Business Development Operations at Somos. Together, they explored the growing importance of IoT security and the increasing regulatory efforts to safeguard the billions of connected devices that now surround us.
Michael Smyth began the session by laying the groundwork for those less familiar with the IoT space, explaining that IoT refers to the network of devices and sensors that connect to the internet without human intervention. From asset trackers to medical devices, IoT has become a crucial part of global infrastructure, with over 4 billion IoT connections on cellular networks alone. "These devices outnumber us," Michael noted, emphasizing that they’re also becoming prime targets for cyberattacks, especially as their presence expands in critical sectors like finance and healthcare.
Marc Plante highlighted how the threat landscape has evolved, with bad actors getting creative in exploiting seemingly simple devices. He used the analogy of a child causing significant damage with something small, comparing that to a malicious actor using IoT devices like light switches or doorbells to wreak havoc. Marc pointed to real-world examples, such as the Colonial Pipeline shutdown in 2021, which froze gas supplies to the U.S. South for a week, underscoring how vulnerable critical infrastructure can be to IoT attacks.
Steve Brumer reflected on the early days of IoT — back when it was known as "machine-to-machine" communication — and how little attention was given to security back then. "We had no idea what security was; we just prayed the data got from one end to the other," Steve joked. Fast forward to today, and the situation has dramatically changed. Now, companies often use multiple layers of security to protect IoT devices, but challenges remain. He emphasized that SomosID™, a tool developed to track IoT devices through their entire lifecycle, represents a game-changing solution for both legal compliance and security.
Jim Morrish took a more legislative approach, explaining that most emerging IoT regulations focus on security, particularly in relation to software supply chains. He cited the example of an executive order in the U.S. requiring Software Bills of Materials (SBOMs) to accompany purchases, ensuring transparency in the components that make up IoT devices. Jim also mentioned Europe’s Cyber Resilience Act (CRA), which mandates that IoT devices must receive security updates for at least five years, penalizing companies that fail to comply.
Marc Plante reinforced this by discussing how firmware, the basic operating system on many IoT devices, is often rife with vulnerabilities. According to Marc, 75% of the software components in IoT devices are infected with security flaws, making regulatory intervention both necessary and inevitable. He argued that this vulnerability in IoT devices is precisely why new laws are being introduced around the world to ensure their security.
Jim further explained that as IoT markets become global, vendors will need to ensure their products comply with security regulations across different countries. He described it as a way of "future-proofing" their business. The Cyber Resilience Act in the EU, for example, will likely set a baseline for IoT regulations worldwide. Jim suggested that the principles of security, consent and data rights established in the EU will influence regulations in other regions, making global compliance a necessity for IoT vendors.
Steve concluded the discussion by emphasizing that businesses will be motivated by both fear and necessity to adopt stronger security measures. He said, "People buy security due to fear. If you’re not protecting your products, you have a problem." He reiterated that tools like SomosID™, which offer end-to-end device tracking, will be essential in ensuring compliance and security in the expanding IoT space.
The session provided a sobering yet optimistic look at the future of IoT regulation. As billions of connected devices become integral to everyday life, the security risks they pose cannot be ignored. Panelists agreed that while IoT regulations are becoming more stringent worldwide, they are also necessary to ensure a safer and more resilient digital future. Companies that adopt these security measures proactively will not only avoid penalties but also build trust in the increasingly connected world.
To learn more about the 2024 Somos Summit and to gain access to on-demand recordings, visit www.somos.com/summit.