IoT rules are being written. Are manufacturers ready?

How can manufacturers reinvent product security for the evolving and expanding IoT ecosystem?

Smart cars. Smart watches. Smart speakers. Smart appliances. For consumers, internet-connected devices are fast becoming an integral part of daily life. IHS Markit predicts that the Internet of Things (IoT) will include more than 80 billion consumer devices by 2030.1

As the IoT grows, lawmakers around the world are moving to regulate it. At the state, federal and global levels, myriad IoT rules are coming down the regulatory pipeline, and a handful have already been signed into law.

These passed and proposed rules share a common focus: consumer protection. Recognizing that under-secured devices can compromise consumer health and safety, lawmakers are seeking to hold manufacturers accountable by requiring IoT products to meet certain security and privacy standards. Manufacturers are on notice: safeguard consumers on the IoT or suffer the financial consequences of noncompliance.

This wave of new IoT regulation is prompting manufacturers to consider ways to strengthen their device security programs, though regulation is not the only driver: stronger incentives are pushing the same transformation. After all, making safe and secure consumer products is what will enable tomorrow’s manufacturers to build customer trust, gain a competitive edge and grow market share.

So how can manufacturers reinvent product security for the evolving and expanding IoT ecosystem?

KPMG researchers examined the current global regulatory landscape and identified eight focal areas that recur across IoT rules. These focal areas form the building blocks of future IoT product security programs that not only meet regulatory requirements, but also protect consumers, earn trust and enhance the long-term value of IoT products.

  • Governance: Governance is the engine that drives compliant connected device security. Manufacturers must have effective governance in place to shape the direction of the program, promote standardization and consistency, and monitor regulatory risks on an ongoing basis.
  • Risk assessment: Manufacturers must understand the risks connected devices present to their own operations and assets as well as to their key stakeholders, including consumers. Risk assessment is the first step toward designing secure products, because it tells manufacturers where to focus their security efforts.
  • Supply chain management: Manufacturers are accountable for the security posture of third parties involved in their operations. Unique to the IoT device lifecycle, this includes oversight of software vendors that continue to interact with devices after they are delivered into consumer hands.
  • Secure development lifecycle: Manufacturers are expected to incorporate secure development lifecycle (SDL) techniques into the design and production of connected devices, ensuring IoT products are designed end-to-end with security in mind.
  • Configuration management: Manufacturers are responsible for ensuring that secure default configurations are preset on IoT devices, and for controlling who can change those configurations and what kinds of changes can be made.
  • Identity management, authentication and access control: Manufacturers are expected to adopt software security best practices so that use of connected devices is limited to authorized people, processes and devices.
  • Data management and privacy: Manufacturers are responsible for implementing reasonable methods to protect data that is generated by, stored on, and transmitted to and from connected devices. They are also expected to ensure the availability, confidentiality and integrity of the data needed to deliver post-market IoT services.
  • Vulnerability monitoring, management, patching and response: Manufacturers are expected to actively and continually monitor for, identify and fix security problems in IoT devices, including devices still in production and those already deployed and operating in consumers’ hands.

As new IoT security rules take effect, manufacturers have the opportunity to reinvent product security for the future. Our analysis shows that best-in-class IoT product security programs will embed consumer protection into every element of the product lifecycle. They will be designed to go beyond basic compliance, enabling manufacturers to earn and preserve customer trust by consistently building secure connected products.

Read our full report, After the rainfall of IoT regulations, for more insights on how manufacturers can prepare their organizations for new rules designed to safeguard consumers on the IoT, and learn how KPMG helps clients develop, deliver and support secure and compliant IoT products.