This article gives an overview of international and domestic efforts to protect our connected world. These efforts will be ongoing in perpetuity as the world becomes more complex, riskier, and increasingly exposed to many varieties of threats.
Across the Pond
The European Union (and the UK) are actively addressing the security of wireless devices, as outlined under the Radio Equipment Directive (RED). The Directive, one of many that affect electronic devices, has a specific provision that is going to be enacted in the very near future. Manufacturers and test labs (and Notified Bodies) need to be prepared to manage an important clause in the RED.
The need is obvious: in our connected world, more Internet of Things (IoT) devices are being hooked up to networks, other devices and critical infrastructure. They are increasingly vulnerable to attacks from many corners of the internet. For instance, in our work, nearly every device has a wireless feature, implementing IEEE 802.11 standards for WiFi, Bluetooth, or other radio applications for radar, sensing and other uses of the electromagnetic spectrum.
The May 10, 2021 hacking of the Colonial Pipeline by bad actors, especially during these turbulent and fraught times, led the US Federal Government to issue an emergency declaration. This, coupled with work done by others in the industry, points to the fragile nature of our infrastructure, where penetration into networks is nothing new.
Many other alarming examples exist across the world and across the cyber-verse. In April of 2021 The New Yorker [1] published an amazing exposé of North Korea’s state-sponsored hacking and blackmailing operations, which squeeze billions of dollars from banks, corporations and other institutions, representing a significant contribution to the country’s coffers. In an ongoing effort, the North Korean government recruits talented programmers, gives them intense training and then runs targeted campaigns of extortion, often under severe duress to the programmers, including threats to their families and close ones if they don’t deliver.
So there is much discussion in many industries of ways to secure the networks. In the US, the National Institute of Standards and Technology (NIST) has developed a Cybersecurity Framework that provides organizations (both at the Federal and private industry level) with “standards, guidelines and best practices to manage cybersecurity risk.” [2] These are not mandated at present, with some exceptions for Federal Government purchasing guidelines; witness the prohibition on acquiring products from certain companies that have been implicated in IP theft or other breaches of trust.
Add wireless to the mix, and the cracks in the wall of security get wider.
At present, the European Union is implementing security measures for wireless devices. There have been provisions in the RED for security
The full legalese of the Article that addresses security is embedded here: RE Directive. Without repeating the full text of the Article, the key elements that industry is (already) considering are under the following Articles:
- Article 3.1: Health and safety
- Article 3.2: Radio spectrum efficiency
- Article 3.3: Radio equipment within certain categories or classes shall be so constructed that it complies with the following essential requirements: (a)-(c): inter-compatibility/functionality provisions
Until now, most of the work on radio devices has looked at the above provisions as they relate to device compliance with Articles 3.1, 3.2 and 3.3(a)-(c).
It’s starting to get a little interesting with the following provisions under Article 3.3(d), (e) and (f):
Article 3.3 (d): radio equipment does not harm the network or its functioning nor misuse network resources, thereby causing an unacceptable degradation of service;
Article 3.3 (e): radio equipment incorporates safeguards to ensure that the personal data and privacy of the user and of the subscriber are protected;
Article 3.3 (f): radio equipment supports certain features ensuring protection from fraud;
The above clauses are commonly viewed as the “cybersecurity clauses”, and further guidance from the EU is forthcoming.
As yet, no harmonized standards have been published to guide evaluations of devices. This leaves the interpretation of these requirements to the Notified Bodies (and others).
However, on 12 January 2022, the European Commission published the Delegated Regulation implementing RED Article 3.3(d), (e) and (f), covering cybersecurity.
The regulation comes into effect on 1 August 2023, with compliance required of manufacturers by 1 August 2023; the preamble to the document states:
- Protection of the network or its functioning from harm, protection of personal data and privacy of the user and of the subscriber and protection from fraud are elements that support protection against cybersecurity risks.
The regulation specifies that harmonized ENs should be published by 12 June 2023. Full implementation is specified to be before the end of 2024, with some phase-out periods of products already in the pipeline.
Other important clauses must also be mentioned. Notably, there is much discussion about Article 3.3(g), which covers access to emergency services (911 in the US, 112 in Europe), and Article 3.3(i), which protects users with disabilities. Finally, Article 3.3(j) mandates controls on software loaded onto devices that may otherwise compromise compliance (this Article could be construed as having cyber implications, since devices are increasingly connected to the cloud for performance and functional updates and could be compromised in some way).
It must be noted that, like all European Directives, these Articles and clauses set broad performance requirements. It is up to the standards bodies to develop criteria and procedures for these assessments, and at present the standards and protocols for assessing “cyber-resilience” are largely lacking. This should change soon as schemes are rolled out by the accreditation bodies, specifiers (such as customers and governments) and others in the industry.
The bad guys are busy. The compliance community has a large role in evaluation and helping manufacturers select effective and reasonable protections.