IoT Regulation a Topic of Interest for Fed Agencies

Alan Earls

While the FCC’s sudden interest in net neutrality and its even more sudden imposition of regulations gained a lot of media attention over the last several weeks, another agency also made some moves that could become equally momentous. They came in the form of preliminary comments from the Federal Trade Commission (FTC) relating to the potential for regulating the Internet of Things. To be sure, the FTC didn’t go too far down the road: Chairwoman Edith Ramirez merely held a press conference to discuss the release of a report on the subject. Still, regulations have to start somewhere…

The report, Internet of Things: Privacy & Security in a Connected World, focused mostly on the consumer aspects of IoT, particularly looking at the risks that accompany the rewards of fitness monitoring devices and other personal and home automation technology. And there is certainly plenty of room for concern. The report cited an Internet-connected camera, marketed to consumers, that turned out to be insecure (though marketed otherwise) and allowed hackers to access live feeds of homes, families and children, and other personal activities.

However, the report also included topics relevant to industrial uses of IoT, such as the way poor security could facilitate attacks on other important systems by way of an IoT device. Safety and control risks could also arise where hackers have the potential to break into systems, the report said.

Meanwhile, with its years of wrestling with the related issue of securing traditional industrial controls against attack, the National Institute of Standards and Technology (NIST) now has its own working group engaged in a long-term effort to consider how best to secure the new world of IoT devices.

The NIST Cyber-Physical Systems Public Working Group (CPSPWG) had its first meeting less than a year ago. According to the agency’s statements, the CPSPWG is focusing primarily on so-called “smart” technologies, such as those increasingly managing the power grid. As with similar technologies applied in an industrial setting, these systems promise increased efficiency and richer interaction between computer networks and the physical world. According to NIST, the key stakeholders in CPSPWG have identified the need to develop a consensus definition, reference architecture, and a common lexicon and taxonomy relative to the technologies. They also aim to ensure that dependability and security are considerations in the development and deployment of these technologies.

Following the growing buzz, a Senate committee on commerce, science and transportation held hearings on IoT regulation in February. Although the consensus of testimony, according to published reports, tended toward the “less is more” school of thought, there was also a clear impetus to make sure certain baseline considerations around privacy and security are part of the future.

Finally, it’s worth noting that government itself isn’t the only voice looking for regulations. Chris Murphy, editor of Information Week, in a recent article about GE’s predictions around the robust future growth of the industrial internet, touched on concerns for the public about rapid increases in automation. (He also noted that enhanced big data analytics will need to grow in lockstep with the industrial internet.)