OPIT - Open Institute of Technology’s Post

Let’s have a discussion. I’m looking forward to reading your opinions. As I mentioned on Monday, the European Union recently adopted the Cyber Resilience Act. The Act applies to both consumer and industrial IoT devices. It’s a way to streamline cybersecurity requirements across different EU countries. The only types of products and devices that are exempt from the new Act are the classifications of devices that are already governed by EU-wide legislation in this manner, such as automobiles, medical devices, and aeronautical products. Industrial enterprises in EU will have to be compliant with some parts of the Act very soon, and other parts of the Act won’t require compliance until three years from now. Here are my questions for everyone here. 1. Should the Act have applied to automobiles, medical devices, and aeronautical products as well, and overridden previously existing EU legislation? 2. Is it okay for legislation like the Cyber Resilience Act to pertain to both consumer and industrial IoT? Or should regulations for consumer IoT, such as kitchen appliances and children’s toys, always be separate from regulations for industrial IoT, such as network connected ICS? #NoMoreSafetyWithoutCybersecurity Giuseppe Biffi Lucia Bruno @Andrés Cartagena Ruiz Guido Colombo Daniele De Marchi Andrea Gozzi Eleonora Magni Federico Milan Martina Moietta Nicolò Nobili Andrea Olivetti Francesca Pavan Marco Taisch Breton @HON ITCORE MFL GROUP Miraitek Retuner Siemens @Digital Industries World (global profile https://lnkd.in/dUBXbEqA)

The Cyber Resilience Act is a significant step forward in harmonizing cybersecurity requirements across the EU, but it also opens up important questions about scope and application. 1️⃣ On whether it should apply to automobiles, medical devices, and aeronautical products: Existing EU legislation governing these sectors is already highly specialized and tailored to their unique risks. Overriding such frameworks could risk redundancy or conflicting requirements. That said, ensuring interoperability and consistency between sector-specific regulations and the Cyber Resilience Act will be critical. 2️⃣ Regarding the inclusion of both consumer and industrial IoT: While the goal of unifying cybersecurity standards is commendable, the vastly different risk profiles and threat landscapes between consumer and industrial IoT might warrant distinct approaches. For instance, a compromised connected toy poses a different level of societal and economic risk than a breached ICS in a critical infrastructure setting. A layered framework that acknowledges these differences while maintaining baseline requirements could strike a balance. Looking forward to hearing others' thoughts! 😊 #cybersec #itot #iiot #hack #security #cybersecurity #safety #cybersafety #nis2 #cyber #act #eu #industry40 #NoMoreSafetyWithoutCybersecurity

71% of European OEMs feel that privacy and security laws limit their ability to maximize the use of the connected products they offer, up 24 percentage points from 57% in 2020. https://lnkd.in/dCZWnKTK According to our IoT Commercialization & Business Model Adoption Report 2024, European OEMs were the only ones out of Europe, North America, and the Asia-Pacific region to rise in this sentiment. Two examples of recent European privacy and security that likely influence this sentiment: 1️⃣ EU Data Act – Adopted in late 2023 and effective starting by early 2026, this act requires manufacturers to address clarity in data rights, ensuring users have control over the data generated from connected products. 2️⃣ UK Product Security and Telecommunications Infrastructure (PSTI) Act – In effect since April 29, 2024, this regime places the responsibility for the security of connected products squarely on the OEMs, meaning they must be proactive in ensuring their products meet security standards. 📄 Read more about how privacy and security laws affect OEMs’ connected products, as well as other insights for creating a successful IoT business model, here: https://lnkd.in/dCZWnKTK 🔍Access the full report for more about these laws and other insightful patterns of success and possible pitfalls when introducing connected IoT products to the market here: https://lnkd.in/dy9EbhEf #OEM #businessstrategy #iot #security #privacy

🚨 Privacy and Security Concerns on the Rise for European OEMs 🚨 71% of European OEMs feel that privacy and security laws limit their ability to maximize the use of their connected products. That's a significant increase from 57% in 2020! Read more about it in our IoT Commercialization & Business Model Adoption Report 2024. 🔍 Access the full report for more insights into these laws and other patterns of success and potential pitfalls when introducing connected IoT products to the market: https://lnkd.in/dCZWnKTK P.S. Your thoughts? Comment below! ♻️ If you found this insightful, consider resharing for your network. Thank you! #OEM #businessstrategy #iot #security #privacy

🚨 𝗩𝘂𝗹𝗻𝗲𝗿𝗮𝗯𝗶𝗹𝗶𝘁𝗶𝗲𝘀 𝗶𝗻 𝗢𝘃𝗿𝗖 𝗣𝗹𝗮𝘁𝗳𝗼𝗿𝗺 𝗘𝘅𝗽𝗼𝘀𝗲 𝗜𝗼𝗧 𝗗𝗲𝘃𝗶𝗰𝗲𝘀 𝘁𝗼 𝗥𝗲𝗺𝗼𝘁𝗲 𝗔𝘁𝘁𝗮𝗰𝗸𝘀 🚨 A recent security analysis of Snap One’s OvrC cloud platform uncovered 10 serious vulnerabilities, putting IoT devices—like smart power supplies, cameras, routers, and home automation systems—at risk. Exploiting these flaws can allow attackers to remotely access, control, and disrupt connected devices. 𝗞𝗲𝘆 𝗳𝗶𝗻𝗱𝗶𝗻𝗴𝘀: • Impacted Devices: OvrC Pro and OvrC Connect.  𝗠𝗮𝗷𝗼𝗿 𝗖𝗩𝗘𝘀: • CVE-2023-28649 (CVSS 9.2) - Device hijacking through hub impersonation. • CVE-2023-31241 (CVSS 9.2) - Claiming unregistered devices without a serial number. • CVE-2023-28386 (CVSS 9.2) - Code execution via firmware update uploads. • CVE-2024-50381 (CVSS 9.1) - Hub impersonation to unclaim devices. With IoT management increasingly cloud-based, securing device-to-cloud connections is critical. Snap One has issued patches, so ensure systems are updated to stay protected. #𝗖𝘆𝗯𝗲𝗿𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 #𝗜𝗼𝗧𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 #𝗖𝗹𝗼𝘂𝗱𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 #𝗩𝘂𝗹𝗻𝗲𝗿𝗮𝗯𝗶𝗹𝗶𝘁𝘆

Next-gen SIMs address security threats & #regulatory intervention With the rapid growth of connected devices and increasing cyberattacks and security breaches, #IoT #security has become a critical issue. Regulators are taking action to set security standards for IoT solutions, with the Federal Office for Information Security (BSI) in Germany leading the way. Federal Office for Information Security (BSI) has imposed strict security requirements on utility companies deploying IoT solutions, including the need for preapproved embedded security elements (eSEs) to be incorporated in #smartmeters for #device #authentication and #encryption. Regulators in the EU, US, and Singapore are also defining regulated security requirements for IoT deployments. Next-gen SIM products help address these security challenges. On the product side, eSIMs are sometimes sold in combination with an eSE, saving space and cost. On the service side, standards body GSMA developed a #standard called IoT SIM Applet for Secure End-2-End Communication (IoT SAFE for short). The standard allows the SIM to be used as root of trust, instead of a dedicated eSE, to generate keys and certificates that can be used to #encrypt end-to-end communication over the IoT network. Check out comment box for this month #Security #Presentation ! Follow us on Kaneshwaran Govindasamy and Global 5G Evolution Click comment box. #Subscribe our #Youtube.

IoT devices that are not properly developed or secured can result in the conditions: a. Service disruption: Manipulating an IoT device or devices to make an essential service (e.g., a power generating dam, the water system, a database) completely unavailable. b. Data theft: Gaining improper access to personally identifiable information (PII), such as names, user accounts, social security, national health ID numbers, telephone numbers and residence addresses. Increasingly, organizations and individuals alike are concerned about the use – and misuse – of personal information. c. Data or service manipulation: Where the attacker can make arbitrary changes to the settings of a device, which can cause loss of life, loss of service, damage to the device itself or damage to other devices.

Architectural drawings, engineering plans, proprietary designs and occupant and IoT device data are all sensitive information in any construction project. You must systematically protect them from theft, unauthorized access or disclosure to competitors. ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) for assessing and treating these security risks. Learn more: https://bit.ly/3TbVGhD. #ISO27001 #IEC27001 #InformationSecurity #Construction #BuiltEnvironment

Architectural drawings, engineering plans, proprietary designs and occupant and IoT device data are all sensitive information in any construction project. You must systematically protect them from theft, unauthorized access or disclosure to competitors. ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) for assessing and treating these security risks. Learn more: https://bit.ly/3TbVGhD. #ISO27001 #IEC27001 #InformationSecurity #Construction #BuiltEnvironment

Controlling #lateralmovement is the cornerstone of #ZeroTrust (3/3 - #usecases) #TrustEverybodyButCutTheCards **** #EastWest #Firewall Replacement with zero trust #segmentation • Automatically provision every device into a segment of one (/32) • Auto group devices, users and apps by analyzing the traffic patterns. This prevents #roguedevices using #MACspoofing to get on to the network. • Dynamically enforce policies for east-west traffic based on #identity and #context of users and devices **** IT/OT Segmentation • Autonomously group and enforce policy for known #MACaddresses on any device; eg. #RDP access to cameras denied except for Admins • Automatically isolate unknown MAC addresses to limit #blastradius in case of a compromised device • Integrate with #assegmanagement systems for secure access control policies **** IT/OT Automatic Device #Discovery & #Classification • Discover, classify and #inventory IoT/OT devices without the need for endpoint agents • Get a #baseline of #trafficpatterns and device #behaviors in order to determine authorized and unauthorized access • Gain #AIdriven network insights for #performancemanagement and #threatdetection Source: https://lnkd.in/dsTFKsHx #TrustEverybodyButCutTheCards