
Exploring the Varied Facets of the Internet of Things: From Its Benefits to Its Flaws and Everything In Between

Global Regulatory Bodies Stepping up Vigilance to Ensure Device Makers Prioritize Security and Privacy Concerns. September remains a focal point of their attention.


In an increasingly connected world, the Internet of Things (IoT) is revolutionising various sectors, from healthcare to manufacturing. However, this disruptive technology also presents new challenges, particularly in the realm of security.

Recent attacks on high-profile organisations, such as the 2012 assault on Saudi Aramco's computer systems and the National Iranian Oil Company's Kharg Island oil terminal, have been compared to the fictional scenario of Die Hard 4.0 in the real world. More recently, hackers are alleged to have attacked an unnamed steel mill in Germany, causing considerable damage by manipulating and disrupting its control systems.

These incidents highlight the vulnerability of smart industrial systems, including those in manufacturing, to cyber-attacks. If personal information, generated in this connected world, falls into the wrong hands, it could be a gold mine.

In response to these concerns, the Article 29 Working Party, an independent European advisory body on data protection and privacy, issued an Opinion last September reviewing the Internet of Things (IoT) and assessing the state of applicable law in Europe.

Their recommendations for IoT device manufacturers in Europe emphasise building security into the product lifecycle. This includes addressing vulnerabilities with timely updates and ensuring secure default configurations, such as no default passwords. Manufacturers are also advised to prepare for third-party conformity assessments, especially for critical products, to comply with the Cyber Resilience Act (CRA), which has been in force since January 2025. Compliance enables manufacturers to use the CE marking for cybersecurity, signalling adherence to EU security requirements and avoiding significant fines for non-compliance.

Key points include designing, developing, and maintaining devices to meet security standards throughout their lifecycle, implementing timely security updates to address vulnerabilities, ensuring secure default configurations to reduce attack surfaces, undergoing third-party conformity assessments when required, particularly for products deemed critical, and preparing for regulatory compliance ahead of the full applicability date in December 2027.

The CRA's intent is to shift responsibility onto manufacturers to embed security by design to prevent insecure IoT products flooding the market. The Article 29 Working Party’s guidance aligns with these obligations as part of EU data protection and cybersecurity best practices.

While the search results do not quote the Article 29 Working Party explicitly, the CRA provisions reflect its long-standing stance on data protection and security in connected devices, reinforcing manufacturers’ duties in securing IoT devices against vulnerabilities and ensuring privacy compliance.

The need for security in the IoT is further underscored by incidents like the attacks on the retailer Target and the health insurer Anthem, which impacted nearly 80 million people. As our world becomes more connected, it is crucial that manufacturers prioritise security by design and by default, adhere to conformity assessments, and comply with the CRA requirements so that they can market IoT devices within Europe securely and lawfully.

[1] For more information, please refer to the Article 29 Working Party's Opinion on the Internet of Things and the Cyber Resilience Act.

  1. In the realm of manufacturing, where the Internet of Things (IoT) is significantly transforming processes, it is essential for device manufacturers to prioritize security by design, as recommended by the Article 29 Working Party.
  2. To ensure security in the IoT, manufacturers in Europe are advised to address vulnerabilities with timely updates, implement secure default configurations, and prepare for third-party conformity assessments, particularly for critical products.
  3. Compliance with the Cyber Resilience Act (CRA) and EU security requirements not only helps manufacturers avoid significant fines but also signals adherence to best practices in data protection and cybersecurity.
