Trends in cybersecurity related laws and regulations

In this article, we provide a brief overview of the trends in cybersecurity-related laws and regulations for IoT devices, a topic that companies frequently ask us about.


Since the 2010s, the market for IoT devices has expanded, and industrial equipment has become increasingly networked and IoT-enabled. For example, FA (factory automation) equipment has moved from operating standalone in a closed network to being networked and IoT-enabled, and "Industry 4.0" has become the standard. Going forward, advances built on IoT and incorporating other technologies such as robotics, AI, and 5G are expected to accelerate.


Meanwhile, major cybersecurity laws and standards have begun to be established in each industry, resulting in the situation shown in the diagram below.


Furthermore, the U.S. government/FDA has released guidelines summarizing recommended cybersecurity measures for medical devices in both the pre-market application and post-market phases. Some of these requirements have been enacted into law through the FD&C Act.


In Japan, cybersecurity guidelines and laws are being developed in accordance with overseas guidelines and standards.


In the future, it will become very important for many companies to take a bird's-eye view of these laws and standards and to create detailed strategies covering basic policies, business processes and rules, tools, operational systems, supplier management, and so on.

The table below lists, for each perspective, the key requirements and examples of provisions in laws and regulations that call for them.

Perspective: Basic policy

Key requirements

  • Cybersecurity measures, processes and systems are defined and documented

Examples of provisions in laws and regulations

  • Documentation of CS-related activities (IMDRF)

  • Development and documentation of a security management system (ISA/IEC 62443)

Perspective: Business processes and division of roles

Key requirements

  • Design-time cybersecurity risk assessment, countermeasure implementation, and verification (penetration testing, fuzz testing, etc.)

  • Definition of a post-market vulnerability monitoring/response process

Examples of provisions in laws and regulations

  • Threat modeling/risk assessment implementation (many examples)

  • Fuzz testing, configuration analysis using binary analysis (FDA)

Perspective: SW development/management rules

Key requirements

  • Application of countermeasure methods such as secure coding rules and implementation of attack countermeasure functions

  • Providing development documents, vulnerability information, etc. to customers and other parties

Examples of provisions in laws and regulations

  • Secure coding practices, adoption of regulations (ISA/IEC 62443, NISTIR 8259)

Perspective: Introduction and operation of tools

Key requirements

  • Management of SW components and vulnerabilities using SBOM

Examples of provisions in laws and regulations

  • Report third-party parts in SBOM (FDA)

  • Software management with SBOM (IMDRF)

  • Identify and document components included in the product (EU)

Perspective: Operation system

Key requirements

  • Establishment of an organization, responsibilities, education, and evaluation/audit system for cybersecurity response

  • Testing conducted by an independent organization

Examples of provisions in laws and regulations

  • Development and documentation of the system, responsibilities, applicable targets, and education/evaluation system (ISA/IEC 62443)

  • Penetration test conducted by a team independent from development (FDA, ISA/IEC 62443)

Perspective: Supplier management/contract system

Key requirements

  • Requirements definition when selecting and adopting third-party parts

  • Managing third-party parts with SBOM

Examples of provisions in laws and regulations

  • Requirements formulation and documentation for third-party parts (ISA/IEC 62443)

  • Managing third-party parts with SBOM (many examples)

About Covalent Co., Ltd.

Covalent Co., Ltd. provides "real solutions" by combining advanced technical knowledge and deep industry knowledge. Our mission is to build true partnerships (covalent bonds) with our clients, to tackle difficult challenges together, and to provide technology and cross-border know-how and tools.

In recent years, we have started providing cybersecurity-related services, mainly for the manufacturing industry: research to inform cybersecurity measures, consulting on process, rule, and system development, and the introduction of tools such as SBOM. Alongside these activities, we also participate in demonstrations conducted by the Ministry of Economy, Trade and Industry, and actively work to share our expertise broadly with industry.

If you are interested, please contact us

If you are facing any issues with cybersecurity measures for IoT devices such as in-vehicle software, compliance with related regulations, SBOM compliance, etc., please feel free to contact us regarding our services.
