Law and Technology

Guarding the IoT frontier: Cybersecurity risks and strategies

With proactive measures and a commitment to security, we can turn the promise of IoT into a reality while safeguarding our digital future, writes Harsh Gour.

Harsh Gour

THE Internet of Things (IoT) (a network of physical objects embedded with sensors, software and other technologies that connect and exchange data with other devices over the Internet) is transforming sectors across India, from agriculture to healthcare.

With this progress come heightened cybersecurity risks. India's current legal framework is inadequate for addressing IoT vulnerabilities. The lack of mandatory security standards leaves critical infrastructure exposed to cyberattacks.

This article outlines the growing threat posed by IoT security breaches and explores advanced solutions such as artificial intelligence (AI), blockchain and zero trust architecture (ZTA) to strengthen IoT security.

Key policy recommendations include implementing mandatory IoT security certifications and sector-specific regulations, and fostering public–private collaboration to secure the digital ecosystem.

With proactive policies, India can harness IoT's potential while safeguarding against cyber threats, ensuring a resilient digital future.

Introduction to IoT and Its Expanding Landscape

The IoT is reshaping India’s digital landscape in remarkable ways. From revolutionising agriculture with smart sensors to transforming healthcare with connected medical devices, the IoT is at the heart of our digital future.

Yet, as we embrace these technological marvels, we must also confront a stark reality: each connected device is a potential target for cybercriminals.

Imagine a scenario where a hacker remotely takes control of a smart grid or tampers with a medical device. The consequences could be devastating, affecting not just individual users but entire sectors. It is clear that while IoT offers immense benefits, it also poses significant security risks.

To navigate this dual-edged sword, India needs a robust legal framework, targeted policies and cutting-edge technologies that work together to safeguard our digital ecosystem.

Legal gaps: Where India’s framework falls short

India’s legal framework for cybersecurity is like a well-intentioned but outdated map— it is helpful, but it does not guide us through the complex terrain of the IoT. The Information Technology Act, 2000 was crafted for a different era, focusing on issues that were relevant when the internet was still in its infancy. Today’s IoT landscape— comprising smart devices and interconnected systems— requires a new set of rules.

For instance, the Digital Personal Data Protection Act, 2023 protects personal data but does not address the technical weaknesses in IoT devices themselves. These devices collect and transmit sensitive information, and their security needs to be as stringent as the privacy protections we enforce. A single security lapse in an IoT device can have cascading effects, jeopardising entire networks.

Similarly, the National Cyber Security Policy, 2013 laid out ambitious goals but has not kept pace with the rapid evolution of the IoT. The absence of mandatory security standards for IoT devices means manufacturers often prioritise functionality over security, leaving critical infrastructure vulnerable.

Indian courts have yet to fully tackle the challenges of IoT cybersecurity. While the Puttaswamy case established privacy as a fundamental right, we need the judiciary to extend these principles to IoT devices. Protecting personal data in this context means ensuring that devices meet rigorous security standards.

Demonstrating the growing threat: Data and evidence

The evidence of IoT vulnerabilities is mounting— and it is alarming. A NASSCOM-Deloitte report projects that India will have around 2 billion IoT devices by 2025. This explosive growth, while exciting, brings with it significant security concerns.

Globally, IoT devices have become prime targets for cyberattacks. In 2020, incidents involving IoT devices surged by over 100 percent. In India, a 2021 attack on hospital IoT systems exposed sensitive patient data, revealing glaring security gaps.

Similarly, a 2018 attack on Pune’s smart city infrastructure disrupted essential services, underscoring the urgent need for enhanced security measures.

These examples are not just numbers— they represent real threats with tangible consequences. The rise in attacks highlights the need for stronger regulations and better security practices. The stakes are high, and we must act before the next breach impacts millions of lives.

Leveraging advanced technologies: The technical arsenal for IoT security

To tackle these threats, we need to harness the latest technological advancements. AI can analyse vast amounts of data from IoT devices, identifying potential threats before they escalate. For example, in smart manufacturing, AI can monitor machinery for unusual behaviour, preventing potential disruptions.

Blockchain technology offers another layer of protection by ensuring data integrity and access control. It is like having a digital ledger that is nearly impossible to tamper with, making it ideal for securing IoT data. 

ZTA is also gaining traction. Unlike traditional security models that assume trust once inside a network, ZTA continuously verifies every device and user.

Policy recommendations: Securing India’s IoT future

To establish a robust and secure IoT ecosystem in India, the following actionable policy recommendations must be urgently implemented:

Mandatory IoT security certification

India must introduce a comprehensive IoT security certification process that ensures all IoT devices meet stringent security standards before entering the market.

Mirroring the European Union’s Cybersecurity Act, this certification will mandate rigorous product security requirements. By doing so, India can bolster consumer confidence and shield its digital infrastructure from potential breaches, ensuring that IoT adoption grows safely and securely.

The EU's Cybersecurity Act has already shown success in protecting European consumers from vulnerabilities in connected devices. Implementing a similar framework in India would safeguard critical infrastructure, ranging from healthcare systems to smart city technologies, from malicious attacks.

Sector-specific regulations

Different sectors pose different levels of risk, and thus, sector-specific regulations for IoT devices must be established. IoT devices in critical sectors such as healthcare, finance and energy must comply with stricter security requirements than those used in consumer-grade smart homes.

Tailoring regulations to specific industries ensures that the highest-risk areas receive the necessary protection.

The 2021 cyberattack on IoT devices in Indian hospitals exposed sensitive patient data, highlighting the urgent need for stricter regulations in the healthcare sector. Critical infrastructure such as energy grids should be held to the highest security standards to prevent wide-scale disruptions.

Public–private collaboration

Effective IoT security requires a collaborative effort between government, industry and academia. Establishing a National IoT Security Task Force can facilitate this partnership by setting unified standards, sharing best practices, and coordinating a national approach to IoT cybersecurity.

This task force would also serve as a rapid-response unit for emerging IoT threats, providing a forum for continuous engagement among all stakeholders.

Similar models of public-private collaboration in cybersecurity, such as the Cybersecurity and Infrastructure Security Agency (CISA), have proven effective in setting industry-wide standards and providing timely threat intelligence.

Incentivising research and development

To position India as a global leader in IoT security, the government should provide incentives for research and development in advanced security technologies such as AI, blockchain and ZTA. By fostering innovation hubs dedicated to cybersecurity, India can drive technological advancements that protect its digital ecosystem and set new standards for the international community.

Establishing dedicated innovation zones for cybersecurity research would not only attract domestic talent but also encourage international collaboration, helping India remain at the forefront of the IoT security landscape.

Strengthening cybersecurity laws

Updating the IT Act, 2000, and the National Cyber Security Policy, 2013, is essential to address the specific threats posed by the rapidly expanding IoT ecosystem.

New provisions must be introduced to hold manufacturers accountable for the security of their devices, including penalties for non-compliance and mandatory security assessments before devices are released to the market.

The Supreme Court's landmark judgment in the Puttaswamy case noted that privacy was a fundamental right, highlighting the need for security frameworks that ensure personal data protection. The laws must now extend this protection to the IoT space.

Regular cybersecurity audits

IoT devices, especially those in critical infrastructure sectors, must undergo regular cybersecurity audits. The Computer Emergency Response Team (CERT-In) should oversee these audits to ensure compliance with national security standards, detect vulnerabilities and recommend immediate corrective actions. These audits will create a security-first culture within industries that depend heavily on IoT technologies.

In the European Union, regular security audits are a cornerstone of IoT device security management. India can adopt a similar approach by having a central body like CERT-In conduct or supervise these audits to minimise potential risks.

Conclusion: Balancing innovation and security

The potential of IoT to transform industries and improve lives is immense, but it comes with significant risks. Balancing innovation with security is crucial. By strengthening our legal framework, embracing advanced technologies, and fostering collaboration, India can create a secure and resilient IoT ecosystem.

The journey ahead is challenging, but with proactive measures and a commitment to security, we can turn the promise of IoT into a reality while safeguarding our digital future. The time to act is now—before the risks become realities we can no longer control.