UK government unveils new details for IoT security standards
The proposals set forward by the Department of Digital, Culture, Media and Sport are now open for feedback, with the intention to lead the world on consumer IoT security standards.
July 16, 2020
The proposals set forward by the Department of Digital, Culture, Media and Sport are now open for feedback, with the intention to lead the world on consumer IoT security standards.
Although the technology industry is rapidly connecting everything it possibly can, little thought has been afforded to digital security. This is hardly a surprise, security is often an afterthought, though the UK Government is stepping in to effectively force IoT product manufacturers and the software service providers to offer adequate protections.
These proposals will include new standards for security, rules for customer information and the creation of a new enforcement agency which will have the power to ban sales of products.
“This is a significant step forward in our plans to help make sure smart products are secure and people’s privacy is protected,” said Digital Infrastructure Minister Matt Warman. “I urge organisations to respond to these proposals so we can make the UK the safest place to be online with pro-innovation regulation that inspires consumer confidence in our tech products. People should continue to change default passwords on their smart devices and regularly update software to help protect themselves from cyber criminals.”
“People are at risk because fundamental security flaws in their connected devices are often not fixed – and manufacturers need to take this seriously,” said National Cyber Security Centre Technical Director Dr Ian Levy. “We would encourage all consumer device manufacturers to make their views heard and help us ensure the technology people bring into their homes is as safe and secure as possible.”
The new standard will start with three important rules:
Device passwords must be unique and not resettable to any universal factory setting
Manufacturers must provide a public point of contact so anyone can report a vulnerability
Information stating the minimum length of time for which the device will receive security updates must be provided to customers
These are the minimum standards which will be accepted under the new approach for consumer IoT security, though more may be introduced. Failure to meet these rules, or any new ones which emerge from the consultation period, would see the company square up the new enforcement authority which could have the power to:
Temporarily ban the supply or sale of the product while tests are undertaken
Permanently ban insecure products, if a breach of the regulations is identified
Serve a recall notice, compelling manufacturers or retailers to take steps to organise the return of the insecure product from consumers
Apply to the court for an order for the confiscation or destruction of a dangerous product
Issue a penalty notice imposing a fine directly on a business
As the idea of IoT becomes more normalised, and connectivity is embedded in more products as standard, the importance of cybersecurity will exponentially increase. The Government believes that of the 20 billion IoT devices which are operational worldwide today, only 13% are adequately protected. This is a very worrying proportion.
Unfortunately, the industry has shown it is not capable of delivering security (or privacy for that matter) on its own, therefore Government intervention is needed. The UK Government should be applauded for its efforts to create a minimum standard for consumer IoT products, and one would hope other nations would follow the lead.
About the Author
You May Also Like