Ofcom publishes plan to support UK internet of things

With 40 million devices already connected, telecoms regulator Ofcom has published plans to put the UK at the forefront of technological evolution

With 40 million devices already connected via the internet of things (IoT) in the UK, telecoms regulator Ofcom has published plans to put the country at the forefront of technological evolution.

This number is expected to increase to around 320 million in the UK alone by 2022, with the IoT a major driver of investment and innovation in the communications sector.

The regulator wants the UK to play a leading role in developing the IoT, and to ensure this is done with security in mind and that enough spectrum is available.

The plan is in response to a consultation launched in July 2014 and addresses several key areas including data privacy, spectrum availability, network security and resilience, and network addresses.

Ofcom has pledged to work with the government, the information commissioner’s office, other regulators and industry to support the progress of IoT nationally and internationally.

The plan aims to create a regulatory environment that fosters investment and innovation in IoT, which is expected to see billions of devices connected to the internet and each other.

Some estimates put the number of IoT devices worldwide at one trillion by 2020, but research firm Ovum believes that 30 to 50 billion is a much more realistic estimate.

Applications of IoT technologies range from wirelessly connected sensors used for smart farming – where fertiliser and water are automatically distributed across a farm to increase efficiency – to intelligent traffic management systems and smart energy grids, which match power generated to consumers’ electricity needs.

Many IoT devices will communicate wirelessly, making the availability of spectrum an important factor.

Ofcom’s analysis has shown much of the IoT’s short to medium-term spectrum demands are met with current initiatives.

In 2014, Ofcom made spectrum available in the 870/915MHz bands and liberalised licence conditions for existing mobile bands.

Ofcom also noted some IoT devices could make use of the spectrum at 2.4 and 5GHz, which is used by a range of services including Wi-Fi. However, as the IoT sector develops there may be a need for additional spectrum in the longer term, in particular below 1GHz.

Ofcom has pledged to continue to monitor IoT spectrum use, in particular in licence-exempt bands, to help identify when additional spectrum may be needed.

Protection of personal information key to IoT development

Protection of individuals’ personal information is a key part of the development of the IoT and will be covered under existing legislation, such as the Data Protection Act 1998.

However, traditional approaches to data privacy may have limitations in the context of the IoT, and Ofcom has undertaken to work with other stakeholders to explore solutions to data privacy issues.

As IoT becomes ubiquitous, secure and reliable networks and data storage will become increasingly important.

For this reason, Ofcom has undertaken to investigate how its existing activities on security and resilience of the UK’s communications networks can include the IoT.

Security experts have raised concerns about security weaknesses in IoT devices, in particular with regard to industrial control systems in critical infrastructures that are increasingly using IoT technologies.

A recent survey revealed 88% of IT professionals and executives in the energy, retail and financial sectors are not confident in the secure configuration of their industrial controllers.

Nearly a quarter of critical infrastructure employees polled said they had already connected an IoT device to their company network.

And fewer than one in four IT professionals are confident in the secure configuration of IoT devices that are already on enterprise networks.

These IoT devices include internet phones, sensors for physical security, smart controllers for lights, heating, ventilation and air conditioning, point-of-sale devices and industrial controllers. 

Ofcom monitoring IPv6 connectivity progress 

IoT services are also likely to use bespoke addressing systems or addresses based on the internet standard known as IPv6, the latest version of the internet protocol which is able to support connections between a significantly greater number of devices.

To support this, Ofcom will continue to monitor the progress already being made by internet service providers in supporting IPv6 connectivity.

Ofcom’s plan is aimed at ensuring the UK has the tools and infrastructure to allow the IoT to develop unhindered.

To support this, Ofcom has already released spectrum for machine-to-machine uses, making the UK among the first countries in Europe to do so.

Ofcom chief executive Steve Unger said the internet of things will bring benefits to a range of sectors and has the potential to change the way people live their lives.

“As a result of this growth, we have listened closely to the industry and want to develop a framework for this technology to evolve in a way which will ultimately benefit citizens and consumers,” he said.

Publication of the Ofcom plan coincides with the release of a report on IoT by the US Federal Trade Commission (FTC).

The report recognises the potential benefits of IoT, but urges US companies to adopt best practices to address consumer privacy and security risks.

IoT security recommendations

The FTC recommends a series of concrete steps that businesses can take to enhance and protect consumers’ privacy and security.

FTC chairwoman Edith Ramirez said the only way for the IoT to reach its full innovation potential is with the trust of consumers.

“We believe that by adopting the best practices we’ve laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the internet of things to be fully realised,” she said.

The report includes the following recommendations for companies developing IoT devices:

  • build security into devices at the outset, rather than as an afterthought in the design process;
  • train employees about the importance of security, and ensure security is managed at an appropriate level in the organisation;
  • ensure that, when outside service providers are hired, those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers;
  • when a security risk is identified, consider a defence-in-depth strategy whereby multiple layers of security may be used to defend against a particular risk;
  • consider measures to keep unauthorised users from accessing a consumer’s device, data or personal information stored on the network;
  • monitor connected devices throughout their expected life cycle and, where feasible, provide security patches to cover known risks.

Commission staff also recommend that companies consider data minimisation, limiting the collection of consumer data, and retaining that information only for a set period of time.

The FTC also recommends companies notify consumers and give them choices about how their information will be used, particularly when the data collection is beyond consumers’ reasonable expectations.

On the topic of legislation, the FTC agrees with many stakeholders that any IoT-specific legislation would be premature at this point in time given the rapidly evolving nature of the technology.

However, the report reiterates the FTC’s repeated call for strong data security and breach notification legislation.