AA+W - Fotolia
UK gears up for new laws on IoT security
The UK plans to introduce measures to require that basic cyber security features are built into internet-connected devices
The government is moving ahead with plans to ensure that internet-connected devices making up the internet of things (IoT) are better protected from cyber attacks.
The plans are aimed at ensuring basic cyber security features are built into products and that consumers get better information on how secure IoT devices.
Ahead of potential legislation, the government is launching a five-week public consultation on various issues, including a mandatory labelling scheme to tell consumers how secure IoT products such as “smart” TVs are, and mandatory security requirements for all IoT devices sold in the UK.
The public consultation is part of a wider evidence-based approach to create regulatory proposals for consumer IoT products.
The government plans envisage that retailers will be able to sell only products with an IoT security label that will attest to devices conforming to the top three security requirements set out in the IoT voluntary code of practice (CoP) published by the UK in October 2018.
Alternative options to the label that government is also consulting on would be to mandate retailers to not sell any products that do not adhere to the top three security requirements of the CoP.
The CoP is aimed at helping manufacturers boost the security of internet-connected devices. The of its kind in the world, the Secure by Design CoP was developed by the Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC). It has already been backed by Centrica Hive, HP, Geo and, more recently, Panasonic.
The top three security requirements set out in the CoP are that:
- IoT device passwords must be unique and not resettable to any universal factory setting.
- Manufacturers of IoT products provide a public point of contact as part of a vulnerability disclosure policy.
- Manufacturers explicitly state the minimum length of time for which the device will receive security updates through an end of life policy.
Following the consultation, the government plans to launch the security label as a voluntary scheme initially to help consumers identify products that have basic security features and those that do not.
Coinciding with the public consultation, the government has published a consumer survey report which tested various label designs with 6,482 UK consumers as part of helping to create a labelling scheme that was backed by evidence. The government has also updated its IoT guidance for consumers, which is available on the DCMS and NCSC websites.
Digital Minister Margot James said many consumer products that are connected to the internet are often found to be insecure, putting consumers’ privacy and security at risk.
“Our Code of Practice was the step towards making sure products have safety features built in from the design stage and not bolted on as an afterthought,” she said. “These new proposals will help to improve the safety of internet-connected devices and is another milestone in our bid to be a global leader in online safety.”
Read more about IoT security
- UK IoT research centre to tackle cyber risk.
- Unconfigured IoT is a security risk, warns researcher.
- Less than half of firms able to detect IoT breaches, study shows.
- BlackBerry licenses security tech to IoT device makers.
- IoT firms sign up to UK security code of practice.
The minister is scheduled to announce the consultation as the next phase in the government’s Secure by Design initiative at the Petras and Institution of Engineering and Technology (IET) Living in the Internet of Things conference in London.
The recently launched Petras 2 (privacy, ethics, trust, reliability, acceptability and security) IoT Centre of National Excellence is aimed at providing a significant boost to research about the collection and communication of data by IoT devices, and is part of the government initiative aimed at designing out cyber threats in IT hardware.
Ian Levy, NCSC technical director, said serious security problems in consumer IoT devices, such as pre-set unchangeable passwords, continue to be discovered.
“It’s unacceptable that these are not being fixed by manufacturers,” he said. “This innovative labelling scheme is good news for consumers, empowering them to make informed decisions about the technology they are bringing into their homes.”
Julian David, CEO of TechUK, said the tech industry association welcomes the publication of the government’s consultation on regulatory next steps for consumer IoT.
“We are pleased the security requirements outlined in the consultation are consistent with the Secure by Design code of practice and key industry standards that already exist for consumer IoT devices.
“This is an important first step in creating flexible and purposeful regulation that stamps out poor security practices, which techUK’s research shows can act as significant barriers on the take-up of consumer IoT devices,” he said.
“The proposals set out have the potential to positively impact the security of devices made across the world, and it is good to see the government is working with international partners to ensure a consistent approach to IoT security.”
The announcement of the consultation comes a day after a government roundtable on IoT security with global technology companies including Amazon, Philips, Panasonic, Samsung, Yale, Legrand and John Lewis. The government said it is working with international partners to ensure the guidelines drive a consistent approach to IoT security.
The proposals set out in the consultation have the potential to impact the security of devices made across the world to meet the UK’s future standards, the government said.
In February, ETSI, the European Standards Organisation, launched Technical specification 103 645, the first globally applicable industry standard on the cyber security of internet-connected consumer devices.
The ETSI specification builds on the Code of practice for consumer IoT security, but has been developed for wider European and global needs. Cybersecurity Tech Accord signatories endorsed the ETSI specification in March 2019.