UK Government Tightens Law Around IoT Cybersecurity

Last week, digital minister Matt Warman, announced a new law that will force smart device manufacturers to adhere to a set of strict IoT cybersecurity requirements.

“We want to make the UK the safest place to be online with pro-innovation regulation that breeds confidence in modern technology,” stated Warman.

“Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety.

“It will mean robust security standards are built in from the design stage and not bolted on as an afterthought.”

As proposed in the initial DCMS consultation that happened in the spring of 2019, the new legislation will encompass three critical rules:

  • That IoT device manufacturers must have a public point of contact for anybody to report a vulnerability, and that reports are quickly acted upon
  • That all consumer IoT device passwords must be unique and not resettable to any factory setting
  • That manufacturers must explicitly state a minimum length of time for which devices will receive security patches when sold

These measures were created after also gathering input from industry and the NCSC (National Cyber Security Centre). DCMS said that they would be setting new standards for best practice requirements for all those that make and sell smart, connected devices to customers.

This new legislation builds on a voluntary Secure by Design code of practice for consumer IoT good. This was introduced by the government in 2018. A first of its kind globally, the code sets the standard for tougher security measures to be designed and ingrained in IoT products.

ETSI (European standards body) has also published a globally applicable standard based on the UK’s standard. DCMS said the government planned on further developing legislation that protects customer more effectively, supports the long-term growth of IoT and is easily implemented by end-users.

Policy and communications director at the NSCS, Nicola Hudson, said the legislation should be widely welcomed saying “It will give shoppers increased peace of mind that the technology they are bringing into their homes is safe, and that issues such as pre-set passwords and sudden discontinuation of security updates are a thing of the past.”

“Consumer IoT devices can deliver real benefits to individuals and society, but TechUK’s research shows that concerns over poor security practices act as a significant barrier to their take-up,” said Matthew Evans, director of markets at TechUK.

He added, “TechUK is therefore supportive of the government’s commitment to legislate for cyber security to be built into consumer IoT products from the design stage. TechUK has been working on these three principles for the past four years.”

John Moor, managing director of the IoT Security Foundation went on to say that over the last five years, there has been a lot of concern voiced regarding vulnerable consumers and inadequate IoT cybersecurity protection.

He went on to add, “Understanding the complex nature of IoT security and determining the minimum requirements has been a challenge, yet after a thorough and robust consultation, those baseline requirements have now been universally agreed.

“The IoT Security Foundation welcomes the results of the consultation as it not only provides clarity for industry, but is great news for consumers and bad news for hackers.”

Some of the biggest risks exist to companies where employees bring their own IoT connected devices into the workplace. This practice could put organisations at risk from cyberattacks because enterprise security teams aren’t always aware that these devices are linked to the network.

Are you looking for a new challenge in the Dynamics 365 or Salesforce industry? Click here to see our vacancies.