After a seven-month study with participation from the National Cyber Security Centre (NCSC), academics and retailers, the UK government has proposed the development of new IoT security regulations.
The UK Department for Digital, Culture, Media and Sport released a draft proposal and consultation outcome this Monday titled, “Government response to the Regulatory proposals for consumer Internet of Things (IoT) security consultation.”
Previously the UK has relied on voluntary measures for IoT cybersecurity; however, such devices are at high risk of attack and their security has been repeatedly questioned. ThreatPost, for example, reports on US findings that 82% of connected medical devices had been targeted by cyberattackers in the past year.
The report notes that the number of IoT devices in use is expected to be more than 75 billion by 2025. This massively widens the scope of attack for cybercriminals, especially if such devices aren’t as well protected as the business networks they are connected to. The consumer threat is also very real.
Matt Warman, the UK minister for Digital and Broadband at the Department for Digital, Culture, Media and Sport says the increasing number of IoT devices and the related security risks need an alternative to the current status quo. Warman outlines:
“Whilst the U.K. government has previously encouraged industry to adopt a voluntary approach, it is now clear that decisive action is needed to ensure that strong cyber security is built into these products by design. Citizens’ privacy and safety must not be put at risk because some manufacturers will not take responsibility for ensuring that security is built into their products before they reach UK consumers.”
Warman warns that, “there is a risk that any compromised vulnerability within a device could result in real harm. Therefore urgent joint Government and industry action is required to address these challenges.”
He stresses that IoT products should be “secure by design,” and that 90% of the 331 manufacturers supplying IoT devices to the UK market assessed in 2018 “did not possess a comprehensive vulnerability disclosure programme up to the level we would expect.” He adds:
“Breaches involving connected devices are increasingly becoming common, simply because manufacturers had not built important security requirements, such as using unique credentials, into their products.”
The UK government department’s consultation on the regulation of IoT devices builds on the Code of Practice for Consumer IoT Security that was published in 2019. The department has also been working globally to “create international alignment on IoT security.” Warman’s team is advocating a “staged approach” to enforcing better IoT cybersecurity principles, “through regulation – starting with ensuring stronger security is built into products.”
Under the proposed laws IoT device manufacturers will need to ensure all devices have a unique password not able to be reset to a universal factory setting and provide a public support point for the reporting of vulnerabilities. Makers will also need to give guidance on when security updates for their IoT devices will be released. Warman says:
“Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety.”
According to BankInfoSecurity, Brian Honan, president of the Dublin-based cybersecurity consultancy BH Consulting, says:
“The rules do not cover all aspects of IoT security and indeed the U.K. government acknowledges this by stating the rules are no silver bullet. Hopefully, over time this will evolve.”
Honan suggests the UK government should also look to do more to secure the systems that IoT devices create.
Ken Munro, partner at Pen Test Partners, told ThreatPost that “there is clearly broad support for the proposed regulation of consumer smart devices, however without swift legislation this is just another meaningless consultation.” Munro adds:
“The government needs to act now to help protect us from smart device manufacturers who play fast and loose with our privacy, safety and security. I’m supportive of the government’s proposed legislation, so long as it is the first step on a path towards wide-ranging, robust regulation of the internet of things.”
According to the BBC, a spokesperson from the Department for Digital, Culture, Media and Sport was unable to confirm when the proposed legislation would be ready.
The published consultation document says the next steps for developing legislation will be to “conduct further stakeholder engagement,” in order to develop, “regulatory options.” The continued work by the UK government department will lead to the publishing of a “final stage regulatory impact assessment later in 2020.”
While any legislation is still at the consultation stage, the cyber threat to IoT devices and the networks they connect to remains. For consumer cybersecurity much of the onus, at least initially, will be on the manufacturer. For organisations the situation is quite different.
Though the ideal is for businesses to buy devices with better security built in, the reality is that every organisation is responsible for its own cybersecurity. Connecting an IoT device to a business network should be taken at least as seriously as connecting a new PC, installing new software, or moving files to the cloud.
Cybersecurity strategy and threat protection systems should encompass every device, whether IoT, mobile, POS or otherwise. Employees who use such devices should be educated about the risks they pose and the cyberattacks that can occur through them.
Kaspersky, late last year, released a report that revealed the cybersecurity company had found 105 million attacks on IoT devices in the first half of 2019.