Cyber Security Regulations For Smart Devices

Uploaded on 2022-02-16 in GOVERNMENT-National, FREE TO VIEW, BUSINESS-Services-Law

The British government has introduced new legislation to Parliament that aims to better protect consumers’ IoT devices from hackers. The Culture Secretary Nadine Dorries has begun the debate on new law to strengthen cyber protections for people’s smartphones, TVs, speakers, routers and digital devices.

The proposed Product Security and Telecoms Infrastructure Bill (PSTI) places new cyber security standards on manufacturers, importers and distributors of Internet-connectable devices, such as phones, tablets, smart TVs and fitness trackers. The legislation will also apply to products that can connect to multiple other devices but not directly to the Internet, like smart light bulbs and smart thermostats.

These requirements include banning universal default passwords, forcing firms to be transparent about actions they are taking to fix security flaws in their products and creating a better public reporting system for any vulnerabilities discovered. In addition, these companies will have a duty to investigate compliance failures, produce statements of compliance and maintain appropriate records of this.

Failure to comply could result in heavy fines issued by a new regulator of up to £10m of 4% of their global turnover, as well as up to £20,000 a day in the case of an ongoing contravention. 

The regulator will also be given the power to require firms to comply with the security requirements, recall their products or stop selling or supplying them altogether. The legislation will empower the government to mandate further security requirements as new threats emerge. It will place new cyber security requirements on the manufacturers and sellers of consumer tech which can connect to the Internet or other devices. Manufacturers will have to be more transparent to customers about the length of time products will receive security updates for connectable products and create a better public reporting system for vulnerabilities found in those products.

The PSTI legislation will apply to ‘connectable’ products. This includes all devices which can access the Internet such as smartphones, smart TVs, games consoles, security cameras and alarm systems, smart toys and baby monitors, smart home hubs and voice-activated assistants, as well as smart home appliances like washing machines and fridges. It also applies to products which can connect to multiple other devices but not directly to the Internet. 

The bill will give ministers powers to put new requirements on the manufacturers, importers and distributors of consumer tech devices. These include:

  • Banning universal default passwords which are pre-set on devices - such as ‘password’ or ‘admin’ - and are an easy target for cyber criminals. Any preloaded product passwords will need to be unique and not resettable to universal factory settings.
  • Requiring device manufacturers to be transparent with consumers about how long they’ll provide security updates for products so people are clearer when they buy. If a product will not receive any security updates the customer must be informed.
  • Ensuring manufacturers have a readily available public point of contact to make it easier for software flaws and bugs to be reported.
  • The bill will also speed up the roll out of faster and more reliable broadband and mobile networks by making it easier for operators to upgrade and share infrastructure. 

A new regulatory organisation will be set up oversee the new cyber security regime and ensure that businesses comply with the measures in place. It will have the power to issue notices to companies requiring they comply with the security requirements, recall insecure products or stop selling or supplying them altogether.

The PSTI regulator will have enforcement powers to levy GDPR-style penalties and companies that fail to comply could be fined £10 million or 4% of their annual revenue, as well as up to £20,000 a day in the case of an ongoing contravention.

Matthew Evans, Director of Markets, TechUK commented: “Industry has long supported the shared ambition to improve the cyber resilience of devices and has worked with government across the Secure-By-Design agenda over the last five years... Most suppliers already adhere to the principles of the legislation and if implemented practically this will both protect consumers and ensure they have access to a wide range of connected devices.” 

The PSTI bill  has been broadly welcomed and the ban on default passwords especially has been widely commended by the cyber security industry as a “common sense” measure. However, criticism has been levelled against some measures, including  the ban on easy-to-guess passwords, as not having been haven’t been thought through and could potentially create new opportunities for threat actors to exploit.

The PSTI does encompass vehicles, smart meters, medical devices, and desktop or laptop computers that connect to the Internet, has given IoT manufacturers 12 months to change their working practices, which means that for the next year, many will continue to churn out inexpensive devices that might not adhere to the most basic of security standards.

The government described it as "a significant step" to protect the UK from hostile activity from both state actors or criminals.

Gov.UK:      Endgadget:    BBC:      Finacial Accountant:    Infosecurity Magazine:     Public Technology:     

DevOps Online:      Techcrunch:   

You Might Also Read:   

Britain's Cyber Security Strategy Focuses On Resilience:

 

« Qbot Malware Can Read Your Email
Ukraine Defence Ministry & Banks Under Cyber Attack »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Cyber Defense Media Group (CDMG)

Cyber Defense Media Group (CDMG)

CDMG is the leading global media group for all things cyber defense.

Hack in the Box Security Conference (HitBSecConf)

Hack in the Box Security Conference (HitBSecConf)

HITBSecConf is a platform for the discussion and dissemination of next generation computer security issues. Our events feature two days of training and a two-day multi-track conference

ZM CIRT

ZM CIRT

ZM CIRT is the national Computer Incident Response Team for Zambia.

ERNW

ERNW

ERNW is an independent IT Security service provider with a focus on consulting and testing in all areas of IT security.

Terranova Security

Terranova Security

Terranova is dedicated to providing information security awareness programs customized to your internal policies and procedures.

Lumen Technologies

Lumen Technologies

Lumen is an enterprise technology platform that enables companies to capitalize on emerging applications and power the 4th Industrial Revolution (4IR).

Emirates International Accreditation Center (EIAC)

Emirates International Accreditation Center (EIAC)

EIACI is the national accreditation body for the United Arab Emirates. The directory of members provides details of organisations offering certification services for ISO 27001.

SlowMist

SlowMist

SlowMist is a blockchain ecosystem security company providing cybersecurity audits and protection for leading digital asset exchanges, crypto wallets, public chains, and smart contracts.

DigiSec360

DigiSec360

DigiSec360 is a technology firm focused on the human element of cybersecurity.

EnigmaSoft

EnigmaSoft

EnigmaSoft is known for its PC anti-malware remediation utility and service under the tradename SpyHunter.

ADL Consulting

ADL Consulting

ADL Consulting provide information security-related consultancy and training support to businesses across the UK. Our services include ISO27001, GDPR, Cyber Essentials and training.

Lattice Semiconductor

Lattice Semiconductor

Lattice Semiconductor solves customer problems across the network, from the Edge to the Cloud, in the growing communications, computing, industrial, automotive and consumer markets.

Secure Diversity

Secure Diversity

Secure Diversity is an innovative non-profit organization with leaders that think out of the box to create strategies & solutions to increase diversity in the cybersecurity industry.

Abertay cyberQuarter

Abertay cyberQuarter

The Abertay cyberQuarter is a cybersecurity research and development centre housed within Abertay University.

Cytex

Cytex

Cytex is the All-in-One solution for SMB data protection & compliance needs.

ITConnexion

ITConnexion

ITConnexion is an Australian-based Managed IT Service with over 20 years of experience. We offer a complete IT management service for non-profits, SMEs, and enterprises.