Cyber Security Regulations For Smart Devices

The British government has introduced new legislation to Parliament that aims to better protect consumers’ IoT devices from hackers. The Culture Secretary, Nadine Dorries, has opened the debate on a new law to strengthen cyber protections for people’s smartphones, TVs, speakers, routers and other digital devices.

The proposed Product Security and Telecoms Infrastructure Bill (PSTI) places new cyber security standards on manufacturers, importers and distributors of Internet-connectable devices, such as phones, tablets, smart TVs and fitness trackers. The legislation will also apply to products that can connect to multiple other devices but not directly to the Internet, like smart light bulbs and smart thermostats.

These requirements include banning universal default passwords, forcing firms to be transparent about actions they are taking to fix security flaws in their products and creating a better public reporting system for any vulnerabilities discovered. In addition, these companies will have a duty to investigate compliance failures, produce statements of compliance and maintain appropriate records of this.

Failure to comply could result in heavy fines issued by a new regulator of up to £10m or 4% of global turnover (whichever is higher), as well as up to £20,000 a day in the case of an ongoing contravention.

The regulator will also be given the power to require firms to comply with the security requirements, to recall their products, or to stop selling or supplying them altogether. The legislation will empower the government to mandate further security requirements as new threats emerge. Manufacturers will have to be transparent with customers about how long a connectable product will receive security updates, and will have to provide a better public reporting system for vulnerabilities found in those products.

The PSTI legislation will apply to ‘connectable’ products. This includes all devices which can access the Internet such as smartphones, smart TVs, games consoles, security cameras and alarm systems, smart toys and baby monitors, smart home hubs and voice-activated assistants, as well as smart home appliances like washing machines and fridges. It also applies to products which can connect to multiple other devices but not directly to the Internet. 

The bill will give ministers powers to put new requirements on the manufacturers, importers and distributors of consumer tech devices. These include:

  • Banning universal default passwords which are pre-set on devices - such as ‘password’ or ‘admin’ - and are an easy target for cyber criminals. Any preloaded product passwords will need to be unique and not resettable to universal factory settings.
  • Requiring device manufacturers to be transparent with consumers about how long they’ll provide security updates for products so people are clearer when they buy. If a product will not receive any security updates the customer must be informed.
  • Ensuring manufacturers have a readily available public point of contact to make it easier for software flaws and bugs to be reported.
  • Separately, the bill will also speed up the roll-out of faster and more reliable broadband and mobile networks by making it easier for operators to upgrade and share infrastructure. 

A new regulatory organisation will be set up to oversee the new cyber security regime and ensure that businesses comply with the measures in place. It will have the power to issue notices to companies requiring them to comply with the security requirements, recall insecure products, or stop selling or supplying them altogether.

The PSTI regulator will have enforcement powers to levy GDPR-style penalties and companies that fail to comply could be fined £10 million or 4% of their annual revenue, as well as up to £20,000 a day in the case of an ongoing contravention.

Matthew Evans, Director of Markets, TechUK commented: “Industry has long supported the shared ambition to improve the cyber resilience of devices and has worked with government across the Secure-By-Design agenda over the last five years... Most suppliers already adhere to the principles of the legislation and if implemented practically this will both protect consumers and ensure they have access to a wide range of connected devices.” 

The PSTI bill has been broadly welcomed, and the ban on default passwords in particular has been widely commended by the cyber security industry as a “common sense” measure. However, some measures, including the ban on easy-to-guess passwords, have been criticised as not having been thought through and as potentially creating new opportunities for threat actors to exploit.

The PSTI does not encompass vehicles, smart meters, medical devices, or desktop and laptop computers that connect to the Internet. It also gives IoT manufacturers 12 months to change their working practices, which means that for the next year many will continue to churn out inexpensive devices that may not adhere to the most basic security standards.

The government described it as "a significant step" to protect the UK from hostile activity by both state actors and criminals.

Sources: Gov.UK, Engadget, BBC, Financial Accountant, Infosecurity Magazine, Public Technology, DevOps Online, TechCrunch
