Cyber Security Regulations For Smart Devices

Uploaded on 2022-02-16 in GOVERNMENT-National, FREE TO VIEW, BUSINESS-Services-Law

The British government has introduced new legislation to Parliament that aims to better protect consumers’ IoT devices from hackers. The Culture Secretary Nadine Dorries has begun the debate on new law to strengthen cyber protections for people’s smartphones, TVs, speakers, routers and digital devices.

The proposed Product Security and Telecoms Infrastructure Bill (PSTI) places new cyber security standards on manufacturers, importers and distributors of Internet-connectable devices, such as phones, tablets, smart TVs and fitness trackers. The legislation will also apply to products that can connect to multiple other devices but not directly to the Internet, like smart light bulbs and smart thermostats.

These requirements include banning universal default passwords, forcing firms to be transparent about actions they are taking to fix security flaws in their products and creating a better public reporting system for any vulnerabilities discovered. In addition, these companies will have a duty to investigate compliance failures, produce statements of compliance and maintain appropriate records of this.

Failure to comply could result in heavy fines issued by a new regulator of up to £10m of 4% of their global turnover, as well as up to £20,000 a day in the case of an ongoing contravention. 

The regulator will also be given the power to require firms to comply with the security requirements, recall their products or stop selling or supplying them altogether. The legislation will empower the government to mandate further security requirements as new threats emerge. It will place new cyber security requirements on the manufacturers and sellers of consumer tech which can connect to the Internet or other devices. Manufacturers will have to be more transparent to customers about the length of time products will receive security updates for connectable products and create a better public reporting system for vulnerabilities found in those products.

The PSTI legislation will apply to ‘connectable’ products. This includes all devices which can access the Internet such as smartphones, smart TVs, games consoles, security cameras and alarm systems, smart toys and baby monitors, smart home hubs and voice-activated assistants, as well as smart home appliances like washing machines and fridges. It also applies to products which can connect to multiple other devices but not directly to the Internet. 

The bill will give ministers powers to put new requirements on the manufacturers, importers and distributors of consumer tech devices. These include:

  • Banning universal default passwords which are pre-set on devices - such as ‘password’ or ‘admin’ - and are an easy target for cyber criminals. Any preloaded product passwords will need to be unique and not resettable to universal factory settings.
  • Requiring device manufacturers to be transparent with consumers about how long they’ll provide security updates for products so people are clearer when they buy. If a product will not receive any security updates the customer must be informed.
  • Ensuring manufacturers have a readily available public point of contact to make it easier for software flaws and bugs to be reported.
  • The bill will also speed up the roll out of faster and more reliable broadband and mobile networks by making it easier for operators to upgrade and share infrastructure. 

A new regulatory organisation will be set up oversee the new cyber security regime and ensure that businesses comply with the measures in place. It will have the power to issue notices to companies requiring they comply with the security requirements, recall insecure products or stop selling or supplying them altogether.

The PSTI regulator will have enforcement powers to levy GDPR-style penalties and companies that fail to comply could be fined £10 million or 4% of their annual revenue, as well as up to £20,000 a day in the case of an ongoing contravention.

Matthew Evans, Director of Markets, TechUK commented: “Industry has long supported the shared ambition to improve the cyber resilience of devices and has worked with government across the Secure-By-Design agenda over the last five years... Most suppliers already adhere to the principles of the legislation and if implemented practically this will both protect consumers and ensure they have access to a wide range of connected devices.” 

The PSTI bill  has been broadly welcomed and the ban on default passwords especially has been widely commended by the cyber security industry as a “common sense” measure. However, criticism has been levelled against some measures, including  the ban on easy-to-guess passwords, as not having been haven’t been thought through and could potentially create new opportunities for threat actors to exploit.

The PSTI does encompass vehicles, smart meters, medical devices, and desktop or laptop computers that connect to the Internet, has given IoT manufacturers 12 months to change their working practices, which means that for the next year, many will continue to churn out inexpensive devices that might not adhere to the most basic of security standards.

The government described it as "a significant step" to protect the UK from hostile activity from both state actors or criminals.

Gov.UK:      Endgadget:    BBC:      Finacial Accountant:    Infosecurity Magazine:     Public Technology:     

DevOps Online:      Techcrunch:   

You Might Also Read:   

Britain's Cyber Security Strategy Focuses On Resilience:

 

« Qbot Malware Can Read Your Email
Ukraine Defence Ministry & Banks Under Cyber Attack »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

ShadowDragon

ShadowDragon

ShadowDragon develops digital tools that simplify the complexities of modern investigations that involve multiple online environments and technologies.

DataProtect

DataProtect

DataProtect is a specialized information security company providing consultancy, information management, integration and training services.

Infosec (T)

Infosec (T)

Infosec (T) Limited is an independent Tanzania based consultancy specializing in IT governance, information security and IT audit.

IBA Security

IBA Security

IBA Security is a center of competence consolidating the cybersecurity expertise of the IBA Group.

InnoValor

InnoValor

InnoValor realises value from digital innovation for organisations and government. We provide advisory services and develop innovative software solutions, based on our background in research.

Strategic Cyber Ventures (SCV)

Strategic Cyber Ventures (SCV)

SCV grow cybersecurity companies that disrupt advanced cyber adversaries and revolutionize the cyber product marketplace.

CyberCX

CyberCX

CyberCX provides services from strategic consulting, security testing and training to world-class managed services and engineering solutions.

InfoExpress

InfoExpress

InfoExpress provides network security solutions that enhance productivity and security through better visibility, improved security, and automating device and mobile access to the network.

Lionfish Cyber Security

Lionfish Cyber Security

Lionfish Cyber Evolution & Empowerment Model™ empowers SMBs to prepare and protect themselves against cyber threats using a unique combination of on-demand training, support and managed services.

Institute for Security and Technology (IST)

Institute for Security and Technology (IST)

The Institute for Security and Technology's goal is to provide the tools and insights needed for companies and governments to outpace emerging global security threats.

Lancera

Lancera

Lancera provides growth accelerating Software Development, Web Presence and Cybersecurity Solutions with a focus on customer happiness.

Tozny

Tozny

Tozny offers products with security and privacy in mind that are built on the foundation of end-to-end encryption, and open-source verifiable software.

Frontier Technology Inc. (FTI)

Frontier Technology Inc. (FTI)

Frontier Technology Inc provides the technology and deep data expertise to drive the best defense and intelligence solutions.

Icon Information Systems (ICONIS)

Icon Information Systems (ICONIS)

ICONIS is an integrated infrastructure and service provider, offering unified Information Technology (IT) solutions globally.

Cypherleak

Cypherleak

Cypherleak provide Automated Cyber Risk Monitoring & Ai powered cyber recommendations.

Cyber Overwatch

Cyber Overwatch

Cyber Overwatch holds your hand, giving you the tools to detect threats, monitor your cyber footprint, and secure your organisation, before attackers strike.