Mandatory IoT Security In Britain

The UK government has unveiled a new  IoT law designed to prohibit the sale of smart consumer products that fail to meet three strict security requirements.
 
In its proposal, the UK government noted that it expects 75 billion IoT devices to find their way into homes globally by the end of 2025.  This of course comes at the same time as the UK is allowing controversial 5G network manufacturer, Huawei  to become part of its IT systems network. 
 
The US government  has insisted that Huawei poses an electronic espionage risk and has urged other governments to remove Huawei equipment from mobile network infrastructure, especially as 5G deployment picks up momentum in Europe.
 
The new UK law requires manufacturers to ensure they have cyber security controls to their connected devices.and is aimed at addressing two key elements:  
 
  • First, the consumer’s privacy and safety.
  • Second, the threat of zombified IoTs being used to launch DDoS attacks and damaging the country’s economy. 
The three pillars of the new legislation are the following:
 
1. IoT device passwords must be unique and not resettable to any universal factory setting.
2. Manufacturers of IoT products provide a public point of contact as part of a vulnerability disclosure policy.
3. Manufacturers of IoT products must explicitly state the minimum length of time for which the device will receive security updates. 
 
The Draft Law, was announced on 27th January and requires  IoT device manufacturers to provide a public point of contact so that anyone can report a flaw, to be “acted on in a timely manner."
 
“Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety,” Matt Warman, UK Minister for Digital and Broadband, said in a statement. “It will mean robust security standards are built in from the design stage and not bolted on as an afterthought.”
 
The regulation was developed by the Department for Digital, Culture, Media and Sport after an extensive consultation period that kicked off in May 2019, when the UK announced it was accepting regulatory proposal for IoT security regulation. The UK government said that it aims to “deliver the legislation as soon as possible.”
 
Other IoT Regulation
The UK previously only had a voluntary “Secure by Design Code of Practice” for consumer IoT security, launched in 2018; however, this was a guidance and had no penalties for manufacturers who did not comply. However, several more solidified attempts at IoT security regulation do exist globally.
 
The closest of these to become law in the US is the California Senate Bill 327, which would require “reasonable security feature or features that are appropriate to the nature and function of the device.” SB-327, which was first proposed in 2018 and became law in January 2020. This was argued against by the security community, which said that it was a good first step but did not go far enough in regulating IoT security.
 
Over the past years, vulnerabilities in an array of devices have made headlines: including the smartwatch TicTocTrack, which was discovered to be plagued by security issues that could allow hackers to track and call children. In this respect, the UK Information Commissioner has recently introduced new standards for the protection of children's privacy
 
There have also been problems revealed in a popular smart deadbolt that could allow attackers to remotely unlock doors and break into homes; and flaws in more than 2 million IP security cameras, baby monitors and smart doorbells that could enable an attacker to hijack the devices and spy on their owners. Researchers continue to find basic security issues in IoT devices that are on the market. 
 
Threatpost:         Infosecuity Magazine:     TechNadu:       Gizmodo:       The Verge
 
You Might Also Read: 
 
Finland Has A Cyber Security Standard For IoT:
 
 
 
« The Worst Corporate Hacks In 2019 Could Have Been Prevented
Smart Cities Will Soon Be Under Attack »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

AlgoSec

AlgoSec

The AlgoSec platform enables the world’s most complex organizations to gain visibility, reduce risk and process changes at zero-touch across the hybrid network.

CCL Solutions Group

CCL Solutions Group

CCL is one of Europe’s leading digital investigation specialists, supporting law enforcement, government and organisations across both public and private sectors.

Avanan

Avanan

Avanan is The Cloud Security Platform. Protect all your SaaS applications using tools from over 60 industry-leading vendors in just one click.

Cyber Security Research Centre - University of Cardiff

Cyber Security Research Centre - University of Cardiff

Cardiff University's Centre for Cyber Security Research is a leading UK academic research unit for cyber security analytics.

Axiad IDS

Axiad IDS

Axiad IDS is a Trusted Identity solutions provider for enterprise, government and financial organizations.

GreyCampus

GreyCampus

GreyCampus is a leading provider of training for working professionals in the areas of Project Management, Big Data, Data Science, Service Management, Quality Management and Information Security.

International Consortium of Minority Cybersecurity Professionals (ICMCP)

International Consortium of Minority Cybersecurity Professionals (ICMCP)

ICMCP was launched to help bridge the ‘great cyber divide’ that results from the underrepresentation of minorities and women in the field of cyber security.

Egyptian Supreme Cybersecurity Council (ESCC)

Egyptian Supreme Cybersecurity Council (ESCC)

ESCC is responsible for developing a national strategy to face and respond to the cyber threats and attacks and to oversee its implementation and update.

Oznet Cyber Security

Oznet Cyber Security

Oznet Cyber Security is dedicated to offering integral solutions oriented to the support and security of information.

Kingsley Napley

Kingsley Napley

Cyber crime is an area of growing legal complexity. Our team of cyber crime lawyers have vast experience of the law in this area.

CyCognito

CyCognito

CyCognito empowers companies to take full control over their attack surface by uncovering and eliminating the critical security risks they didn't even know existed.

Digitale Gründerinitiative Oberpfalz (DGO)

Digitale Gründerinitiative Oberpfalz (DGO)

Digital Founder Initiative Oberpfalz's goal is to build a sustainable start-up culture in the field of digitization throughout the Upper Palatinate district of Bavaria.

Vala Secure

Vala Secure

Vala Secure is a cybersecurity and compliance consultancy that always stays ahead of regulations, future threats and ever-changing security environments.

Logically.ai

Logically.ai

Logically combines artificial intelligence with expert analysts to tackle harmful and manipulative content at speed and scale.

Censinet

Censinet

Censinet provides the first and only third-party risk management platform for healthcare organizations to manage the threats to patient care that exist within an expanding ecosystem.

JLS Technology

JLS Technology

Since 2007, JLS Tech has been recognized as one of the world’s most innovative cybersecurity and technology operations leaders.