Mandatory IoT Security In Britain

Uploaded on 2020-02-03 in GOVERNMENT-National, FREE TO VIEW, BUSINESS-Services-Law, BUSINESS-Services-IT & Telecoms, TECHNOLOGY--Developments, TECHNOLOGY-Key Areas-Internet of Things

The UK government has unveiled a new  IoT law designed to prohibit the sale of smart consumer products that fail to meet three strict security requirements.
 
In its proposal, the UK government noted that it expects 75 billion IoT devices to find their way into homes globally by the end of 2025.  This of course comes at the same time as the UK is allowing controversial 5G network manufacturer, Huawei  to become part of its IT systems network. 
 
The US government  has insisted that Huawei poses an electronic espionage risk and has urged other governments to remove Huawei equipment from mobile network infrastructure, especially as 5G deployment picks up momentum in Europe.
 
The new UK law requires manufacturers to ensure they have cyber security controls to their connected devices.and is aimed at addressing two key elements:  
 
  • First, the consumer’s privacy and safety.
  • Second, the threat of zombified IoTs being used to launch DDoS attacks and damaging the country’s economy. 
The three pillars of the new legislation are the following:
 
1. IoT device passwords must be unique and not resettable to any universal factory setting.
2. Manufacturers of IoT products provide a public point of contact as part of a vulnerability disclosure policy.
3. Manufacturers of IoT products must explicitly state the minimum length of time for which the device will receive security updates. 
 
The Draft Law, was announced on 27th January and requires  IoT device manufacturers to provide a public point of contact so that anyone can report a flaw, to be “acted on in a timely manner."
 
“Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety,” Matt Warman, UK Minister for Digital and Broadband, said in a statement. “It will mean robust security standards are built in from the design stage and not bolted on as an afterthought.”
 
The regulation was developed by the Department for Digital, Culture, Media and Sport after an extensive consultation period that kicked off in May 2019, when the UK announced it was accepting regulatory proposal for IoT security regulation. The UK government said that it aims to “deliver the legislation as soon as possible.”
 
Other IoT Regulation
The UK previously only had a voluntary “Secure by Design Code of Practice” for consumer IoT security, launched in 2018; however, this was a guidance and had no penalties for manufacturers who did not comply. However, several more solidified attempts at IoT security regulation do exist globally.
 
The closest of these to become law in the US is the California Senate Bill 327, which would require “reasonable security feature or features that are appropriate to the nature and function of the device.” SB-327, which was first proposed in 2018 and became law in January 2020. This was argued against by the security community, which said that it was a good first step but did not go far enough in regulating IoT security.
 
Over the past years, vulnerabilities in an array of devices have made headlines: including the smartwatch TicTocTrack, which was discovered to be plagued by security issues that could allow hackers to track and call children. In this respect, the UK Information Commissioner has recently introduced new standards for the protection of children's privacy
 
There have also been problems revealed in a popular smart deadbolt that could allow attackers to remotely unlock doors and break into homes; and flaws in more than 2 million IP security cameras, baby monitors and smart doorbells that could enable an attacker to hijack the devices and spy on their owners. Researchers continue to find basic security issues in IoT devices that are on the market. 
 
Threatpost:         Infosecuity Magazine:     TechNadu:       Gizmodo:       The Verge
 
You Might Also Read: 
 
Finland Has A Cyber Security Standard For IoT:
 
 
 
« The Worst Corporate Hacks In 2019 Could Have Been Prevented
Smart Cities Will Soon Be Under Attack »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Contrast Security

Contrast Security

Contrast Security is the leader in modernized application security, embedding code analysis and attack prevention directly into software.

SecureAuth

SecureAuth

SecureAuth delivers cutting edge identity and information security solutions for cloud, mobile, web, and VPN systems.

Logicalis

Logicalis

Logicalis are a leading provider of global IT solutions and managed services.

Digital Guardian

Digital Guardian

Digital Guardian is a next generation data protection platform designed to stop data theft.

SySS

SySS

SySS is a market leader in penetration testing in Germany and Europe.

Precise Biometrics

Precise Biometrics

Precise Biometrics develop and sell fingerprint software for convenient and secure authentication of people’s identity in mobile devices, smart cards and other products with fingerprint sensors.

Matrix42

Matrix42

Matrix42 software for digital workspace experience manages devices, applications, processes and services simple, secure and compliant.

SQN Banking Systems

SQN Banking Systems

SQN Banking Systems fraud detection software products are a critical step towards overcoming the growing problem of fraud across the various payment channels.

CYDES

CYDES

CYDES is the first event in Malaysia to showcase advanced solutions and technologies to address cyber defence and cyber security challenges for the public and private sectors.

Global Cybersecurity Association (GCA)

Global Cybersecurity Association (GCA)

GCA’s Symposium and conferences featuring global thought leaders and CISOs provide a global best practice perspective on cybersecurity.

OnSecurity

OnSecurity

OnSecurity replaces the overhead of traditional penetration testing firms with a simple online interface, making it easy to book tests as and when needed.

Abertay cyberQuarter

Abertay cyberQuarter

The Abertay cyberQuarter is a cybersecurity research and development centre housed within Abertay University.

CyberHub

CyberHub

CyberHub is an educational platform that offers professional courses and knowledge sharing through articles and videos to help students discover their potential in cybersecurity.

North Green Security

North Green Security

North Green Security is a UK-based cyber security training and consultancy company.

63Sats Cybertech

63Sats Cybertech

63SATS is the cybersecurity business unit of 63 Moons Technologies, a world leader in providing next-generation technology ventures, innovations, platforms, and solutions. 

SecureCyber

SecureCyber

Secure Cyber Defense offers industry-leading technology and managed detection and response solutions.