Mandatory IoT Security In Britain

The UK government has unveiled a new  IoT law designed to prohibit the sale of smart consumer products that fail to meet three strict security requirements.
 
In its proposal, the UK government noted that it expects 75 billion IoT devices to find their way into homes globally by the end of 2025.  This of course comes at the same time as the UK is allowing controversial 5G network manufacturer, Huawei  to become part of its IT systems network. 
 
The US government  has insisted that Huawei poses an electronic espionage risk and has urged other governments to remove Huawei equipment from mobile network infrastructure, especially as 5G deployment picks up momentum in Europe.
 
The new UK law requires manufacturers to ensure they have cyber security controls to their connected devices.and is aimed at addressing two key elements:  
 
  • First, the consumer’s privacy and safety.
  • Second, the threat of zombified IoTs being used to launch DDoS attacks and damaging the country’s economy. 
The three pillars of the new legislation are the following:
 
1. IoT device passwords must be unique and not resettable to any universal factory setting.
2. Manufacturers of IoT products provide a public point of contact as part of a vulnerability disclosure policy.
3. Manufacturers of IoT products must explicitly state the minimum length of time for which the device will receive security updates. 
 
The Draft Law, was announced on 27th January and requires  IoT device manufacturers to provide a public point of contact so that anyone can report a flaw, to be “acted on in a timely manner."
 
“Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety,” Matt Warman, UK Minister for Digital and Broadband, said in a statement. “It will mean robust security standards are built in from the design stage and not bolted on as an afterthought.”
 
The regulation was developed by the Department for Digital, Culture, Media and Sport after an extensive consultation period that kicked off in May 2019, when the UK announced it was accepting regulatory proposal for IoT security regulation. The UK government said that it aims to “deliver the legislation as soon as possible.”
 
Other IoT Regulation
The UK previously only had a voluntary “Secure by Design Code of Practice” for consumer IoT security, launched in 2018; however, this was a guidance and had no penalties for manufacturers who did not comply. However, several more solidified attempts at IoT security regulation do exist globally.
 
The closest of these to become law in the US is the California Senate Bill 327, which would require “reasonable security feature or features that are appropriate to the nature and function of the device.” SB-327, which was first proposed in 2018 and became law in January 2020. This was argued against by the security community, which said that it was a good first step but did not go far enough in regulating IoT security.
 
Over the past years, vulnerabilities in an array of devices have made headlines: including the smartwatch TicTocTrack, which was discovered to be plagued by security issues that could allow hackers to track and call children. In this respect, the UK Information Commissioner has recently introduced new standards for the protection of children's privacy
 
There have also been problems revealed in a popular smart deadbolt that could allow attackers to remotely unlock doors and break into homes; and flaws in more than 2 million IP security cameras, baby monitors and smart doorbells that could enable an attacker to hijack the devices and spy on their owners. Researchers continue to find basic security issues in IoT devices that are on the market. 
 
Threatpost:         Infosecuity Magazine:     TechNadu:       Gizmodo:       The Verge
 
You Might Also Read: 
 
Finland Has A Cyber Security Standard For IoT:
 
 
 
« The Worst Corporate Hacks In 2019 Could Have Been Prevented
Smart Cities Will Soon Be Under Attack »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Security Innovation

Security Innovation

Security Innovation is a leader in software security assessments and application security training to top organizations worldwide.

Qualitèsoft Technology

Qualitèsoft Technology

Qualitèsoft Technology is a leading Software Development and Quality Assurance organization. We specialize in Custom Development, Mobile Application, Software Testing and Quality Assurance.

Quality Professionals (Q-Pros)

Quality Professionals (Q-Pros)

QPros are a recognized leader in providing full-cycle software quality assurance and application testing services.

ShmooCon

ShmooCon

ShmooCon is an annual east coast hacker convention offering three days of demonstrations and discussions of critical infosec issues.

Austrian Trust Circle

Austrian Trust Circle

Austrian Trust Circle is an initiative of CERT.at and the Austrian Federal Chancellery and consists of Security Information Exchanges in the areas of the strategic information infrastructure.

AimBrain

AimBrain

AimBrain tools detect and prevent fraud, faster and more accurately than ever before.

Cyfirma

Cyfirma

CYFIRMA offers Cyber threat visibility and intelligence suite and services aimed at keeping your organization’s cybersecurity posture up-to-date.

International Accreditation Forum (IAF)

International Accreditation Forum (IAF)

The IAF is the world association of Conformity Assessment Accreditation Bodies. Its primary function is to develop a single worldwide programme of conformity assessment.

Cylera

Cylera

Cylera is a Healthcare IoT cybersecurity and intelligence company built in close partnership with healthcare providers.

Maven Security Consulting

Maven Security Consulting

Maven Security Consulting helps companies secure their information assets and digital infrastructure by providing a wide range of customized consulting and training services.

Beauceron Security

Beauceron Security

Beauceron's cloud-based platform gives employees a powerful personal cyber-risk coach empowering them to improve their cybersecurity practices and behaviours.

Cranfield University

Cranfield University

Cranfield Defence and Security are at the forefront of their fields, offering capabilities ranging from cyber security and digital warfare to robotics, forensic sciences and simulation and analytics.

TopSOC Information Security

TopSOC Information Security

TopSOC Information Security provide a wide range of security consultation, implementation and training services.

Dataships

Dataships

We help companies automate their privacy compliance while building healthy, transparent data relationships with their customers.

Torq

Torq

Torq's no-code automation modernizes how security & operations teams work with easy workflow building, limitless integrations and numerous pre-built templates.

Solvere One

Solvere One

Solvere One is a managed service provider (MSP) focused on corporate consulting and partnership.