UK Goverment introduces IoT regulation.
The UK’s Product Security and Telecommunications Infrastructure comes into effect this week, adding a level of regulation to Internet of Things (IoT) devices.
From Monday 29th April, businesses in the supply chains of these products need to be compliant with the legislation. In particular, manufacturers will need to include three security requirements:
Passwords - Passwords must be unique per product; or capable of being defined by the user of the product. They must not be based on incremental counters; based on or derived from publicly available information; based on or derived from unique product identifiers, such as a serial number unless this is done using an encryption method, or keyed hashing algorithm, that is accepted as part of good industry practice; or otherwise easily guessable.
Information on how to report security issues - The manufacturer must provide information on how to report security issues about their product to the user. The manufacturer must also provide information on the timescales within which an acknowledgment of the receipt of the report and status updates until the resolution of the reported security issues can be expected by person making the report.
Information on minimum security update periods - Information on minimum security update periods must be published and made available to the consumer in a clear accessible and transparent manner. This must be the minimum length of time security updates will be provided along with an end date.
Strong and Secure Passwords
Richard Newton, Managing Consultant at Pentest People, calls the enforcement of secure passwords on smart devices “a positive step towards enhancing cybersecurity” but he suspects that as a lot of technology is sourced from countries where this won't be enforced, we will still find technology in the UK that will have weak passwords.
Chris Doman, CTO and co-founder of Cado Security, said: “The fact we are having to mandate the use of strong passwords, however, is worrying. This is basic best practice and with attacks happening daily, as a country, and an industry, we should be implementing these processes as standard.
“These new laws will need to be regularly updated and adapted to keep pace with the speed of innovation and the threats we are being exposed to."
Contact Details
Javvad Malik, lead security awareness advocate at KnowBe4, called the regulation refreshing, as it is a move towards mandating stronger built-in security measures, and a fundamental move that shifts some of the onus of security from consumers, who might not be cyber-savvy, back onto the manufacturers.
“The inclusion of requirements for manufacturers to provide clear contact details for reporting bugs and being transparent about the length of time devices will receive security updates is vital and will be valuable to consumers' buying decisions,” Malik said.
“It's a move that recognises the fact that cybersecurity is not just a technical issue, but a societal one. As we continue to surround ourselves with increasingly smart devices, making sure they are secure by design is not just good sense; it fosters a culture of cybersecurity that can protect individuals and society's privacy and well-being.”
Enforcement
The Office for Product Safety and Standards (OPSS) will be responsible for enforcing the regulations. The OPSS is part of the Department for Business and Trade, and already enforce the UK’s existing product safety regulations.
OPSS will utilise existing processes and relationships to enforce the UK product security regime in a robust and risk-based manner and take appropriate and proportionate action against businesses that fail to comply with their obligations.
However Jamie Akhtar, CEO at CyberSmart believes the legislation could - and should - go further, as manufacturers bear a responsibility to consumers to ensure that their products are as secure as possible.
“This legislation is a little ‘light touch’ in that regard,” he said. “Just three of the top 13 requirements from the ETSI EN 303 645 standard for consumer IoT security (which the law took inspiration from) are included in the final legislation, leaving it a little weak in some aspects. In short, it’s a great start but we look forward to it being built upon by future legislation.”