UK IoT security regulation encourages consumers to be more aware

The UK government is moving forward with its plans to create regulation for IoT devices. The move follows a broad global trend to try and lock down the burgeoning but insecure world of the IoT, says Mike Nelson, vice president of IoT Security at DigiCert.

For too long now, Internet of Things (IoT) devices have been thrown to market replete with vulnerabilities that threaten strange new types of catastrophe for users. These range from attacks that leverage the very functionality of an IoT device, such as a hackable car or a doll that can be turned into a remote surveillance device, to events like the Mirai botnet attacks, which threatened internet infrastructure on a large scale. It’s for those reasons that the UK government has stepped up.

The regulations aim to build on 2018’s Code of Practice – Secure by Design, which offered a number of guidelines to IoT device manufacturers, as well as consumers, about how to securely build and use IoT devices. They include suggestions for securely storing credentials and other security data, minimising exposed attack surfaces, ensuring the integrity and continuous updating of the software on IoT devices, and ensuring secure communication to and from the devices.

The code of practice added that it was being rolled out with the hope that people would comply, and if they didn’t, the government would start to make those guidelines mandatory. It seems that’s finally happened and regulators will now make at least three of those guidelines compulsory.

Three guidelines

Firstly, IoT passwords have to be unique to each device and not resettable to any universal factory default, since a shared default would allow an attacker to merely look that password up.

Secondly, manufacturers must have a publicly advertised contact for vulnerability disclosures, allowing bugs to be reported and fixed in good time.

Thirdly, manufacturers must clearly state the minimum length of time that the device will receive security updates, so that consumers can plan for offboarding or make other security decisions on that basis.
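The first guideline is the one with an immediate engineering consequence, so here is an added worked example of what it means in firmware terms. This is illustrative code written for this page, not code from the article, DigiCert or any regulator: it contrasts a legacy device that ships with, and resets to, a shared admin/admin credential with a device whose credential is minted per unit at manufacture, printed on the label and stored only as a salted hash, so that a factory reset restores that unit's own credential rather than a universal one. The set of "universal defaults" is a constructed sample, the class and function names are this example's own, and it assumes the label password is the product's documented recovery path.

```python
import hashlib
import hmac
import os
import secrets
import string

# Constructed, illustrative sample of universal factory defaults of the kind
# the guideline rules out. Not an exhaustive list.
UNIVERSAL_DEFAULTS = {
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"),
    ("root", "root"), ("user", "user"),
}

LABEL_ALPHABET = string.ascii_letters + string.digits
PBKDF2_ROUNDS = 100_000


def new_label_password(length=16):
    """Draw a fresh per-device password from the OS CSPRNG.

    It is deliberately not derived from the serial number or MAC address:
    a password computable from printed or broadcast identifiers is just a
    default with extra steps.
    """
    return "".join(secrets.choice(LABEL_ALPHABET) for _ in range(length))


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the device stores only (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password, salt, digest):
    """Constant-time comparison against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class LegacyDevice:
    """Non-compliant pattern: every unit ships as admin/admin and a reset
    returns it to exactly that, so an attacker only has to look it up."""

    DEFAULT = ("admin", "admin")

    def __init__(self, serial):
        self.serial = serial
        self.credential = self.DEFAULT

    def factory_reset(self):
        self.credential = self.DEFAULT

    def login(self, username, password):
        return (username, password) == self.credential


class CompliantDevice:
    """Per-device credential minted at manufacture and printed on the label.

    The factory slot holds only its salted hash. A reset restores this
    unit's own credential, never a universal one (assumption: the label
    password is the documented recovery path for this product).
    """

    def __init__(self, serial, label_password, username="admin"):
        self.serial = serial
        self.username = username
        self.factory_slot = hash_password(label_password)
        self.current_slot = self.factory_slot

    def set_password(self, old, new):
        """Owner changes the password; requires the current one."""
        if not self.login(self.username, old):
            return False
        self.current_slot = hash_password(new)
        return True

    def factory_reset(self):
        self.current_slot = self.factory_slot

    def login(self, username, password):
        salt, digest = self.current_slot
        return username == self.username and check_password(password, salt, digest)


def manufacture_batch(serials):
    """Provision a batch. Returns the devices and the label text per serial.

    The plaintext exists only on the production line, for printing, and is
    not retained by the device.
    """
    devices, labels = {}, {}
    for serial in serials:
        password = new_label_password()
        devices[serial] = CompliantDevice(serial, password)
        labels[serial] = (devices[serial].username, password)
    return devices, labels


def audit_labels(labels):
    """Line-side check of the two properties the guideline asks for: no label
    credential is a universal default, and no two units share one."""
    problems, seen = [], {}
    for serial, cred in labels.items():
        if cred in UNIVERSAL_DEFAULTS:
            problems.append(f"{serial}: universal default credential")
        if cred in seen:
            problems.append(f"{serial}: duplicate of {seen[cred]}")
        seen.setdefault(cred, serial)
    return problems
```

The audit runs where the plaintext still exists, on the production line, because once the devices only hold salted hashes, uniqueness across a batch can no longer be checked cheaply. The legacy class is kept in the example only to make the contrast concrete.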

The devices that do comply will be able to proudly wear a stamp which signifies a government endorsement of this particular product’s security. It might seem like a simple move, but it’s one that profoundly changes the relationship between IoT security and the consumer.

IoT security left to manufacturers

While IoT security has heretofore been left up to manufacturers and then perhaps enterprise security teams to fix after the fact, Secure by Design’s certification scheme finally puts those security decisions in the hands of the consumer. Now, they can make those decisions before they introduce weakly protected, vulnerable devices into an otherwise secure network.

Now that consumers can take security into account when purchasing IoT devices, it can become a competitive differentiator. Manufacturers until now have created insecure devices largely because it was cheaper for them to do so. There was no market demand to make secure devices and not much that would make it profitable for them to do so.


Labelling devices and introducing security as a competitive differentiator for consumers will force manufacturers to think about how they can lose less and make more by thinking about security from the design stage onwards. Once consumers care, manufacturers are going to start caring too.

Calculation made too late

It’s a simple calculation which has been made far too late. For too long, the buck has been effectively left to manufacturers to secure their IoT products, with neither a carrot nor a stick to drive them forward. It won’t solve all of the security problems but it’s a commendable answer to a problem that has dogged this field for a long time. Governments around the world are starting to make sticks, but the clever thing about Secure by Design and its certification scheme is that it comes with a carrot too.

The author is Mike Nelson, VP of IoT Security, DigiCert

About the author

Mike Nelson is the VP of IoT Security at DigiCert, a global provider of digital security. In this role, Mike oversees the company’s strategic market development for the various critical infrastructure industries securing highly sensitive networks and Internet of Things (IoT) devices, including healthcare, transportation, industrial operations, and smart grid and smart city implementations. Mike frequently consults with organisations, contributes to media reports, participates in industry standards bodies, and speaks at industry conferences about how technology can be used to improve cyber security for critical systems and the people who rely upon them.

Mike has spent his career in healthcare IT including time at the US Department of Health and Human Services, GE Healthcare, and Leavitt Partners – a boutique healthcare consulting firm. Mike’s passion for the industry stems from his personal experience as a type 1 diabetic and his use of connected technology in his treatment.
