UK IoT security regulation encourages consumers to be more aware

The UK government is moving forward with its plans to create regulation for IoT devices. The move follows a broad global trend to try and lock down the burgeoning but insecure world of the IoT, says Mike Nelson, vice president of IoT Security at DigiCert.

For too long now, Internet of Things (IoT) devices have been thrown to market replete with vulnerabilities that threaten strange new types of catastrophe for users. These range from attacks that leverage the very functionality of an IoT device – such as a hackable car or a doll that can be turned into a remote surveillance device – to events like the Mirai attacks, which threatened internet infrastructure on a large scale. It’s for those reasons that the UK government has stepped up.

The regulations aim to build on 2018’s Code of Practice – Secure by Design, which offered a number of guidelines to IoT device manufacturers, as well as consumers, about how to securely build and use IoT devices. They include suggestions for securely storing credentials and other security data, minimising exposed attack surfaces, ensuring the integrity and continuous updating of the software on IoT devices, and ensuring secure communication to and from the devices.

The code of practice added that it was being rolled out with the hope that people would comply, and if they didn’t, the government would start to make those guidelines mandatory. It seems that’s finally happened and regulators will now make at least three of those guidelines compulsory.

Three guidelines

Firstly, IoT passwords have to be unique and not resettable to a factory default, which would allow an attacker to merely look that password up.

Secondly, manufacturers must have a publicly advertised contact for vulnerability disclosures, allowing bugs to be reported and fixed in good time.

Thirdly, manufacturers must clearly state the minimum length of time that the device will receive security updates, so that consumers can plan for offboarding or make other security decisions on that basis.

The devices that do comply will be able to proudly wear a stamp which signifies a government endorsement of this particular product’s security. It might seem like a simple move, but it’s one that profoundly changes the relationship between IoT security and the consumer.

IoT security left to manufacturers

While IoT security has heretofore been left up to manufacturers and then perhaps enterprise security teams to fix after the fact, Secure by Design’s certification scheme finally puts those security decisions in the hands of the consumer. Now, they can make those decisions before they introduce weakly protected, vulnerable devices into an otherwise secure network.

Now that consumers can take security into account when purchasing IoT devices, it can become a competitive differentiator. Manufacturers until now have created insecure devices largely because it was cheaper for them to do so. There was no market demand to make secure devices and not much that would make it profitable for them to do so.

Labelling devices and introducing security as a competitive differentiator for consumers will force manufacturers to think about how they can lose less and make more by thinking about security from the design stage onwards. Once consumers care, manufacturers are going to start caring too.

Calculation made too late

It’s a simple calculation which has been made far too late. For too long, the buck has been effectively left to manufacturers to secure their IoT products, with neither a carrot nor a stick to drive them forward. It won’t solve all of the security problems but it’s a commendable answer to a problem that has dogged this field for a long time. Governments around the world are starting to make sticks, but the clever thing about Secure by Design and its certification scheme is that it comes with a carrot too.

The author is Mike Nelson, VP of IoT Security, DigiCert

About the author

Mike Nelson is the VP of IoT Security at DigiCert, a global provider of digital security. In this role, Mike oversees the company’s strategic market development for the various critical infrastructure industries securing highly sensitive networks and Internet of Things (IoT) devices, including healthcare, transportation, industrial operations, and smart grid and smart city implementations. Mike frequently consults with organisations, contributes to media reports, participates in industry standards bodies, and speaks at industry conferences about how technology can be used to improve cyber security for critical systems and the people who rely upon them.

Mike has spent his career in healthcare IT including time at the US Department of Health and Human Services, GE Healthcare, and Leavitt Partners – a boutique healthcare consulting firm. Mike’s passion for the industry stems from his personal experience as a type 1 diabetic and his use of connected technology in his treatment.
