UK IoT security regulation encourages consumers to be more aware

The UK government is moving forward with its plans to create regulation for IoT devices. The move follows a broad global trend to try and lock down the burgeoning but insecure world of the IoT, says Mike Nelson, vice president of IoT Security at DigiCert.

For too long now, Internet of Things (IoT) devices have been thrown to market replete with vulnerabilities that threaten strange new types of catastrophe for users. From attacks that leverage the very functionality of an IoT device – such as a hackable car or a doll that can be turned into a remote surveillance device – to events like the Mirai attacks which threatened internet infrastructure on a large scale. It’s for those reasons that the UK government has stepped up.

The regulations aim to build on 2018’s Code of Practice – Secure by Designwhich offered a number of guidelines to IoT device manufacturers, as well as consumers, about how to securely build and use IoT devices. They include suggestions for securely storing credentials and other security data, minimising exposed attack surfaces, ensuring the integrity and continuous updating of the software on IoT devices as well as ensuring secure communication to and from the devices.

The code of practice added that it was being rolled out with the hope that people would comply, and if they didn’t, the government would start to make those guidelines mandatory. It seems that’s finally happened and regulators will now make at least three of those guidelines compulsory.

Three guidelines

Firstly, IoT passwords have to be unique and not resettable to a factory default, thereby allowing an attacker to merely look that password up.

Secondly, manufacturers must have a publicly advertised contact for vulnerability disclosures, allowing bugs to be reported and fixed in good time.

Thirdly, manufacturers must clearly state the minimum length of time that the device will receive security updates, so that consumers can plan for offboarding or make other security decisions on that basis.

The devices that do comply will be able to proudly wear a stamp which signifies a government endorsement of this particular product’s security. It might seem like a simple move, but it’s one that profoundly changes the relationship between IoT security and the consumer.

IoT security left to manufacturers

While IoT security has heretofore been left up to manufacturers and then perhaps enterprise security teams to fix after the fact, Secure by Design’s certification scheme finally puts those security decisions in the hands of the consumer. Now, they can make those decisions before they introduce weakly protected, vulnerable devices into an otherwise secure network.

Now that consumers can take security into account when purchasing IoT devices, it can become a competitive differentiator. Manufacturers until now have created insecure devices largely because it was cheaper for them to do so. There was no market demand to make secure devices and not much that would make it profitable for them to do so.

Mike Nelson

Labelling devices and introducing security as a competitive differentiator for consumers will force manufacturers to think about how they can lose less and make more by thinking about security from the design stage onwards. Once consumers care, manufacturers are going to start caring too.

Calculation made too late

It’s a simple calculation which has been made far too late. For too long, the buck has been effectively left to manufacturers to secure their IoT products, with neither a carrot nor a stick to drive them forward. It won’t solve all of the security problems but it’s a commendable answer to a problem that has dogged this field for a long time. Governments around the world are starting to make sticks, but the clever thing about Secure by Design and its certification scheme is that it comes with a carrot too.

The author is Mike Nelson, VP of IoT Security, DigiCert

About the author

Mike Nelson is the VP of IoT Security at DigiCert, a global provider of digital security. In this role, Mike oversees the company’s strategic market development for the various critical infrastructure industries securing highly sensitive networks and Internet of Things (IoT) devices, including healthcare, transportation, industrial operations, and smart grid and smart city implementations. Mike frequently consults with organisations, contributes to media reports, participates in industry standards bodies, and speaks at industry conferences about how technology can be used to improve cyber security for critical systems and the people who rely upon them.

Mike has spent his career in healthcare IT including time at the US Department of Health and Human Services, GE Healthcare, and Leavitt Partners – a boutique healthcare consulting firm. Mike’s passion for the industry stems from his personal experience as a type 1 diabetic and his use of connected technology in his treatment.

Comment on this article below or via Twitter: @IoTNow_OR @jcIoTnow

RECENT ARTICLES

eSIM connections to exceed 4.5bn in 2027 driven by expanding consumer market, says Kaleido

Posted on: May 16, 2022

London, UK. 11 May 2022 – Kaleido Intelligence, a connectivity market intelligence and consulting firm, has published its latest eSIM Market Outlook report. The study, which examines GSMA-compliant eSIMs across consumer and IoT markets, found that active xUICC (eSIM/iSIM) connections will grow over 1400% between 2022 and 2027, with growth heavily driven by smartphone users.

Read more

Our connected future: Smart building market & predictions

Posted on: May 13, 2022

Increasing government initiatives, growing energy concerns, consumer demands, and various environmental, social and governance (ESG) factors are driving the growth of the smart building market, which is expected to register a compound annual growth rate (CAGR) of over 23% between the period of 2020 – 2025.

Read more
FEATURED IoT STORIES

9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, home automation using iot is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more

5 challenges still facing the Internet of Things

Posted on: June 3, 2020

The Internet of Things (IoT) has quickly become a huge part of how people live, communicate and do business. All around the world, web-enabled devices are turning our world into a more switched-on place to live.

Read more

What is IoT?

Posted on: July 7, 2019

What is IoT Data as a new oil IoT connectivity What is IoT video So what’s IoT? The phrase ‘Internet of Things’ (IoT) is officially everywhere. It constantly shows up in my Google news feed, the weekend tech supplements are waxing lyrical about it and the volume of marketing emails I receive advertising ‘smart, connected

Read more