James Moore is the Managing Editor of IFSEC Insider, the leading online publication for security and fire news in the industry. James writes, commissions, edits and produces content for IFSEC Insider, including articles, breaking news stories and exclusive industry reports. He liaises and speaks with leading industry figures, vendors and associations to ensure security and fire professionals remain abreast of all the latest developments in the sector.
As the uptake of consumer connected smart devices continues to rise, the UK Government has announced its “groundbreaking plans” to ensure they are more cyber secure.
The move comes following concerns that too many insecure consumer connected products, such as smart cameras and doorbells, remain on the market. New figures show that 49% of UK residents have purchased at least one smart device since the coronavirus pandemic, while 57% reported an increase in their household use of internet connected devices. However, as industry professionals have been pointing out for years, many remain vulnerable to cyber attacks – often due to a lack of standards, best practice regulation and poor password security.
To counter this threat, the UK Government is planning a new law to make sure “virtually all smart devices”, including smartphones, meet minimum requirements. These include:
Customers to be informed at the point of sale the duration of time for which a smart device will receive security software updates
A ban on manufacturers using default passwords – e.g. ‘password’ or ‘admin’ that are often preset in a device’s settings
Manufacturers will be required to provide a public point of contact to make it simpler for anyone to report a vulnerability
It would appear that much of this will be the responsibility of the manufacturer, or sometimes the retailer, though the Government continues to urge consumers to change default passwords and regularly update apps and software, which often contain vital security patches.
The changes, which are set to become law by the end of the year, are a result of the ETSI code of practice agreements between the UK and EU, and have been under consideration for the past few years with expert contributions from the likes of the IoT Security Foundation. Implementation was initially planned for the end of 2020, but was delayed due to the impact of the coronavirus pandemic.
The three actions laid out are also designed to directly address issues found in research from the likes of University College London. According to one paper, out of 270 smart products assessed, none displayed information about how long the device would be supported with security updates. In addition, only 20% of global manufacturers have a mechanism in place to allow security researchers to report vulnerabilities.
The requirement for improved IoT security standards has not been lost at national security level, either. The Director of GCHQ and former Deputy Director General of MI5, Jeremy Fleming, highlighted that Britain faces a “moment of reckoning” if cyber security capabilities are not enhanced. He warned that the “global digital environment is under threat”, with cyber security set to take a whole-nation approach. Numerous high profile attacks have been carried out in recent years, including the WannaCry cyber attack in 2017 which cost the NHS a reported £92 million.
The regulation is set to apply across the UK to all “consumer connected products” – though devices such as desktop computers and laptops will be exempt due to differences in how they are secured and constructed.
Smartphones are to be included in the planned Secure by Design legislation, after research from Which? found a “third of people kept their last phone for four years” – some brands currently offer security updates for only just over two.
An enforcement body is also expected to be introduced, which will be equipped with the power to investigate allegations of non-compliance.
On the new proposals, Sarb Sembhi, CTO & CISO of Virtually Informed, and also Co-chair of the IoT Security Foundation Smart Built Environment Group, commented: “I think people forget some of the basic trends that have taken place leading to governments around the world to consider any changes in legislation. There are at least four changes that have led to the cyber security of today and going forward:
“Traditional computing device vendors (like PCs, laptops etc.) have increased security measures steadily during the same period that criminal attackers have been improving their attack tools, techniques and approaches. At that time it was a tit for tat game.
“However, IoT devices are coming onto the market without learning any of the lessons from the past, which means attackers don’t need to use any advanced tools, techniques and approaches. The game changed to a cat and mouse game.
“As the number of insecure IoT devices is exceeding the number of traditionally secure computing devices, criminal attackers are at a greater advantage.
“If every home, small business, building and enterprise office ends up with more IoT devices than secure personal computing devices, the future is going to be in favour of the criminals to exploit. At this point it’s no longer a game, if anything it is game over!
“The challenge for governments isn’t about getting vendors to raise the bar by implementing just 3 of the 13 requirements of the ETSI standard, but to get them to implement all 13 of them quickly. Because these three proposed in the current legislation, as important as they are, still aren’t enough to reduce the bad place we could easily end up in.”
Digital Infrastructure Minister, Matt Warman, said: “Our phones and smart devices can be a gold mine for hackers looking to steal data, yet a great number still run older software with holes in their security systems.
“We are changing the law to ensure shoppers know how long products are supported with vital security updates before they buy and are making devices harder to break into by banning easily guessable default passwords.
“The reforms, backed by tech associations around the world, will torpedo the efforts of online criminals and boost our mission to build back safer from the pandemic.”
Three new voluntary assurance schemes have also been launched to give shoppers confidence a smart product has been made cyber secure.
The Stockport-based Internet of Toys Assurance Scheme will allow parents to know from the outset whether a smart toy has been tested and meets minimum security requirements
The Smart TV Cybersecurity Certification programme will provide third-party testing and give confidence to buyers of smart TV products by allowing approved devices to display a certification logo
The IASME IoT Security Assured initiative will be open to start-ups and smaller companies to carry out verified cyber security self-assessment of their products
New “groundbreaking plans” unveiled by Government to improve cyber security of smart IoT devices
As the uptake of smart devices continues to increase, the UK Government has announced its "groundbreaking plans" to ensure they are more cyber secure.
James Moore
IFSEC Insider | Security and Fire News and Resources