Today, the UK’s Department for Digital, Culture, Media and Sport (DCMS) published its response to the Secure by Design call for views, part of its effort to change the law so that ‘smart’ products – televisions, cameras, household appliances and other consumer devices that connect to the Internet – are more secure for consumers to use.
The regulation will include three major requirements:
1. Customers must be informed at the point of sale of how long a smart device will receive security software updates.
2. Manufacturers are banned from using universal default passwords, such as ‘password’ or ‘admin’, which are often present in a device’s factory settings and are easily guessable.
3. Manufacturers must provide a public point of contact so that anyone can report a vulnerability.
The IoT Security Foundation (IoTSF)
welcomes the announcement as a significant step towards ‘making it safe to
connect’ to the Internet of Things, having championed the need for
fit-for-purpose security across all market segments since it was founded in
2015. The consumer sector is highlighted as being of immediate concern because of gaps in users’ security knowledge and the overwhelming evidence, from researchers and media headlines alike, of poor industry practice.
Good security hygiene includes updating security software and having a vulnerability management process. A manufacturer’s vulnerability disclosure practice is an indicator of the importance it places on digital security, and IoTSF’s 2018 research into global consumer product companies found that fewer than 10% of vendors provided an open channel for reporting security issues. Whilst the situation has improved slightly, it remains far from an acceptable level, and IoTSF has continued to support efforts to drive standards and guide regulation as part of its mission to help secure the IoT.
About the regulation
The new cybersecurity regulation will apply to all in-scope connected consumer products made available to UK consumers. Manufacturers will be prohibited from placing consumer connected products on the UK market unless they comply with specific security measures, set out in legislation as security requirements or designated standards. The recently published ETSI EN 303 645 is one standard on the ‘designated list’, and it is anticipated that the list will grow over time to help firms streamline their compliance efforts.
A staged approach to product scope
The long-term goal of the legislation
is to cover all internet-connected products – both existing and emerging.
However, that will not be achieved in one step and a joined-up approach has
been adopted to align with changes in the wider regulatory landscape. This
allows for products to be phased in and for further consultation before
potentially bringing additional products into its scope such as connected cars,
charge points and medical devices.
What’s in and what’s out?
Of specific note, smartphones have been
confirmed as being included, yet regular computers (including desktops, laptops
and tablet devices) that do not have a cellular connection are excluded for the
time being.
The regulation will apply to all in
scope consumer connected products including connected cameras, connected TVs,
smart speakers, connected children’s toys, wearable connected fitness trackers,
smart home assistants, and more.
The Government is working to introduce
legislation as soon as parliamentary time and competing priorities allow.
Help is on hand
IoTSF has created a resource hub to help consumer IoT producers understand the regulatory requirements in more detail. The materials include a set of quick guides and training videos that break down each requirement for easy consumption. In addition to these dedicated materials, a more comprehensive set of security provisions is listed in the ‘IoT Security Compliance Framework’ and the accompanying ‘Security Design Best Practice Guides’, also available for free download from the IoTSF website.
John Moor, Managing Director of the IoT Security Foundation, said:
“Since
it was founded, IoTSF has championed the need for fit-for-purpose security to
be applied to all connected devices as a fundamental market requirement and
foundation for the digital economy. The Internet of Things is constantly
evolving, and security practice must continue to keep pace. As such, the
importance of vulnerability management and updating security software cannot be
understated. This announcement from the UK is good news for the IoT market as a
whole as it acts as a baseline, makes consumers safer, and supply chains more
secure. Citizens have a right to expect protections in law and not to be left vulnerable because of insecure products. In the words of one of our members, remember, ‘if it ain’t secure, it ain’t smart’.”
Ref:
https://www.iotsecurityfoundation.org/