Secure by Design: UK Enforces IoT Device Cybersecurity Rules
Say goodbye to buying internet of things devices in Britain that ship with a default or hard-coded password such as “12345”: the country is now enforcing a ban on manufacturers shipping internet- or network-connected consumer devices that don’t meet minimum cybersecurity standards.
The grace period for companies to comply with the U.K. Product Security and Telecommunications Infrastructure Act expired Monday, allowing the government to police the security of a wide range of IoT goods, including smartphones, game consoles, wearable fitness trackers and children’s toys, as well as internet-connected fridges, speakers, baby monitors and more.
The connected-device law follows years of attacks on devices with known or easily guessable passwords, which have been used to launch distributed denial-of-service attacks against major institutions, including the BBC and major U.K. banks such as Lloyds and the Royal Bank of Scotland.
Officials said the law is designed not just for consumer protection but also to improve national cybersecurity resilience, including against malware that targets IoT devices, such as Mirai and its spinoffs, all of which can exploit default passwords in devices.
Western officials have also warned that Chinese and Russian nation-state hacking groups exploit known vulnerabilities in consumer-grade network devices. U.S. authorities earlier this year disrupted a Chinese botnet used by a group tracked as Volt Typhoon, warning that Beijing threat actors used infected small office and home office routers to cloak their hacking activities (see: Here’s How the FBI Stopped a Major Chinese Hacking Campaign).
“It’s encouraging to see growing emphasis on implementing best practices in securing IoT devices before they leave the factory,” said Kevin Curran, a professor of cybersecurity at Ulster University in Northern Ireland. “Despite their perceived simplicity, these devices hold unexpected power to disrupt when left unpatched or poorly managed.”
The law requires manufacturers to stop shipping devices with universal default passwords, to publish a vulnerability disclosure policy with a point of contact for reporting security issues, and to state the minimum period for which a product will receive security updates.
Britain is the first country to mandate minimum cybersecurity standards for IoT devices, the government said in a statement. “The security requirements are actions that relevant businesses in the supply chain must take, or requirements that a product must meet, to address a security problem or eliminate a potential security vulnerability,” it said.
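The default-password requirement is the one that bites most directly on firmware and factory provisioning, so here is an added Python example (not code from the article, the U.K. government or any manufacturer) contrasting a universal default with per-device credential schemes, plus the batch audit a reviewer might run over a provisioning export. The device records, serials, MAC addresses and factory secret are constructed for illustration, and the "recomputable from a public identifier" heuristics are an assumption about what reviewers try, not a transcription of the regulations. The security point it demonstrates is general: a password that is unique per unit but derived from a public identifier with an unkeyed hash becomes predictable as soon as the algorithm is recovered from firmware, whereas a keyed HMAC with a secret that never leaves the factory, or a per-unit CSPRNG value, does not.

```python
"""Per-device credential provisioning versus a universal default.

Added example, not code from the article or from any regulator. Contrasts a
hard-coded password with two per-device schemes and includes the batch audit a
reviewer might run on a provisioning export. Device records and the factory
secret are constructed for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed sample of units coming off a production line.
DEVICES = [
    {"serial": "SN-000001", "mac": "00:11:22:33:44:01"},
    {"serial": "SN-000002", "mac": "00:11:22:33:44:02"},
    {"serial": "SN-000003", "mac": "00:11:22:33:44:03"},
]

# Well-known defaults that botnets such as Mirai try first (short illustrative list).
KNOWN_DEFAULTS = {"", "12345", "123456", "admin", "password", "root", "default"}


def universal_default(_device):
    """Anti-pattern: the same password baked into every unit."""
    return "12345"


def unkeyed_from_identifier(device):
    """Anti-pattern: unique per device, but derived from a public identifier with
    an unkeyed hash. Once the algorithm is recovered from firmware, anyone can
    recompute the password from the MAC address the device broadcasts."""
    return hashlib.sha256(device["mac"].encode()).hexdigest()[:12]


def keyed_from_identifier(device, factory_secret):
    """Acceptable: HMAC over the serial with a secret that stays in the factory
    provisioning system. Without the key, the serial reveals nothing."""
    tag = hmac.new(factory_secret, device["serial"].encode(), hashlib.sha256)
    return tag.hexdigest()[:16]


def random_per_device(_device):
    """Acceptable and simplest: a CSPRNG value per unit, printed on the label and
    stored only as a hash in that unit's firmware image."""
    return secrets.token_urlsafe(12)


def audit_batch(devices, passwords):
    """Audit a provisioning batch; returns a list of findings (empty = pass).

    Checks: uniqueness across the batch, membership in a known-default list, and
    whether a password can be recomputed from the unit's public identifiers with
    a handful of common unkeyed transformations. The last check is a heuristic
    (an assumption about what reviewers try), not an exhaustive test.
    """
    findings = []
    if len(set(passwords)) != len(passwords):
        findings.append("passwords are not unique across the batch")
    for dev, pw in zip(devices, passwords):
        if pw in KNOWN_DEFAULTS:
            findings.append(f"{dev['serial']}: well-known default password")
            continue
        mac_hex = dev["mac"].replace(":", "")
        guessable = {
            dev["serial"], mac_hex, mac_hex[-6:],
            hashlib.sha256(dev["mac"].encode()).hexdigest()[:len(pw)],
            hashlib.md5(dev["serial"].encode()).hexdigest()[:len(pw)],
        }
        if pw in guessable:
            findings.append(f"{dev['serial']}: password recomputable from a public identifier")
    return findings


if __name__ == "__main__":
    secret = secrets.token_bytes(32)  # in practice held in the factory HSM
    for name, fn in [
        ("universal default", universal_default),
        ("unkeyed hash of MAC", unkeyed_from_identifier),
        ("HMAC(serial) with factory secret", lambda d: keyed_from_identifier(d, secret)),
        ("random per device", random_per_device),
    ]:
        pws = [fn(d) for d in DEVICES]
        print(f"{name:35s} -> {audit_batch(DEVICES, pws) or 'PASS'}")
```

Running the module prints one line per scheme: the two anti-patterns produce findings and the two per-device schemes pass. Note that the unkeyed scheme passes the uniqueness check, which is why an audit that only checks for duplicates and a known-default list misses it.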
The rules apply to all “manufacturers, importers and distributors of relevant connectable products,” and also include record-keeping requirements and a duty to investigate potential compliance violations by supply chain partners, it said.
The rules will be enforced by the Office for Product Safety and Standards, or OPSS, a part of the Department for Business and Trade that already enforces other product safety regulations.
In Britain, 99% of adults own at least one “smart” device, and households have an average of nine different internet- or network-connected devices.
“The use and ownership of consumer products that can connect to the internet or a network is growing rapidly,” said Graham Russell, chief executive of OPSS. “U.K. consumers should be able to trust that these products are designed and built with security in mind, protecting them from the increasing cyber threats to connectable devices.”
Multiple security experts have celebrated the law, not least because it requires manufacturers to establish channels for receiving bug reports and carries the threat of legal action if they fail to do so.
“It’s got teeth, which I love,” Ken Munro, a connected-device security expert with Pen Test Partners, told the BBC. Via social media, he said the law is “a big step in the right direction for IoT” but added, “My worry is that enforcement action won’t be taken” (see: Don’t Hug These Internet-Connected Stuffed Toys).
The government previously attempted to bolster device security through a voluntary IoT cybersecurity code of practice introduced in 2018. But a parliamentary probe found that by 2020, only 27% of manufacturers had implemented one of the key tenets: giving security researchers a direct channel for reporting any vulnerabilities they found in the manufacturer’s devices.
Following a 2020 consultation on device security, Parliament passed the PSTI Act in 2022, and some details – such as the minimum cybersecurity requirements to be enforced – were hammered out in 2023 (see: Consumer IoT Security Labels: Transparency Push Intensifies).
Experts said they hope more consumers will shop for devices in part based on the support period the manufacturers offer.
“This landmark act will help consumers to make informed decisions about the security of products they buy,” said Sarah Lyons, the U.K. National Cyber Security Centre’s deputy director for economy and society.
The law includes a number of exceptions, often for devices already covered by other regulations. These include medical devices, smart meters and electric vehicle charge points, as well as desktop and laptop computers and tablets that cannot connect to cellular networks – unless they are designed exclusively for use by children under 14 years of age.
The government also said it plans to introduce legislation to exempt some automotive vehicles “from the product security regulatory regime, as they will be covered by alternative legislation.”
Executive Editor, DataBreachToday & Europe, ISMG
Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as executive editor of DataBreachToday and of European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.