UK Government Update on Plans for Consumer IoT Security Regulation
Today, the UK’s Department for Digital, Culture, Media and Sport (DCMS) published its response to the Secure by Design call for views in its quest to change the law to make ‘smart’ products – like televisions, cameras and household appliances that connect to the Internet – more secure for consumers to use.
The regulation will include three major requirements:
Customers must be informed at the point of sale of how long a smart device will receive security software updates.
A ban on manufacturers using universal default passwords, such as ‘password’ or ‘admin’, that are often present in a device’s factory settings and are easily guessable.
Manufacturers will be required to provide a public point of contact to make it simpler for anyone to report a vulnerability.
The IoT Security Foundation (IoTSF) welcomes the announcement as a significant step towards ‘making it safe to connect’ to the Internet of Things, having championed the need for fit-for-purpose security across all market segments since it was founded in 2015. The consumer sector is highlighted as being of immediate concern due to users’ security knowledge gaps and the overwhelming evidence, from researchers and media headlines alike, of poor industry practice.
Good security hygiene includes updating security software and having a vulnerability management process. Vulnerability disclosure practice is an indicator of the importance a manufacturer places on digital security, and IoTSF’s 2018 research into global consumer product companies highlighted that fewer than 10% of vendors provided an open channel for reporting security issues. Whilst the situation has slightly improved, it remains far from acceptable, and IoTSF has continued to support efforts to drive standards and guide regulation as part of its mission to help secure the IoT.
About the regulation
The new cybersecurity regulation will apply to all in-scope connected consumer products made available to UK consumers. Manufacturers will be obligated not to place consumer connected products on the UK market unless they comply with specific security measures, outlined in legislation through security requirements or designated standards. The recently published EN 303 645 is one standard on the ‘designated list’, and it is anticipated that the list will grow over time to help firms streamline their efforts.
A staged approach to product scope
The long-term goal of the legislation is to cover all internet-connected products – both existing and emerging. However, that will not be achieved in one step, and a joined-up approach has been adopted to align with changes in the wider regulatory landscape. This allows products to be phased in and for further consultation before potentially bringing additional products into scope, such as connected cars, charge points and medical devices.
What’s in and what’s out?
Of specific note, smartphones have been confirmed as included, whereas regular computers (including desktops, laptops and tablet devices) that do not have a cellular connection are excluded for the time being.
The regulation will apply to all in-scope consumer connected products, including connected cameras, connected TVs, smart speakers, connected children’s toys, wearable connected fitness trackers, smart home assistants, and more.
The Government is working to introduce legislation as soon as parliamentary time and competing priorities allow.
Help is on hand
IoTSF has created a resource hub to help consumer IoT producers understand the regulatory requirements in more detail. The materials provided include a set of quick guides and training videos, breaking down each requirement for easy consumption. In addition to the dedicated materials, a more comprehensive set of security provisions is listed in the popular ‘IoT Security Compliance Framework’ and the accompanying ‘Security Design Best Practice Guides’, also available for free download from the IoTSF website.