UK makes stricter laws revolving around IoT cybersecurity

The United Kingdom (UK) has tightened laws revolving around Internet of Things (IoT) cyber security to help protect its citizens and businesses from the rising threats posed by cyber criminals and the increasingly targeting IoT devices.

Under the proposed measures by the government, all IoT and consumer smart devices will be mandatorily required to adhere to specific security requirements. The proposed measures from the Department for Culture, Media and Sports (DCMS) have been developed in conjunction with the UK’s National Cyber Security Centre (NCSC) and is the result of a consultation with information security experts, product manufacturers and retailers and others.

According to Matt Warman, Minister for digital and broadband at DCMS, the new law will hold firms manufacturing and selling internet-connected devices responsible and stop hackers threatening people’s privacy and safety.

Many connected devices are shipped with simple, default passwords that in most cases cannot be changed, while some IoT product manufacturers often lack a medium to connect to them in case of any vulnerabilities to be reported – especially if that device is produced on the other side of the world.

The new legislation requires that IoT devices must follow three particular rules to be allowed to sell products in the UK. They are –

• All consumer internet-connected device passwords must be unique and not resettable to any universal factory setting

• Manufacturers of consumer IoT devices must provide a public point of contact so anyone can report a vulnerability and it will be acted on in a timely manner

• Manufacturers of such IoT devices must explicitly state the minimum length of time that the device will receive security updates at the point of sale, either in store or online

The new law proposes that if IoT products fail to follow these rules, such devices could potentially be banned from sale in the UK.

In certain cases where IoT products suddenly stop receiving support from manufacturers, providing an exact length of time that devices will be supported will allow users to think about how secure the product will be in the long term.

According to said Nicola Hudson, Policy and Communications Director at the NCSC, development of such legislation to ensure that citizens are better protected is hugely welcomed.

On the same lines, ENISA, the European Union’s cybersecurity agency, is also working towards legislation in this area, while the US government is also looking to regulate IoT in an effort to protect against cyberattacks.