The UK government’s plans for a more secure Internet of Things (IoT) are the first of their kind and are long overdue. Progressive new regulations restricting the use of default passwords and mandating security updates will bring much-needed foundational security to consumer devices. Simple steps in the design and operation of connected products can ensure the trust and integrity of the connected devices and services we use every day.
There have been increasing security concerns as connected devices have become more ubiquitous. As the number of such devices and services grows, the potential impact of security breaches has likewise increased, leading to calls for protection to keep consumers and businesses safe in the connected world. The companies creating IoT solutions often have to navigate a complex landscape of security standards, technologies, and processes, requiring deep expertise in a highly specialized field. As a result, the topic of building trusted devices is a salient discussion point for both device manufacturers and regulators.
Recently, in response to the growing need to close the gap in security practices between currently manufactured devices and basic levels of security for the connected device world, the UK Government’s Department for Digital, Culture, Media and Sport (DCMS) has announced plans for a new law to protect users of internet-connected household devices from the threat of cyber attacks.
This move follows the government’s voluntary Secure by Design Code of Practice for consumer IoT security. The code, which was launched in 2018, advocates that more robust cybersecurity measures be built into smart products at the design stage and has already been backed by companies like Centrica Hive, HP Inc. and Panasonic. In February 2019, the European Telecommunications Standards Institute (ETSI) published the first globally applicable industry standard on consumer IoT security based on this Code of Practice.
With internationally recognized standards in place, government regulatory action can be a positive force to ensure these important standards are adopted, bringing consumer products up to modern standards for our connected world. The current UK government proposal is a big step toward ensuring a minimum baseline level of cybersecurity and a foundation for consumer trust across digitized products we increasingly use throughout our daily lives.
No room for error
The regulation will apply to all connected consumer IoT products, such as smart speakers, smart TVs, connected doorbells and smartphones. The security requirements align with international standards and are familiar to established device manufacturers, but they can be a departure for those new to building digitized, connected products.
Twelve key policy positions, divided into three categories, make up the government’s intended regulatory approach:
- The scope of the intended legislation covers only products that are intended for use by consumers, or that are likely to be used by consumers. Industrial IoT and critical infrastructure are therefore excluded, as are other exempted product categories such as smart meters, laptops, and second-hand products.
- The role of economic actors is outlined in two primary ways. First, the manufacturer has an obligation to provide transparency and information to the consumer regarding the security of its devices. Second, it must uphold high security standards if it wishes to sell in the UK, including implementing a means to manage vulnerabilities, banning universal default passwords, and being transparent about how long the software on the device will be supported with security updates. Manufacturers will need to place far greater importance on over-the-air (OTA) firmware updates to their devices after purchase. This signals that the device lifecycle extends beyond the point of sale and into the device’s operational life, allowing security patches to be delivered to devices in response to emerging threats.
- Enforcement of the legislation will be carried out by a regulatory authority empowered to protect consumers with corrective measures, including investigatory powers and civil sanctions.
These policies are a significant change from the current ways of working for device manufacturers, who routinely ship devices with default passwords and may have no market incentive to bear the cost of ongoing security updates. GDPR has set the tone for how the European Union and UK authorities wish to protect users from unknowingly assuming the risks that accompany the growing influence of technology in people’s lives.
Tips for security success
While any legislative change can at first appear daunting, the scope of requirements is well within standard practice and device makers can rely on an ecosystem of security experts, providers of off-the-shelf device management services, silicon vendors and others to quickly upgrade their products to meet these standards. Increased transparency through clear communication and higher standards can be achieved with secure design principles:
- Design with renewable security in mind – All devices should be managed, with the ability to update firmware and applications to patch security vulnerabilities.
- Securely store credentials and security-sensitive data – Credentials should be stored securely within services and on devices, rather than hard-coded in device software.
- Find the right partner – Keeping ahead of emerging technology and threats requires long-term commitment and resources. Seek out partners who offer SOC compliance and whose sole focus is delivering a secure device lifecycle that reduces your cost base and risk exposure.
- Communicate securely – Security-sensitive data, including any remote management and control traffic, should be encrypted in transit, in a manner appropriate to the properties of the technology. Key usage and all keys should be managed securely.
- Minimize exposed attack surfaces – All devices and services should operate on the ‘principle of least privilege’. Unused ports should be closed, hardware should not unnecessarily expose access, services should not be available if they are not used, and code should be minimized to the functionality necessary for the service to operate. Software should run with appropriate privileges, taking into account both security and functionality.
- Ensure that personal data is protected – Where devices and/or services process personal data, they should do so in accordance with applicable data protection law, such as GDPR. Device manufacturers and IoT service providers should provide consumers with clear and transparent information about how their data is being used, by whom, and for what purposes, for each device and service.
- Make it easy for consumers to delete personal data and manage devices – Devices and services should be configured to allow easy removal of personal data when there is a transfer of ownership. Clear instruction should be provided by manufacturers on how to do so.
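Two of the requirements above are concrete enough to check mechanically: factory credentials must not be universal defaults, and OTA firmware updates must be verifiable before they are applied. The following Python module is an added illustration and is not code from the article, from Pelion, or from any standard it cites. It assumes a per-batch provisioning record (serial number to factory password), a constructed list of well-known default passwords, and a manifest authenticated with HMAC-SHA256 under a provisioning key; a production design would use an asymmetric signature over the manifest, but the three checks shown (authenticity, image digest, anti-rollback) are the same.

```python
"""Added example: provisioning-time and update-time checks for a consumer IoT
device. Not the article's or any vendor's code; all data below is constructed."""
import hashlib
import hmac
import json
from collections import Counter

# Constructed sample of universal default credentials (illustrative only).
KNOWN_UNIVERSAL_DEFAULTS = {"admin", "password", "12345678", "default", ""}
MIN_PASSWORD_LENGTH = 8


def audit_batch_credentials(batch: dict) -> list:
    """Return the serial numbers whose factory password is a known universal
    default, shorter than MIN_PASSWORD_LENGTH, or shared with another device
    in the same batch. An empty list means every device has a unique password."""
    counts = Counter(batch.values())
    failing = []
    for serial, password in batch.items():
        if (password in KNOWN_UNIVERSAL_DEFAULTS
                or len(password) < MIN_PASSWORD_LENGTH
                or counts[password] > 1):
            failing.append(serial)
    return sorted(failing)


def build_manifest(firmware: bytes, version: int) -> dict:
    """Manifest the update server publishes alongside the image (assumed format)."""
    return {"version": version, "sha256": hashlib.sha256(firmware).hexdigest()}


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the manifest.
    Stand-in for an asymmetric signature; the verification flow is identical."""
    payload = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_update(manifest: dict, signature: str, firmware: bytes,
                  key: bytes, installed_version: int) -> bool:
    """Accept an OTA update only if all three checks pass:
    1. the manifest signature is authentic (constant-time comparison),
    2. the downloaded image matches the digest pinned in the manifest,
    3. the version is strictly newer than what is installed (no rollback)."""
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected, signature):
        return False
    if hashlib.sha256(firmware).hexdigest() != manifest.get("sha256"):
        return False
    return int(manifest.get("version", 0)) > installed_version


if __name__ == "__main__":
    # Constructed production batch: one default, one duplicate pair, one short.
    batch = {
        "SN001": "admin",
        "SN002": "x7Kq-9pLm2",
        "SN003": "Qw8!rTz4vB",
        "SN004": "Qw8!rTz4vB",
        "SN005": "short",
    }
    print("devices failing credential audit:", audit_batch_credentials(batch))

    key = b"constructed-provisioning-key"
    firmware = b"constructed firmware image v2"
    manifest = build_manifest(firmware, version=2)
    sig = sign_manifest(manifest, key)
    print("genuine update accepted:", verify_update(manifest, sig, firmware, key, 1))
    print("tampered image rejected:", not verify_update(manifest, sig, firmware + b"x", key, 1))
    print("rollback rejected:", not verify_update(manifest, sig, firmware, key, 2))
```

The credential audit runs on the manufacturer's side before devices leave the factory, so a batch that reuses one password is caught before it reaches consumers; the update check runs on the device, and the rollback test matters because an attacker who can replay an old, genuinely signed image would otherwise reintroduce a patched vulnerability.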
The new legislation aims to hold companies that manufacture and sell consumer IoT devices more accountable and to make it harder for attackers to threaten people’s privacy and safety. There are hurdles to overcome, which is why manufacturers should start preparing now and enlist partners who can help them reach compliance (and market) sooner, rather than sinking time and resources into proprietary measures that quickly become obsolete.
Gaining trust from consumers is also in device makers’ best interest, with IDC stating that perceived integrity strongly impacts consumer trust in brands. Consumers will know how long their products are supported with vital security updates before purchasing, and devices will be harder to break into with up-to-date software and the banning of easily guessable default passwords. This approach will build trust with consumers, better protect all parties from the ever-increasing risk of cyber attacks, and mark a new era for IoT security.
Hima Mukkamala, CEO, Pelion