A new piece of legislation on consumer IoT security was proposed this week by Digital Minister Margot James, aimed at making all connected devices secure against cyber attacks 'by design'.
The consultation, which is scheduled to run until 5 June 2019, is open to device manufacturers, IoT service providers, mobile application developers, retailers, academics, technical experts and anyone with an interest in consumer IoT security.
According to the UK government, the aim of the proposed regulation is to ensure that effective security is built into products from the design stage.
In October 2018 the government published an IoT security Code of Practice, which recognised that a significant number of connected products still lack basic security; that finding led to the current proposal for legislation.
The consultation includes three options that have been developed in partnership with industry experts and stakeholders. These include a mandatory new labelling scheme where all devices sold in the UK, such as smart TVs and appliances, will be marked as 'secure'.
There will also be a set of common guidelines and a code of practice, including a requirement that every IoT product ship with a unique password that cannot be reset to any universal factory default.
It also asks that manufacturers provide a public point of contact for reporting security vulnerabilities, and that they state the minimum period for which a product will receive regular security updates.
Many organisations across the UK have voiced their opinions on the proposed legislation, with a significant number backing the proposal.
“Having an industry standard requirement that all connected products must adhere to would make all items available to purchase much safer when used in homes across the country. The labelling system that is proposed can only enhance this, allowing consumers to easily check if smart devices are compliant,” David Emm, principal security researcher at Kaspersky Lab UK, said.
“This is a very positive step in making sure consumers are safeguarded, and much better equipped, than they have ever been before. For too long there has been a neglectful attitude towards customer protection, and with billions upon billions of connected devices operating every day around the world, it’s reassuring to see that action is finally being taken,” he added.
What it means
As it stands the proposals for implementation include three options:
Option A: Mandate that retailers only sell consumer IoT products that carry the IoT security label, with manufacturers self-assessing and applying the security label to their consumer IoT products.
Option B: Mandate that retailers only sell consumer IoT products that adhere to the top three guidelines of the Code of Practice for IoT Security, with manufacturers self-assessing that their consumer IoT products meet those three guidelines.
Option C: Mandate that retailers only sell consumer IoT products carrying a label that evidences compliance with all 13 guidelines of the Code of Practice, with manufacturers self-assessing and ensuring that the label appears on the appropriate product packaging.
Currently, option A has garnered the most support of the three proposals, reflecting a belief within the Department for Digital, Culture, Media & Sport (DCMS) that product labels are the best way to improve transparency in the sector.
“Organisations play a fundamental role in protecting the data and privacy of their customers and they must work on the basis that cyber criminals are willing to exploit every avenue possible to try and successfully breach environments,” Paul McVatt, senior threat and intelligence manager at Fujitsu EMEIA, said.
“By adopting a privacy and ‘security by design’ approach, IoT manufacturers can ensure they adequately protect their customers, providing them with a level of assurance and confidence when purchasing their products,” he added.
According to the consultation, the DCMS has already put forward a label design developed in partnership with a working group that includes the PETRAS academic consortium.
It is proposed that the label have both a 'positive' form (for products that meet the requirements) and a 'negative' form (for those that do not), but the DCMS is open to feedback on the design before the label launches as a voluntary scheme later in the year.
The UK government will make a final decision on which proposals go forward into legislation based on the public responses. This will be either one of the above options or a combination of them.
This will be updated as the legislation makes its way through Parliament.