New Legislation Set to Regulate IoT Security

Feb 3, 2020 9:24:03 AM

IoT devices are forecast to reach an estimated 75 billion worldwide by 2025. IoT is becoming a daily part of people’s lives, from issuing a command to a voice assistant to using cloud-based security measures. With the increased use comes a rising concern about just how vulnerable we are to security breaches. The UK government has recognized this issue and taken steps to address it.

New Legislation Efforts

Plans originally drawn up in 2018 by the Department for Digital, Culture, Media and Sport (DCMS) in the UK are now a proposed law aimed at securing IoT devices. New legislation announced on Monday is designed to increase the security and privacy of millions of users of IoT devices.

UK Minister for Digital and Broadband, Matt Warman, announced that the new law would require manufacturers to follow a strict set of cyber security requirements. “We want to make the UK the safest place to be online with pro-innovation regulation that breeds confidence in modern technology,” he said.

The aim is to prevent hackers from accessing users’ devices, something we have seen happen in a string of incidents involving companies like Ring.

“It will mean robust security standards are built in from the design stage and not bolted on as an afterthought,” Warman added.

Proposed Key Points

The legislation proposed by the DCMS has three key points: all IoT device passwords must be unique to the consumer and cannot be reset to a factory default; IoT manufacturers must provide an easily accessible point of contact for consumers to report a vulnerability, with quick response action from the company; and manufacturers must state a minimum time for which devices will receive security patches after being sold.

The new standards set by the DCMS were developed in partnership with the UK’s National Cyber Security Centre (NCSC), and build upon a Secure by Design code that was first introduced in 2018 as a voluntary practice for manufacturers to take part in.

Nicola Hudson, policy and communications director at the NCSC, is optimistic about what the policy means for consumers. “It will give shoppers increased peace of mind that the technology they are bringing into their homes is safe, and that issues such as pre-set passwords and sudden discontinuation of security updates are a thing of the past,” she said.

IoT Security Outside of the UK

In hopes of setting a higher standard for the IoT industry, the legislation is designed to build in better security measures from the beginning rather than trying to come up with fixes post-production. The code does not apply only to the UK; a globally applicable model has since been established by European standards body ETSI.

For the US, the closest attempt to heighten IoT security is California Senate Bill 327, which would require a “reasonable security feature or features that are appropriate to the nature and function of the device.” The bill became law in January 2020 and caused some commotion in the security industry, which said that it was a step in the right direction but didn’t do enough to regulate IoT devices.

In the past, people have been afraid to purchase or use smart devices. Concerns over the lack of security practices created a barrier between large IoT companies and would-be consumers. With universal baseline requirements in place, IoT security can continue to grow long-term, while also being more conscious of end users.