The new regulations involve ensuring that all connected IoT devices are secure and protected against cyber attacks.
Laid out by the Department for Digital, Culture, Media and Sport (DCMS), the regulations mean that companies must adhere to the following requirements:
- All passwords for devices connected to the Internet must be unique and not resettable to factory settings;
- Device manufacturers must publicly provide contact details so that vulnerabilities can be reported and acted on ‘in a timely manner’;
- Device manufacturers must explicitly state minimum time frames for security updates either in store or online.
“We want to make the UK the safest place to be online with pro-innovation regulation that breeds confidence in modern technology,” said digital minister Matt Warman.
“Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety.
Integrating IoT with blockchain: a trust and security game changer
“It will mean robust security standards are built in from the design stage and not bolted on as an afterthought.”
Cracking down
The UK government had previously brought in a ‘Secure by Design Code of Practice’ for IoT device providers, but this was voluntary and had no penalties for those who didn’t comply.
“The Government’s voluntary code of practice announced in October 2018 was a step in the right direction at improving IoT security but being voluntary its influence was always likely to be limited, particularly given that so many devices are manufactured outside of the UK,” said CTO of Redscan, Mark Nicholls. “Enshrining a core set of IoT security requirements now is undoubtedly positive, but more will need to be done over the longer term, particularly at an international level, for improvements to be more extensive.
“Due to the fact that the majority of IoT devices are small, many are shipped with software written in common languages such as C or C++. As a result of this, devices can be more susceptible to problems like memory leakage.
“Many organisations that use IoT devices also risk a failure to comply with data protection laws. Many IoT devices have limited on-board processing capabilities and rely on transferring data to the cloud for analysis.
“In specific relation to the GDPR, use of IoT devices creates complications around data processing, consent, the ‘right to be forgotten’ and breach reporting.”
It’s predicted that 75 billion IoT devices will be in use globally by 2025.
Security policies need a rethink
Due to the change in regulations, companies can’t afford to take the security of their data out of their hands, and may need to rethink their security policies to ensure that they are compatible with the new regulations.
The comprehensive IT security guide for CIOs and CTOs
“The implication for companies that use IoT is that any project or deployment may need to include a robust security policy and a rigorous process to track activities and potential breaches, in line with enterprise security best practice already in place for Wide Area and Local Area Networks,” said Nick Sacke, head of products and IoT at Comms365.
“It shows that IoT technology is receiving proper scrutiny and advancing to becoming an integral part of everyday business operations, with all the opportunities and risks that this entails.”