May 10, 2022 (updated 25 Jul 2022 5:10am)

UK’s new law on connected device security is long overdue

The Product Security and Telecommunications Infrastructure bill should prompt higher levels of device security.

By Ryan Morrison

Internet of Things (IoT) device manufacturers will have to ensure their products meet a minimum security standard under new legislation, the Product Security and Telecommunications Infrastructure (PSTI) bill, announced by the government today as part of the Queen’s Speech. The introduction of such rules around connected device security is long overdue according to experts.

[Photo] Prince Charles, accompanied by Prince William, arrives for today’s Queen’s Speech. Among the policies announced was a bill mandating better security for IoT devices. (Photo by Hannah McKay – WPA Pool/Getty Images)

The bill, which was originally set to be announced during the State Opening of Parliament in January, was confirmed today during the Queen’s Speech, which was delivered in Parliament by Prince Charles.

What does the PSTI bill say about connected device security?

There are three key requirements manufacturers have to adhere to under PSTI: a ban on universal default passwords (the same factory credential shipped on every unit), a requirement to state how long security updates will be provided after a device is launched, and a requirement to provide a point of contact through which security researchers can report vulnerabilities.

A study by Gartner found that in the past three years, 20% of organisations have suffered a cyberattack on an IoT device attached to their network, and the number of devices is expected to reach 27 billion by 2025, according to a report by IoT Analytics.

Security for IoT devices has so far been largely ignored by manufacturers, according to James Bore, security specialist and director of the Bores Group, who told Tech Monitor the new legislation was an important step in protecting consumers and businesses. 

“The three key requirements being brought in seem obvious to many in the security industry, but very few IoT manufacturers have chosen to voluntarily follow these recommendations as the consequences have only ever impacted customers or users, never themselves," Bore explains.

Bore said the bill is likely to improve security worldwide. "It is cheaper and easier for a manufacturer to design all devices to generate secure passwords, rather than only those to be sent to a particular area [like the UK]," he explains. “If you are telling anyone how long you will be providing security patches for software, you may as well tell everyone, and if you have any channels for researchers to report security flaws then in today's connected world they're not restricted by geography.”


What is the cost of IoT device cyberattacks?

According to Kaspersky, there were 1.5 billion attacks on IoT devices in the first half of 2021 alone, with the company stating that security is an "afterthought for device manufacturers".

It is estimated these attacks could cost the global economy £1bn annually through the loss of personal data, as well as devices being used to launch attacks on businesses, governments and infrastructure.

Currently, there are no security requirements in place for connectable products including smart TVs, smartphones, speakers and headphones. Many ship with a universal default password that consumers rarely change, leaving them easy targets for attackers and a foothold into the rest of a corporate or home network.
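The default-password requirement is easiest to see as code. The following is an added example, not code from Tech Monitor, the UK government or any manufacturer: it places the anti-pattern PSTI rules out (every unit leaving the factory with the same credential) beside a hardened provisioning routine that generates a unique password per unit, stores only a salted PBKDF2 hash, and audits a production batch for universal defaults and credentials shared between units. The device serials, the denylist and the parameter choices are constructed assumptions for illustration.

```python
"""Per-device credential provisioning: the universal-default anti-pattern
beside a hardened replacement, plus a batch audit.

Added example for illustration only; not the page's or any vendor's code.
Serial numbers, the denylist and the PBKDF2 settings are constructed assumptions.
"""
import hashlib
import hmac
import secrets
import string
from typing import Optional

# Constructed denylist of credentials known to ship identically on every unit.
# A real deployment would maintain its own, much longer list.
UNIVERSAL_DEFAULTS = {"admin", "password", "12345", "1234", "default", "root"}

PBKDF2_ITERATIONS = 600_000          # assumed work factor for PBKDF2-HMAC-SHA256
PASSWORD_ALPHABET = string.ascii_letters + string.digits


def weak_provision(serial: str) -> dict:
    """The anti-pattern: every unit gets the same factory credential."""
    return {"serial": serial, "username": "admin", "password": "admin"}


def generate_device_password(length: int = 16) -> str:
    """Per-unit random password from the OS CSPRNG; never derived from the serial."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def hardened_provision(serial: str) -> tuple:
    """Unique credential per unit; the device stores only the salted hash.
    The clear-text password is returned once, to be printed on the unit's label."""
    password = generate_device_password()
    salt, digest = hash_password(password)
    record = {"serial": serial, "username": "admin", "salt": salt, "pw_hash": digest}
    return record, password


def verify_login(record: dict, password: str) -> bool:
    """Constant-time comparison against the stored hash."""
    _, digest = hash_password(password, record["salt"])
    return hmac.compare_digest(digest, record["pw_hash"])


def is_universal_default(password: str) -> bool:
    return password.lower() in UNIVERSAL_DEFAULTS


def audit_batch(batch: list) -> list:
    """Findings for a production batch of (serial, clear-text password) pairs:
    universal defaults, and any password reused between two units."""
    findings = []
    seen = {}
    for serial, pw in batch:
        if is_universal_default(pw):
            findings.append(f"{serial}: universal default credential")
        if pw in seen:
            findings.append(f"{serial}: password shared with {seen[pw]}")
        else:
            seen[pw] = serial
    return findings


if __name__ == "__main__":
    serials = ["SN0001", "SN0002", "SN0003"]          # constructed sample serials
    weak_batch = [(s, weak_provision(s)["password"]) for s in serials]
    print("weak batch findings:", audit_batch(weak_batch))

    hardened_batch = []
    for s in serials:
        record, pw = hardened_provision(s)
        assert verify_login(record, pw) and not verify_login(record, pw + "x")
        hardened_batch.append((s, pw))
    print("hardened batch findings:", audit_batch(hardened_batch))
```

The audit deliberately flags shared credentials as well as denylisted ones, because a password that is merely unusual but identical across a production run is still a universal default in the sense the bill targets.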

Jake Moore, global cybersecurity advisor at ESET, says: “Banning default passwords is only the first step into making IoT safe from low-hanging cyberattacks. Devices require constant updates to stay protected against inevitable bugs that will be located."

What does the PSTI bill mean for businesses?

The National Cyber Security Centre (NCSC) today issued a set of guidelines on how it would interpret the application of the bill, particularly for connected device security within the enterprise environment.

"With so many technologies and solutions out there, we realise that providing a prescriptive ‘this is how you do x’ document is a far cry from how things actually work," a blog post from the agency reads.

"If we told you how to do things and said this is the only way you can do it, we’d stifle innovation and have the impossible task of producing guidance for every individual use case. So instead, the NCSC technology assurance principles allow for different ways to achieve an overall security goal, by providing the organisations with the tools to define their own risks."

Bore argues that whether the law has the desired impact will depend a lot on the effectiveness and efficiency of enforcement. “We have seen this with GDPR and the NIS regulations (General Data Protection Regulation and Network and Information Systems Regulations, respectively) not being enforced effectively, with many organisations, especially smaller businesses, still barely being aware of or understanding their responsibilities under GDPR," he says.

The government has also announced plans to reform the UK's version of the EU GDPR legislation, with a draft bill expected to be revealed in the summer.

The PSTI bill's impact on UK broadband infrastructure

The PSTI bill goes beyond protecting IoT devices. It also aims to improve the spread and resilience of the UK internet infrastructure, including wider 5G coverage and ensuring 85% of the country has access to gigabit-capable broadband by 2025. As reported by Tech Monitor, the limits of current copper cable infrastructure are being reached, with the network being transitioned to fibre cables instead.

The bill could act as a critical building block in the development of future-proofed broadband, which will be a "vital backbone of the country’s economy," says Katie Diacon, TMT cyber lead and head of corporates resilience at KPMG.

“It will help move that investment forward and bring additional benefits such as increasing competition and setting out companies’ rights when installing new infrastructure," Diacon says. "Having spoken to both large and small telcos, they are keen that the new legislation has the desired effect and includes some clarity around elements such as consistent standards and timelines.”

