Internet of Things (IoT) device manufacturers will have to ensure their products meet a minimum security standard under new legislation, the Product Security and Telecommunications Infrastructure (PSTI) bill, announced by the government today as part of the Queen’s Speech. The introduction of such rules around connected device security is long overdue according to experts.
The bill, which was originally set to be announced during the State Opening of Parliament in January, was confirmed today during the Queen’s Speech, which was delivered in Parliament by Prince Charles.
What does the PSTI bill say about connected device security?
There are three key requirements manufacturers have to adhere to under PSTI: a ban on universal default passwords (the same factory-set password shipped on every unit), a published statement of the minimum period for which security updates will be provided after a device is launched, and a public point of contact through which security researchers and others can report vulnerabilities.
A study by Gartner found that in the past three years, 20% of organisations have suffered a cyberattack on an IoT device attached to their network, and the number of devices is expected to reach 27 billion by 2025, according to a report by IoT Analytics.
Security for IoT devices has so far been largely ignored by manufacturers, according to James Bore, security specialist and director of the Bores Group, who told Tech Monitor the new legislation was an important step in protecting consumers and businesses.
“The three key requirements being brought in seem obvious to many in the security industry, but very few IoT manufacturers have chosen to voluntarily follow these recommendations as the consequences have only ever impacted customers or users, never themselves," Bore explains.
Bore said the bill is likely to improve security worldwide. "It is cheaper and easier for a manufacturer to design all devices to generate secure passwords, rather than only those to be sent to a particular area [like the UK]," he explains. “If you are telling anyone how long you will be providing security patches for software, you may as well tell everyone, and if you have any channels for researchers to report security flaws then in today's connected world they're not restricted by geography.”
What is the cost of IoT device cyberattacks?
According to Kaspersky, there were 1.5 billion attacks on IoT devices in the first half of 2021 alone, with the company stating that security is an "afterthought for device manufacturers".
It is estimated these attacks could cost the global economy £1bn annually through the loss of personal data, as well as devices being used to launch attacks on businesses, governments and infrastructure.
Currently, there are no legally mandated security requirements in place for connectable products such as smart TVs, smartphones, speakers and headphones. Many ship with a factory default password that consumers rarely change, which makes them an easy target for attackers and, once compromised, a foothold into the rest of a corporate or home network.
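As an added example (not code from the article, the government or any manufacturer), the following Python contrasts the provisioning pattern the bill bans with the one it expects. The hypothetical `provision_universal` bakes one password into every unit; `provision_unique` generates a per-unit password from a CSPRNG and stores only a salted hash on the device; `verify` checks a login attempt in constant time; and `shared_passwords` audits a batch of factory provisioning records for a password shared by many units. All function names, the sample serial numbers and the `admin` default are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets
import string

# Hypothetical universal default of the kind the bill bans: the same
# factory-set password baked into every unit of a product line.
UNIVERSAL_DEFAULT = "admin"

ALPHABET = string.ascii_letters + string.digits
PBKDF2_ROUNDS = 200_000


def provision_universal(serial: str) -> dict:
    """Weak pattern: every unit leaves the factory with the same password.
    One leaked manual or one teardown exposes the whole installed base."""
    return {"serial": serial, "password": UNIVERSAL_DEFAULT}


def provision_unique(serial: str, length: int = 16) -> dict:
    """Hardened pattern: a per-unit password from a CSPRNG, generated at the
    factory (or on first boot), printed on the unit's label, and stored on
    the device only as a salted PBKDF2 hash. It is deliberately NOT derived
    from the serial number or MAC address, which an attacker can read or
    predict."""
    password = "".join(secrets.choice(ALPHABET) for _ in range(length))
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {
        "serial": serial,
        "password": password,  # handed to the label printer, not kept in firmware
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify(record: dict, attempt: str) -> bool:
    """Check a login attempt against the stored salted hash in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(record["salt"]), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def shared_passwords(fleet: list, threshold: int = 2) -> dict:
    """Audit of factory provisioning records: return every password that
    appears on `threshold` or more units, i.e. a universal default."""
    counts = {}
    for rec in fleet:
        counts[rec["password"]] = counts.get(rec["password"], 0) + 1
    return {pw: n for pw, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # Constructed sample batch of five units under each provisioning scheme.
    serials = [f"SN-{i:04d}" for i in range(5)]
    print("universal:", shared_passwords([provision_universal(s) for s in serials]))
    print("unique:   ", shared_passwords([provision_unique(s) for s in serials]))
```

The distinction that matters for the ban is unpredictability, not merely uniqueness: a password computed from the serial number or MAC address by a fixed formula is technically different on every unit, but once the formula is recovered from the firmware it is no better than a universal default. That is why the generator draws from `secrets` rather than hashing the serial, and why the audit is run over the factory records, where the cleartext values exist, rather than on the devices, which hold only hashes.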
Jake Moore, global cybersecurity advisor at ESET, says: “Banning default passwords is only the first step into making IoT safe from low-hanging cyberattacks. Devices require constant updates to stay protected against inevitable bugs that will be located."
What does the PSTI bill mean for businesses?
The National Cyber Security Centre (NCSC) today issued a set of guidelines on how it expects the bill to be applied, particularly to connected device security in the enterprise environment.
"With so many technologies and solutions out there, we realise that providing a prescriptive ‘this is how you do x’ document is a far cry from how things actually work," a blog post from the agency reads.
"If we told you how to do things and said this is the only way you can do it, we’d stifle innovation and have the impossible task of producing guidance for every individual use case. So instead, the NCSC technology assurance principles allow for different ways to achieve an overall security goal, by providing the organisations with the tools to define their own risks."
Bore argues that whether the law has the desired impact will depend a lot on the effectiveness and efficiency of enforcement. “We have seen this with GDPR and the NIS regulations (General Data Protection Regulation and Network and Information Systems Regulations, respectively) not being enforced effectively, with many organisations, especially smaller businesses, still barely being aware of or understanding their responsibilities under GDPR," he says.
The government has also announced plans to reform the UK's version of the EU GDPR legislation, with a draft bill expected to be revealed in the summer.
The PSTI bill's impact on UK broadband infrastructure
The PSTI bill goes beyond protecting IoT devices. It also aims to improve the spread and resilience of the UK internet infrastructure, including wider 5G coverage and ensuring 85% of the country has access to gigabit-capable broadband by 2025. As reported by Tech Monitor, the limits of current copper cable infrastructure are being reached, with the network being transitioned to fibre cables instead.
The bill could act as a critical building block in the development of future-proofed broadband, which will be a "vital backbone of the country’s economy," says Katie Diacon, TMT cyber lead and head of corporates resilience at KPMG.
“It will help move that investment forward and bring additional benefits such as increasing competition and setting out companies’ rights when installing new infrastructure," Diacon says. "Having spoken to both large and small telcos, they are keen that the new legislation has the desired effect and includes some clarity around elements such as consistent standards and timelines.”