Cyber Security Regulations For Smart Devices

Uploaded on 2022-02-16 in GOVERNMENT-National, FREE TO VIEW, BUSINESS-Services-Law

The British government has introduced new legislation to Parliament that aims to better protect consumers’ IoT devices from hackers. The Culture Secretary Nadine Dorries has begun the debate on new law to strengthen cyber protections for people’s smartphones, TVs, speakers, routers and digital devices.

The proposed Product Security and Telecoms Infrastructure Bill (PSTI) places new cyber security standards on manufacturers, importers and distributors of Internet-connectable devices, such as phones, tablets, smart TVs and fitness trackers. The legislation will also apply to products that can connect to multiple other devices but not directly to the Internet, like smart light bulbs and smart thermostats.

These requirements include banning universal default passwords, forcing firms to be transparent about actions they are taking to fix security flaws in their products and creating a better public reporting system for any vulnerabilities discovered. In addition, these companies will have a duty to investigate compliance failures, produce statements of compliance and maintain appropriate records of this.

Failure to comply could result in heavy fines issued by a new regulator of up to £10m of 4% of their global turnover, as well as up to £20,000 a day in the case of an ongoing contravention. 

The regulator will also be given the power to require firms to comply with the security requirements, recall their products or stop selling or supplying them altogether. The legislation will empower the government to mandate further security requirements as new threats emerge. It will place new cyber security requirements on the manufacturers and sellers of consumer tech which can connect to the Internet or other devices. Manufacturers will have to be more transparent to customers about the length of time products will receive security updates for connectable products and create a better public reporting system for vulnerabilities found in those products.

The PSTI legislation will apply to ‘connectable’ products. This includes all devices which can access the Internet such as smartphones, smart TVs, games consoles, security cameras and alarm systems, smart toys and baby monitors, smart home hubs and voice-activated assistants, as well as smart home appliances like washing machines and fridges. It also applies to products which can connect to multiple other devices but not directly to the Internet. 

The bill will give ministers powers to put new requirements on the manufacturers, importers and distributors of consumer tech devices. These include:

  • Banning universal default passwords which are pre-set on devices - such as ‘password’ or ‘admin’ - and are an easy target for cyber criminals. Any preloaded product passwords will need to be unique and not resettable to universal factory settings.
  • Requiring device manufacturers to be transparent with consumers about how long they’ll provide security updates for products so people are clearer when they buy. If a product will not receive any security updates the customer must be informed.
  • Ensuring manufacturers have a readily available public point of contact to make it easier for software flaws and bugs to be reported.
  • The bill will also speed up the roll out of faster and more reliable broadband and mobile networks by making it easier for operators to upgrade and share infrastructure. 

A new regulatory organisation will be set up oversee the new cyber security regime and ensure that businesses comply with the measures in place. It will have the power to issue notices to companies requiring they comply with the security requirements, recall insecure products or stop selling or supplying them altogether.

The PSTI regulator will have enforcement powers to levy GDPR-style penalties and companies that fail to comply could be fined £10 million or 4% of their annual revenue, as well as up to £20,000 a day in the case of an ongoing contravention.

Matthew Evans, Director of Markets, TechUK commented: “Industry has long supported the shared ambition to improve the cyber resilience of devices and has worked with government across the Secure-By-Design agenda over the last five years... Most suppliers already adhere to the principles of the legislation and if implemented practically this will both protect consumers and ensure they have access to a wide range of connected devices.” 

The PSTI bill  has been broadly welcomed and the ban on default passwords especially has been widely commended by the cyber security industry as a “common sense” measure. However, criticism has been levelled against some measures, including  the ban on easy-to-guess passwords, as not having been haven’t been thought through and could potentially create new opportunities for threat actors to exploit.

The PSTI does encompass vehicles, smart meters, medical devices, and desktop or laptop computers that connect to the Internet, has given IoT manufacturers 12 months to change their working practices, which means that for the next year, many will continue to churn out inexpensive devices that might not adhere to the most basic of security standards.

The government described it as "a significant step" to protect the UK from hostile activity from both state actors or criminals.

Gov.UK:      Endgadget:    BBC:      Finacial Accountant:    Infosecurity Magazine:     Public Technology:     

DevOps Online:      Techcrunch:   

You Might Also Read:   

Britain's Cyber Security Strategy Focuses On Resilience:

 

« Qbot Malware Can Read Your Email
Ukraine Defence Ministry & Banks Under Cyber Attack »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Juniper Networks

Juniper Networks

Juniper Networks is the industry leader in network innovation. We provide network infrastructure and network security solutions.

Australian Cyber Security Growth Network (AustCyber)

Australian Cyber Security Growth Network (AustCyber)

AustCyber brings together businesses and researchers to develop the next generation of cyber security products and services.

Subex

Subex

Subex leverages its award-winning telecom analytics solutions in areas such as Revenue Assurance, Fraud Management, Asset Assurance and Partner Management, and IoT Security.

TI Safe

TI Safe

TI Safe provide cybersecurity solutions for industrial networks of main critical infrastructures in Latin America.

Armorblox

Armorblox

Armorblox stops targeted email attacks such as 0-day credential phishing, payroll fraud, vendor fraud, and other threats that get past legacy security controls.

Simility

Simility

Simility's multi-layered fraud detection solution uses superior machine learning & device intelligence technology to safeguard your online businesses.

Corsa Security

Corsa Security

Corsa Security is leading the transformation of network security with a private cloud approach that helps scale network security services with unwavering performance and flexibility.

ScorpionShield

ScorpionShield

ScorpionShield CyberSecurity is an EC-Council Accredited Training Center, and an On-Demand Service for Cybersecurity professionals.

Hyperproof

Hyperproof

Hyperproof is a cloud-based compliance operations software. Launch new programs immediately, collect evidence automatically, and manage a compliance program intelligently.

IgmGuru

IgmGuru

Igmguru offers certification online training courses for IT professionals and students. Get certified with high-in-demand job-oriented professional courses.

Serbus

Serbus

Serbus Secure is a fully managed suite of secure communication, enterprise mobility and mobile device security tools.

Alethea

Alethea

Alethea is a technology company helping companies, nonprofits, and democracies protect themselves from harms stemming from disinformation and social media manipulation.

Anatomy IT

Anatomy IT

Anatomy IT empowers healthcare providers to deliver exceptional patient care with cutting-edge technology and cybersecurity solutions.

TeamT5

TeamT5

TeamT5 Inc. is a leading cybersecurity company dedicated to cyber threat research and solutions.

When Group

When Group

World Health Energy Holdings, Inc. (d/b/a WHEN Group) is a High Tech Holding Company that specializes in the Cyber, Security and Telecom area.

Cyber Brain Academy

Cyber Brain Academy

At Cyber Brain Academy, our mission is to provide high-quality IT certification training for the cyber security workforce.