Regulatory proposal on mandatory IoT security label

Retailers would only be able to sell items carrying an Internet of Things (IoT) security label that tells consumers how secure their products are.

The Department for Digital, Culture, Media and Sport (DCMS) is consulting on regulatory proposals for consumer Internet of Things (IoT) security, including the option of a mandatory new IoT security label.

DCMS has consulted with experts at the National Cyber Security Centre (NCSC) and across the public and private sector to determine which aspects of the Code of Practice for Consumer IoT Security should be made mandatory in the first instance, balancing the need to deliver an effective baseline that protects consumers whilst also minimising the additional burden on industry.

Following the consultation, the security label will initially be launched as a voluntary scheme to help consumers identify products that have basic security features and those that don’t.

Digital Minister Margot James said: “Many consumer products that are connected to the internet are often found to be insecure, putting consumers’ privacy and security at risk. Our Code of Practice was the first step towards making sure that products have security features built in from the design stage and not bolted on as an afterthought.

“These new proposals will help to improve the safety of Internet-connected devices and are another milestone in our bid to be a global leader in online safety.”

Risk for the wider economy

The UK government takes the issue of consumer IoT security very seriously, according to the DCMS.

The press release from DCMS says: “As the technological advances of the 21st century continue to accelerate, consumers are bringing more and more ‘smart’ devices (i.e. consumer IoT products) into their homes, such as smart TVs, internet connected toys, smart speakers and smart washing machines. The Internet of Things (IoT, also known as ‘internet-connected’ or ‘smart’ products) is already being used across a range of industries and it is delivering significant benefits to the lives of its users.

“In the future the number of more developed consumer Internet of Things products and services will increase. These devices will be able to anticipate and meet their users’ needs and will be able to tailor information specifically to them across everything from home energy to security. This will offer users the opportunity to live more fulfilling lives; saving time, effort and money.

“As with all new technologies, there are risks. Right now, there are a large number of consumer IoT devices sold to consumers that lack even basic cyber security provisions. This situation is untenable. Often these vulnerable devices become the weakest point in an individual’s network, and can undermine a user’s privacy and personal safety. Compromised devices at scale can also pose a risk for the wider economy through distributed denial of service (DDoS) attacks such as the Mirai botnet in October 2016.”

Mirai scans the internet for IoT devices that run on the ARC processor, which typically runs a stripped-down version of the Linux operating system. If the device’s default username and password have not been changed, Mirai can log into it and infect it, adding it to the botnet.

The Mirai botnet used a hundred thousand hijacked IoT devices to bring down the DNS provider Dyn.

Lack of transparency

DCMS has previously stated that its preferred approach is for industry to self-regulate to address these issues, but that it would consider regulation where necessary. In October 2018 it published a Code of Practice for IoT Security, alongside accompanying guidance, to help industry implement good security practices for consumer IoT.

Despite providing industry with these tools to help address these issues, DCMS continues to see significant shortcomings in many products on the market.

DCMS recognises that security is an important consideration for consumers. A recent survey of 6,482 consumers showed that when purchasing a new consumer IoT product, ‘security’ is the third most important information category (ranked higher than privacy or design), and among those who did not rank ‘security’ as a top-four consideration, 72% said they expected security to already be built into devices on the market. It is clear that there is currently a gap between what consumers think they are buying and what they are actually buying.

There is a need to restore transparency within the market, and to ensure manufacturers are clear and transparent with consumers by sharing important information about the cyber security of a device, meaning users can make more informed purchasing decisions.

Mandates for the retailers

One of the core aims of the consultation is to listen to feedback on the various implementation options DCMS has developed in partnership with industry and stakeholders. These include the following three options:

  • Mandate retailers to only sell consumer IoT products that carry the IoT security label, with manufacturers to self-declare compliance and apply the security label to their consumer IoT products
  • Mandate retailers to only sell consumer IoT products that adhere to the top three guidelines, with the burden on manufacturers to self-declare that their consumer IoT products adhere to the top three guidelines of the Code of Practice for IoT Security and ETSI TS 103 645
  • Mandate that retailers only sell consumer IoT products with a label that evidences compliance with all 13 guidelines of the Code of Practice, with manufacturers expected to self-declare compliance and to ensure that the label appears on the appropriate packaging

Later this year, the security label will initially be run on a voluntary basis until regulation comes into force. The government will decide which measures to take forward into legislation after analysing the responses received through this consultation.

Any regulation will need to mature over time; additional information on this approach is set out in the consultation-stage impact assessment, ‘Mandating security requirements for consumer IoT products’.

Not long ago, the House of Lords Communications Committee recommended a new regulatory framework for digital services in the UK as part of the government’s Internet Safety Strategy.

Protecting both businesses and consumers

Cyber security plays an important role if consumers and businesses are to reap the benefits of IoT devices.

Peter Carlisle, Vice President at nCipher Security, said: “Consumers and businesses are discovering and benefiting from the opportunities the IoT provides each day. Yet, IoT devices have also become one of the most vulnerable entry points for attackers. The IoT exposes consumers and businesses to new security vulnerabilities due to its increased network connectivity and the devices within it not being secured by design. It is so vast and complex that finding data protection solutions which can span across the entire network, providing scalable encryption key management and not impeding data analytics can be a serious challenge.

“By encouraging ‘Security by Design’ and introducing a new labelling system to tell users whether an IoT device can be trusted, the proposed legislation signals a positive step in the right direction. It could ensure that security is baked into IoT devices, protecting both businesses and consumers from the outset and going a step further than the voluntary ‘code of practice’ announced last year.

“After all, when it comes to cybersecurity, prevention is always better than a cure.”
