The IoT represents a new chapter for the technology we use on a regular basis by bringing connective capabilities to billions of devices worldwide. However, with this development comes the question of security. For the large-scale deployment of these devices it’s crucial that consumers are assured the personal data they share with online devices will not be compromised. Indeed, the cybersecurity of these products is now as important as the physical security of our homes.
In 2018, the UK government conducted a review on the issue of securing IoT devices, seeking input from industry leaders, academic figures, and other stakeholders. It then gathered the responses to help identify what the rights and responsibilities of consumers and businesses regarding IoT security should be. The result of the review led to the government publishing the Code of Practice for Consumer IoT Security to set out some guidelines to all parties involved in the development, manufacturing and retail of consumer connected devices.
Although this code helped to instill a sense of confidence among businesses and consumers, it was not compulsory to adopt the suggestions, meaning irresponsible manufacturers were not obligated to change their ways. As a result, the UK government recently published a new statement in which it said that “despite providing industry with these tools to help address security in IoT, we continue to see significant shortcomings in many products on the market.”
To combat this problem the government now intends to make three security requirements mandatory. These include:
- Providing unique passwords at sale that are not resettable to any universal factory setting
- Ensuring there’s a public point of contact for cybersecurity issues relating to the device
- Stating clearly via labels how secure the device is and for how long security updates would be made available
The attraction of these initial requirements lies in that they are easy to implement and enforce and would protect consumers and businesses from the security risks associated with these devices. Currently, for example, as many as one third of IoT attacks abuse weak passwords, so even creating legislation to combat this basic issue will be highly beneficial. The UK government is also looking at creating a compulsory labeling system to tell the consumer exactly how secure the device is. As it stands, however, the onus of this would be on the manufacturer providing the relevant label and it is currently not clear how many of the Code of Practice guidelines a device would have to conform to in order to be sold.
IoT Security is key to gain and retain consumer trust on privacy and to fulfill the full potential of the IoT promise. We are committed to provide leading edge IoT security solutions and services that protect connected devices – from the design and manufacturing stages, through to their entire lifecycle, guarding devices and data against cyberattacks.
We load unique, diversified IDs and security certificates in the cellular modules that will allow future devices to connect to the network. This means that security is built into the roots of connected devices, at the manufacturing stage, to avoid device cloning or ID theft. An advanced security lifecycle management tool is made available, to remotely manage devices, activate or revoke credentials, and ensure that the data sent by the devices goes to the right entities, without manipulation. Our cybersecurity solution is in line with what the UK IoT legislation is proposing.
Often overlooked, managing the lifecycle of security components across the device and cloud spectrum is a critical element for a robust and long-term digital security strategy. Security is not a one-off activity, but an evolving part of the IoT ecosystem, helping to cope with both new regulations and new kind of cyberthreats that will necessarily occur in the next years.
One of the key tenets of IoT security is that it must be a consideration at the very beginning of the design process, with the right expert knowledge brought in as early as possible. The latter the process of assessing, testing and hardening of IoT solutions is left, the more difficult and costly it is to get right.
It’s great to see that with this legislation the UK government is encouraging manufacturers to consider security from the start of the design and built processes. Hopefully, this would also encourage other governments to consider similar legislation as IoT security to help install a sense of confidence among businesses and consumers.
What do you think about the UK Code of Practice? Let us know in the comments below or by tweeting to us @Gemalto.