UK IoT Cybersecurity Bill: Is It Fit For Purpose?

The Proliferation of IoT Devices and Rising Cybersecurity Concerns
Internet of Things (IoT) devices – encompassing everyday electronics such as fitness trackers and smart lighting systems that establish internet connections – have become integral to modern life for a significant portion of the population.
Despite their convenience, cybersecurity vulnerabilities persist and, according to Kaspersky, are intensifying. The antivirus provider reported 1.5 billion security breaches involving IoT devices in the first half of 2021 alone, nearly doubling the 639 million breaches recorded throughout all of 2021.
New UK Legislation: The Product Security and Telecommunications Infrastructure Bill
This increase in breaches is largely attributable to a historical lack of security prioritization by manufacturers of typically low-cost devices. These devices often ship with easily guessable or default passwords and incorporate insecure components from third-party sources.
In response to these growing threats, the U.K. government recently introduced the Product Security and Telecommunications Infrastructure (PSTI) bill to Parliament. This legislation mandates that IoT manufacturers, importers, and distributors adhere to specific cybersecurity standards.
Key Security Standards Outlined in the Bill
The bill focuses on three core areas of minimum security requirements. Firstly, it prohibits the use of universal default passwords – like “password” or “admin” – commonly pre-set in factory settings and easily compromised.
Secondly, manufacturers are required to establish a publicly accessible point of contact. This will streamline the process for reporting security vulnerabilities.
Finally, IoT manufacturers must inform customers about the minimum duration for which a product will receive essential security updates.
Enforcement and Potential Penalties
An as-yet-unspecified regulatory body will oversee the implementation of this new cybersecurity framework. This regulator will possess the authority to impose penalties mirroring those under GDPR.
Non-compliance with the PSTI could result in fines of up to £10 million or 4% of a company’s annual revenue. Ongoing violations could incur daily penalties of up to £20,000.
Industry Reaction: A Step in the Right Direction, But Not Without Concerns
The PSTI bill is generally viewed as a positive development, with the ban on default passwords receiving widespread praise from the cybersecurity community as a sensible measure.
Rodolphe Harand, managing director at YesWeHack, stated that implementing unique passwords provided by manufacturers will add an extra layer of protection. He emphasized the importance of basic cyber hygiene, such as changing default passwords, in enhancing device security.
However, some experts argue that certain aspects of the bill, particularly the prohibition of easily guessable passwords, may not have been fully considered and could inadvertently create new vulnerabilities.
Potential Challenges and Unforeseen Consequences
Matt Middleton-Leal, managing director at Qualys, questioned who would be responsible for managing private passwords assigned to each device. He highlighted the common issue of users forgetting passwords and the difficulties technicians might face accessing devices for repair.
Concerns were also raised regarding the mandatory product vulnerability disclosure. While the principle of allowing security researchers to privately report flaws is sound, the bill does not mandate that these vulnerabilities be addressed before public disclosure.
Middleton-Leal cautioned that publicizing vulnerabilities could attract malicious actors and focus their efforts on exploitation.
The Need for a Holistic Approach to IoT Security
John Goodacre, director of UKRI’s Digital Security by Design, echoed these concerns, stating that the policy acknowledges the ongoing existence of vulnerabilities even in well-protected technologies. He emphasized the need to move beyond simply patching flaws after they are discovered and focus on preventing them at the foundational level.
The requirement for manufacturers to specify the duration of security updates also drew criticism, with fears that it could incentivize them to lower prices as devices approach end-of-life, potentially leading consumers to purchase devices with limited security support.
Concerns Regarding Enforcement and Global Manufacturing
Some critics believe the U.K. government is not acting swiftly enough. The bill excludes vehicles, smart meters, medical devices, and traditional computers, and grants IoT manufacturers 12 months to adapt their practices. This means that many will likely continue to produce inexpensive, potentially insecure devices for the foreseeable future.
Kim Bromley, a senior cyber threat intelligence analyst at Digital Shadows, suggested that manufacturers may prioritize speed to market over security to maintain profitability.
Bromley also expressed concerns about enforcing the regulations against manufacturers based in mainland China, citing the availability of cheaper products that may not comply with U.K. legislation. He noted the challenges faced by U.K. resellers who rely on PRC-manufactured products.
Looking Ahead: Flexibility and Continuous Improvement
The ultimate solution remains elusive, but cybersecurity experts generally agree that the U.K. government must adopt a flexible approach to IoT security. It is crucial to avoid focusing solely on past and present issues and instead anticipate future challenges.
Amanda Finch, CEO of the Chartered Institute of Information Security (CIISec), emphasized that attackers and malicious actors are constantly evolving. She stressed that the bill should be viewed as one step in an ongoing process of review and refinement, rather than a definitive solution.