The UK government has introduced the Product Security and Telecommunications Infrastructure (PSTI) bill, which aims to make consumer IoT devices more secure and to protect the people who buy them.
As manufacturers seek to keep pace with the demand for IoT devices, security is too often an afterthought.
Julia Lopez, Minister for Media, Data, and Digital Infrastructure, said, “Every day, hackers attempt to break into people’s smart devices. Most of us assume if a product is for sale, it’s safe and secure. Yet many are not, putting too many of us at risk of fraud and theft. Our bill will put a firewall around everyday tech from phones and thermostats to dishwashers, baby monitors and doorbells, and see huge fines for those who fall foul of tough new security standards.”
Ian Levy, Technical Director of the National Cyber Security Centre, commented, “I am delighted by the introduction of this bill which will ensure the security of connected consumer devices and hold device manufacturers to account for upholding basic cyber security.
The requirements this bill introduces – which were developed jointly by DCMS and the NCSC with industry consultation – mark the start of the journey to ensure that connected devices on the market meet a security standard that’s recognized as good practice.”
However, the bill isn’t without its critics.
Martin Tyley, Head of Cyber at KPMG UK, said, “With companies currently facing a plethora of cyber risks, the PSTI bill simply adds another task to CISOs’ ever-growing list of to-dos. Manufacturers are already struggling to stave off threat actors and comply with existing legislation – adding another regulation into the mix will only further overwhelm them. Therefore, I believe that all cyber security regulations and legislation must come with accompanying guidelines and support for the industries expected to comply with them.
Regulators and the UK Government have a view of the cyber threats these organizations face that goes well beyond what any one player in the industry could expect to understand. There is, therefore, a responsibility to explain why it’s coming into effect and how to consider its implications.
We could end up seeing CISOs having no choice but to comply with these new IoT security rules on an individual basis, rather than thinking about their security posture more holistically. This could end up threatening their customer relationships, profit potential and market position if they aren’t well-prepared for the future.
This will be most damaging for smaller organizations that do not have the funds to invest even more into their cyber security function. It is these manufacturers who will miss the mark on product security and privacy and may risk losing market share to competitors who get it right.”
Recruiting a device into a botnet rarely takes a seasoned hacker: attackers scan the internet for exposed devices and try a short list of factory-default usernames and passwords, which is how the Mirai botnet was assembled.
The PSTI bill bans universal default passwords. Every device must ship with a password that is either unique to that device or set by the user, and it must not be resettable to a default value shared across a product line.
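As an added illustration of the default-password requirement (this is example code, not part of the article or of any manufacturer's provisioning process), the script below audits a batch of devices for two violations: a credential that appears on a known-default list of the kind botnets spray, and a password reused across devices, which is a universal default whether or not it is on any list. It also shows one way a manufacturer could derive a unique factory password per device from a batch secret and the serial number using HMAC-SHA256. The default-credential list, the batch secret and the sample batch are constructed for the example, and the derivation scheme is an assumption about a provisioning design, not something the bill prescribes.

```python
import base64
import hashlib
import hmac
from collections import Counter

# Constructed, illustrative list of universal default credentials of the
# kind credential-spraying botnets try. Not complete or authoritative.
KNOWN_DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("root", "root"),
    ("root", "admin"),
    ("root", "12345"),
    ("user", "user"),
    ("support", "support"),
}


def derive_device_password(batch_secret: bytes, serial: str, length: int = 16) -> str:
    """Derive a per-device factory password from a manufacturer-held batch
    secret and the device serial number.

    Hypothetical provisioning design (an assumption for this example):
    HMAC-SHA256 keyed with the batch secret means no two serials share a
    password, and the password cannot be recovered from the serial alone.
    """
    digest = hmac.new(batch_secret, serial.encode("utf-8"), hashlib.sha256).digest()
    # Base32 without padding: 16 characters carry ~80 bits of entropy and
    # are readable on a printed label.
    return base64.b32encode(digest).decode("ascii").rstrip("=")[:length]


def audit_batch(devices):
    """Audit a batch of (serial, username, password) tuples.

    Returns a dict with two lists of serials:
      'known_default' - credential appears on the known-default list
      'shared'        - password is reused across devices in the batch,
                        i.e. a universal default even if not on the list
    """
    findings = {"known_default": [], "shared": []}
    password_counts = Counter(pw for _, _, pw in devices)
    for serial, user, pw in devices:
        if (user, pw) in KNOWN_DEFAULT_CREDENTIALS:
            findings["known_default"].append(serial)
        if password_counts[pw] > 1:
            findings["shared"].append(serial)
    return findings


if __name__ == "__main__":
    # Constructed sample batch: two devices ship with a listed default,
    # two share an unlisted password, two carry derived unique passwords.
    secret = b"example-batch-secret-do-not-use"  # placeholder, not a real key
    batch = [
        ("SN-0001", "admin", "admin"),
        ("SN-0002", "admin", "admin"),
        ("SN-0003", "admin", "Welcome1"),
        ("SN-0004", "admin", "Welcome1"),
        ("SN-0005", "admin", derive_device_password(secret, "SN-0005")),
        ("SN-0006", "admin", derive_device_password(secret, "SN-0006")),
    ]
    print(audit_batch(batch))
```

The duplicate check is the one that matters most in practice: a product line can avoid every published default list and still ship one password on every unit, which an attacker only has to read off a single device.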
Once the bill receives Royal Assent, the manufacturers, importers and distributors it covers will have at least 12 months to comply with the new rules.