Val Surgenor: Smart devices to get regulatory baseline security measures?
Val Surgenor takes a timeous look at cybersecurity in the context of smart devices.
The use of smart devices or smart products by both consumers and industry is rapidly advancing and today use of such smart or internet-enabled products in the household is relatively common – think speakers and heating controls to name but a few!
There is however an increasing concern over the security of smart devices, many being potentially vulnerable to cyber-attacks. Recognising what they call “significant shortcomings” in many products on the market, the UK government has stated that there is an “urgent need to move the expectation away from consumers securing their own devices and instead ensuring that strong cybersecurity is built into these products by design.”
With this in mind, the Department for Digital, Culture, Media and Sport (DCMS) announced on 1st May its consultation on regulatory proposals regarding consumer Internet of Things security. The consultation is looking at consumer IoT products – products that are connected to the internet and or your home network and associated services.
Who should be interested in the consultation?
The consultation is targeted at
- the creators of the internet connected product i.e. the IoT Device;
- those that provide the networks, cloud storage and data transfers that facilitate the IoT device;
- mobile app developers offered as a way of interacting with devices as part of the IoT solution.
- retailers of the internet-connected products; and
- consumer groups, academics and technical experts who an interest in IoT.
What does the consultation look at?
The focus of the consultation is on three guidelines taken from the “Code of Practice for Consumer IoT security which was published back in October, namely:
- IoT device passwords must be unique and not resettable to any universal factory setting;
- Manufacturers of IoT devices need to provide a public point of contact as part of a vulnerability disclosure policy; and
- Manufacturers of IoT devices need to explicitly state the minimum length of time for which the product will receive security updates
The consultation closes on 5th June 2019 and is looking for views and feedback from stakeholders on the implementation of one of three options:
“Option A: Mandate retailers to only sell consumer IoT products that have the IoT security label, with manufacturers to self declare and implement a security label on their consumer IoT products;
Option B: Mandate retailers to only sell consumer IoT products that adhere to the top three guidelines, with the burden on manufacturers to self declare that their consumer IoT products adhere to the top three guidelines of the Code of Practice for IoT Security and the ETSI TS 103 645; Option C: Mandate that retailers only sell consumer IoT products with a label that evidences compliance with all 13 guidelines of the Code of Practice, with manufacturers expected to self declare and to ensure that the label is on the appropriate packaging.”
As you will see from each of the above options, the onus will be on the manufacturer to carry out some form of assessment and a self-declaration of security.
The UK government have stated that the application of a “voluntary security label” will be introduced later this year and will run until such time until regulation comes into force, but only following an analysis of the responses it receives to this consultation.
If your business operates in the “IoT space”; if you are not already looking at incorporating the principles of security by design – now might be the time to do so.
Val Surgenor is a partner at MacRoberts