Dissecting the UK’s New IoT Security Bill

The UK’s new Product Security and Telecommunications Infrastructure (PSTI) Bill aims to strengthen the security of IoT devices, but James Coker questions whether it goes far enough.

The surging popularity of internet of things (IoT) devices shows no sign of abating. According to Statista, the number of these devices worldwide is expected to reach an astonishing 25.44 billion by 2030. Furthermore, Transforma Insights believes there to be an average of nine such devices per household in the UK. Therefore, it is not hard to envision a cacophony of smart cameras, TVs, fridges and many other everyday appliances residing in the majority of households and commercial buildings in the near future.

Yet, this trend, designed to increase convenience in people’s hectic modern lives, could have dystopian-type consequences. It is well-understood in the security industry that IoT devices are a tempting target for cyber-criminals. This was highlighted during an investigation last year by consumer group Which? that recorded over 12,000 unique cyber-attacks targeting a home filled with IoT devices in a single week.

There are numerous motivations for threat actors targeting such devices; these include capturing sensitive data, including by potentially hacking into devices that allow them to hear or watch people at home, installing malware and using them as a vehicle to launch DDoS attacks. There have been particularly alarming examples of smart device hacks, including feeds from baby monitors being accessed by hackers. Despite this, it is estimated that only one in five manufacturers embed basic security requirements in consumer connectable products. As it stands, a range of nefarious actors, from financially-motivated cyber-criminals to peeping toms, stand to benefit from the surging connected device market. Yet, many consumers remain blissfully unaware of this fact.

Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, comments: “Security problems associated with IoT devices are well documented, having been recognized by security researchers and savvy users for many years since the IoT market first emerged. Products have been released with flaws, legacy vulnerabilities have been left unpatched and default passwords have been commonplace – some manufacturers even hardcode unchangeable, default access credentials into IoT devices. Many manufacturers favor speed to market over product security because users rarely question the security of devices.”

A Bill With Teeth

In response to this growing problem, in November 2021, the UK government introduced the Product Security and Telecommunications Infrastructure (PSTI) Bill to Parliament, which places new cybersecurity requirements on the manufacturers, importers and distributors of internet-connectable devices, like phones, tablets, smart TVs and fitness trackers. The law will also apply to products that can connect to multiple other devices but not directly to the internet, such as smart light bulbs and smart thermostats.

Under the provisions, universal default passwords will be banned, and IoT manufacturers will be forced to be transparent about actions they are taking to fix security flaws in their products. They will also be obliged to create a better public reporting system for any vulnerabilities discovered. Additionally, these organizations will have a duty to investigate compliance failures, produce statements of compliance and maintain appropriate records of this.

To enforce the rules, a new regulator will be set up with the power to issue heavy penalties for non-compliance. This includes fines of up to £10m or 4% of a company’s global turnover, as well as up to £20,000 a day in the case of an ongoing contravention. The regulator will also be given the authority to require firms to comply with the security requirements, recall their products or stop selling or supplying them altogether.

Additionally, the bill gives government ministers the power to mandate further security requirements as new threats emerge, allowing further provisions to be put in place quickly.

Most agree this is a welcome development. Yet, how impactful will this law be in practice for improving smart device security?

A Strong Foundation

While it is clear the new bill will not instantly solve all the cybersecurity problems associated with connected devices, Javvad Malik, lead security awareness advocate at KnowBe4, believes it provides a strong foundation on which to build. “I think it goes a long way as it forces the consumers, and more importantly the vendors, to really think about these things, so it sets that baseline. Whereas before, no one was thinking about security at all.”

Sarb Sembhi, CTO & CISO, concurs, pointing out that steps such as banning default passwords should prevent many of the straightforward, widescale hacking campaigns that have occurred frequently in the past. “You’re not going to get situations like we did in the past when cyber-criminals could create a botnet targeting hundreds of thousands of CCTVs that all have the same vulnerabilities and same default username and password. Hopefully, this bill will tackle that sort of thing,” he says.

Another major impact of the law could be to push the issue of IoT security into the consciousness of the wider public, in a similar way to how GDPR has encouraged awareness of privacy issues. In this scenario, consumer pressure could force rival firms to compete against each other to prove their credentials in cybersecurity. “Hopefully, customer awareness will go up, and then that will be a point of difference in where they spend their money,” says Jowanna Conboye, a technology partner at law firm Spencer West.

Additionally, discussion around the law should generate greater understanding around the need for basic security practices in general, which can only be a positive, says Malik. “From the human perspective, I think it’s also really good in terms of education for people. For example, if you get a product and you’re forced to change the password, you have to think about it,” he notes.

Importantly, the bill will allow the UK government to add further security requirements without introducing new legislation. This can ensure the rules keep pace with the changing tactics of cyber-criminals and also allow any loopholes that IoT manufacturers, distributors and importers use to avoid compliance to be closed rapidly. Sembhi says, “The bill has powers that enable ministers to change the rules as they deem fit. That means if they’re trying to find loopholes, ministers will be able to close those loopholes.”

The law takes what Sembhi calls a “softly softly approach,” initially setting out only a handful of requirements for companies to implement, with a year’s grace expected for enacting them once the law is passed. He notes that the initial legislation focuses on the top three of the 13 ETSI standards for consumer IoT devices, and predicts that more of these will be introduced gradually. “The fact that it’s flexible and that they have got room to change things, that’s what’s key,” he adds.

Malik agrees that this gradual, evolutionary approach is the right one to take. However, in time, he would like to see extra obligations imposed, such as forcing companies to offer multi-factor authentication (MFA). “From a government level, you have to start at the lowest common denominator because you don’t want to push people out of the market just because they can’t meet a high-security standard. So I think that over time this will probably get refined,” he outlines.

Does it Go Far Enough?

However, Conboye is not convinced that the government’s gradual approach will be the most effective from a compliance standpoint. “From a legal point of view, if there’s going to be lots of changes, it’s better that you do them all at once and then manufacturers can look at them holistically. If you keep tweaking the regulation, that means businesses have to spend time and money every single time, even if they’re only small changes,” she explains.

Security professionals also note that the provisions will only focus on new IoT products, leaving existing devices exposed to the same vulnerabilities. Mark Brown, global MD of cybersecurity & information resilience at the British Standards Institution, says, “It does not seek to address previous shortcomings and therefore continues to leave the millions of pre-existing devices connected and exposed to cybersecurity and privacy risks. Consequently, it fails to force organizations to address extant legacy risks resulting from the multitude of previously insecure connected devices which will remain in situ for years to come.”

Additionally, there are fears that the bill in its current form will lead to what Conboye calls “built-in obsolescence” regarding security patches and updates. This relates to the requirement for manufacturers of connectable products to tell customers at the point of sale, and keep them informed thereafter, about the minimum period for which a product will receive vital security updates and patches.

Peter Gooch, cyber risk partner at Deloitte, also shares this concern. “While it sounds like a good idea initially, as IoT devices get more and more numerous and commonplace, the hardware will likely outlast the timescale defined by manufacturers for security updates. Who will remind the consumer that their device is no longer receiving security updates and is therefore vulnerable to attack?” he asks.

Ensuring Compliance

As with any law, the extent of compliance is critical in determining its success. On a positive note, large, global companies in this space will likely be well-equipped to adhere to the new provisions quickly. Indeed, Sembhi notes that for a number of years, “some of the very large manufacturers have been producing their own standards.”

Conboye concurs, stating, “For global companies, it’s just going to be another thing that’s built into their already very good existing compliance model.”

However, it could be a different story for smaller companies with limited resources. Conboye believes some of these organizations will weigh the costs of complying with the rules against the likelihood of being punished for failing to do so, and then decide whether non-compliance is a risk worth taking. “Is there still going to be a wild west of internet-connected devices where some manufacturers just choose to be non-compliant?” she asks.

To ensure widespread compliance, it is critical that the as-yet-unnamed regulator is given sufficient power and resources, says Conboye. She expects the body to adopt a similar approach to other major UK regulatory authorities, such as the Competition and Markets Authority (CMA) and the Information Commissioner’s Office (ICO), by issuing heavy fines for major breaches of the rules early on, sending a clear message to the rest of the industry. “I’d be surprised if we didn’t see some big fines within six months of the law being enforced because that’s what we see from those two other regulators. That’s the only thing that really works; the regulator has to show they’re willing to take action,” she says.

Sembhi agrees and believes the quicker the new body clamps down on non-compliant firms, the better: “The sooner we can get some test cases, the sooner we know what’s working, what’s not working and what needs to be changed.”

The UK’s PSTI Bill aims to address the significant cybersecurity weaknesses seen in IoT devices, and hopefully, in time, will prevent many of the easy attacks cyber-criminals can launch; for example, those enabled by compromising a single default password that is used on thousands of products.

Yet many uncertainties remain regarding how effective these rules will be in practice. Much will depend on two areas outside the provisions themselves. The first is the extent to which the law grows awareness of IoT security issues among the wider public, thereby placing commercial pressure on manufacturers, distributors and importers of these devices to improve cybersecurity practices. The other is the effectiveness of the new regulator in ensuring widescale compliance with initial and subsequent obligations.