UK Introduces New Cybersecurity Legislation for IoT Devices

The UK government has today introduced new legislation to Parliament that aims to better protect consumers’ IoT devices from hackers.

The Product Security and Telecommunications Infrastructure (PSTI) Bill places new cybersecurity standards on manufacturers, importers and distributors of internet-connectable devices, such as phones, tablets, smart TVs and fitness trackers. The legislation will also apply to products that can connect to multiple other devices but not directly to the internet, like smart light bulbs and smart thermostats.

These requirements include banning universal default passwords, forcing firms to be transparent about actions they are taking to fix security flaws in their products and creating a better public reporting system for any vulnerabilities discovered. In addition, these companies will have a duty to investigate compliance failures, produce statements of compliance and maintain appropriate records of this.

Failure to comply could result in heavy fines issued by a new regulator – up to £10m of 4% of their global turnover, as well as up to £20,000 a day in the case of an ongoing contravention. The regulator will also be given the power to require firms to comply with the security requirements, recall their products or stop selling or supplying them altogether. The legislation is further bolstered by the fact ministers will be able to mandate further security requirements as new threats emerge.

The legislation comes amid the surging use of IoT devices, with an average of nine in every UK household. Unsurprisingly, these devices have become increasingly targeted by cyber-criminals in recent years. For example, earlier this year, Which? published an investigation demonstrating that smart homes could face more than 12,000 cyber-attacks in a single week.

Minister for Media, Data and Digital Infrastructure, Julia Lopez, commented: “Everyday hackers attempt to break into people’s smart devices. Most of us assume if a product is for sale, it’s safe and secure. Yet many are not, putting too many of us at risk of fraud and theft.

“Our Bill will put a firewall around everyday tech from phones and thermostats to dishwashers, baby monitors and doorbells, and see huge fines for those who fall foul of tough new security standards.”

Dr Ian Levy, NCSC technical director, stated: “I am delighted by the introduction of this bill which will ensure the security of connected consumer devices and hold device manufacturers to account for upholding basic cybersecurity.

“The requirements this bill introduces – which were developed jointly by DCMS and the NCSC with industry consultation – mark the start of the journey to ensure that connected devices on the market meet a security standard that’s recognized as good practice.”

Commenting on the new legislation, Gerhard Zehethofer, vice President, IoT & manufacturing at ForgeRock, said: "This is a positive step from the UK government. IoT has been talked about for years as a truly transformative technology, but adoption has been slower than expected. In 2012, it was predicted there would be a trillion connected devices globally by 2020, now the predictions are for just 36 billion.

“Overcoming the real security concerns surrounding IoT will be critical to unlocking growth, and IoT-specific regulations such as this one have a major role to play. Common-sense fixes like the banning of default passwords and incentivizing manufacturers to keep on top of security updates and vulnerabilities will help protect consumers and their data, building the trust that the IoT market needs to achieve its full potential.”

What’s Hot on Infosecurity Magazine?