The UK has various measures and guidelines in place to protect consumers from cyberattacks on smart devices. One of the key initiatives is the government's Secure by Design programme and its Code of Practice for Consumer IoT Security, which encourages manufacturers to build security into their products from the design stage rather than bolting it on afterwards. This includes measures such as secure default settings, regular security updates, and easy-to-understand privacy policies.
Additionally, the UK's National Cyber Security Centre (NCSC), which is part of GCHQ, provides guidance and resources for consumers on how to secure their smart devices and protect themselves from cyber threats. This includes advice on choosing secure devices, setting up strong passwords, keeping software updated, and being cautious about sharing personal information online.
More recently, legislation has been passed that addresses this issue directly: the Product Security and Telecommunications Infrastructure Act (PSTI), a good first step towards a more secure digital future. It prohibits universal default passwords (the same credential shipped on every unit of a product line) and easily guessed passwords, requires manufacturers to publish contact details so that vulnerabilities can be reported, and requires both manufacturers and retailers to be open with consumers about the minimum period for which a device will receive security updates and software patches.
Furthermore, consumer protection laws in the UK, such as the Consumer Rights Act, require that products sold to consumers must be of satisfactory quality, fit for purpose, and safe. This means that manufacturers and retailers have a legal obligation to ensure that the smart devices they sell meet certain security standards and do not pose a risk to consumers.
While most of the devices in scope are manufactured outside the UK, the PSTI Act also applies to any organisation importing or retailing products in the UK, with failure to comply constituting a criminal offence attracting a fine of up to £10m or 4% of qualifying global revenue, whichever is higher.
What's in the Scope?
According to the NCSC’s guidance, the PSTI Act applies to the following, although this is not an exhaustive list:
- Smart speakers, smart TVs and streaming devices
- Smart doorbells, baby monitors and security cameras
- Smartphones, tablets including those with mobile connectivity, and videogame consoles
- Wearable fitness trackers and smart watches
- Smart domestic appliances, such as connected light bulbs, plugs, kettles, thermostats, ovens, fridges, washing machines and vacuum cleaners.
Certain automotive vehicles are to be exempted from the PSTI Act regime as they will eventually be covered by alternative legislation. The government is currently in the beginning stages of the legislative process for this.
An infographic can be downloaded here: Law on Smart Devices
So, what about Industrial IoT (IIoT) Devices?
The PSTI regime is aimed at consumer connectable products, so industrial devices are largely outside its scope unless they are also sold to consumers. Even so, legislation requiring minimum security standards and banning easily guessable default passwords for consumer IoT devices is likely to have knock-on implications for smart devices used in manufacturing and operational technology (OT) environments. Here is how it might affect these devices in the future:
1. Security Standards Compliance: Manufacturers of smart devices used in OT environments would need to ensure that their products comply with the mandated minimum security standards. This could involve implementing encryption, secure authentication mechanisms, regular security updates, and other security features to protect against cyber threats.
2. Password Policies: Similar to consumer IoT devices, smart devices used in manufacturing and OT environments often ship with default passwords that are easily guessed or widely published in vendor manuals. The legislation would likely require manufacturers to eliminate such passwords and implement stronger authentication measures. This could involve prompting users to set a unique, complex password during commissioning, shipping each unit with its own randomly generated credential rather than a shared default, or implementing alternative authentication methods such as biometrics.
3. Integration with OT Systems: Smart devices used in manufacturing and OT environments are often integrated into larger OT systems and networks. Strengthening the security of these devices can help protect the integrity and availability of critical industrial processes and infrastructure. By ensuring that these devices adhere to minimum security standards and use strong authentication measures, the legislation aims to reduce the risk of cyberattacks targeting OT systems.
4. Supply Chain Considerations: Manufacturers of smart devices used in OT environments may need to review their supply chain practices to ensure that all components and software meet the required security standards. This may involve working closely with suppliers and third-party vendors to ensure that security is prioritized throughout the entire product lifecycle.
5. Compliance and Certification: Manufacturers may need to demonstrate compliance with the mandated security standards through certification processes or audits. This could involve obtaining third-party certifications or providing documentation to customers and regulatory authorities to verify that their products meet the required security requirements.
Overall, legislation aimed at improving cybersecurity for consumer IoT devices is likely to have a positive impact on the security of smart devices used in manufacturing and OT environments. By raising the security bar for all connected devices, including those used in industrial settings, the legislation aims to enhance the resilience of critical infrastructure and mitigate the risk of cyber threats targeting OT systems.
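As an added illustration of points 1 and 2 above, and of the PSTI ban on universal default passwords described earlier, the following Python models a device that has no credential at all until its owner sets one, rejects universal defaults and passwords derived from label-visible identifiers, and stores only a salted scrypt hash. This is example code written for this page, not code from the article, the NCSC or any manufacturer; the denylist, the serial number and MAC address, MIN_LENGTH and the scrypt cost parameters are constructed assumptions, and a real product would use a vetted credential-hashing library and its platform's secure storage.

```python
"""Added example: a first-boot credential policy for a connectable device.

Not code from the article, the NCSC or any manufacturer. The denylist,
the device identifiers, MIN_LENGTH and the scrypt cost parameters are
constructed for illustration only.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import re
import secrets

# Constructed denylist: "universal" defaults that ship identically on every
# unit of a product line, which is exactly what the PSTI regime bans.
UNIVERSAL_DEFAULTS = {
    "admin", "password", "root", "default", "user", "guest", "support",
    "1234", "12345", "123456", "12345678", "000000",
}
MIN_LENGTH = 8                        # assumed minimum; tune to the threat model
SCRYPT = dict(n=2 ** 14, r=8, p=1)    # assumed cost parameters (about 16 MiB)


def _normalise(value: str) -> str:
    """Lower-case and drop separators so 'SN-1234' and 'sn1234' compare equal."""
    return re.sub(r"[^a-z0-9]", "", value.lower())


def check_password(candidate: str, public_ids: list[str]) -> list[str]:
    """Return the policy violations for a proposed password (empty == OK).

    public_ids are values an attacker can read off the label or the network
    (serial number, MAC address, SSID); a password derived from them is
    "easily guessed" even though it is unique per device.
    """
    problems: list[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in UNIVERSAL_DEFAULTS:
        problems.append("universal default password")
    if len(set(candidate)) < 4:
        problems.append("too few distinct characters")
    norm = _normalise(candidate)
    for ident in public_ids:
        n_id = _normalise(ident)
        if len(n_id) >= 4 and (n_id in norm or (len(norm) >= 4 and norm in n_id)):
            problems.append(f"derived from public identifier {ident!r}")
            break
    return problems


def generate_unique_password(public_ids: list[str]) -> str:
    """Per-unit random password (e.g. printed on the box), never a universal one."""
    while True:
        candidate = secrets.token_urlsafe(12)
        if not check_password(candidate, public_ids):
            return candidate


class Device:
    """A device that has no credential at all until the owner sets one."""

    def __init__(self, serial: str, mac: str) -> None:
        self.serial = serial
        self.mac = mac
        self._cred: tuple[bytes, bytes] | None = None   # (salt, scrypt hash)

    @property
    def provisioned(self) -> bool:
        return self._cred is not None

    def set_password(self, candidate: str) -> list[str]:
        """Apply the policy; store only a salted scrypt hash if it passes."""
        problems = check_password(candidate, [self.serial, self.mac])
        if problems:
            return problems
        salt = os.urandom(16)
        self._cred = (salt, hashlib.scrypt(candidate.encode(), salt=salt, **SCRYPT))
        return []

    def verify(self, attempt: str) -> bool:
        if self._cred is None:
            return False                        # no hidden fallback credential
        salt, digest = self._cred
        got = hashlib.scrypt(attempt.encode(), salt=salt, **SCRYPT)
        return hmac.compare_digest(got, digest)

    def handle_login(self, attempt: str) -> str:
        """Refuse every login until provisioning is complete."""
        if not self.provisioned:
            return "refused: device not provisioned, set a password first"
        return "ok" if self.verify(attempt) else "refused: bad password"


if __name__ == "__main__":
    dev = Device(serial="SN-2024-00017", mac="AA:BB:CC:DD:EE:FF")   # constructed
    print(dev.handle_login("admin"))                   # refused: not provisioned
    print(dev.set_password("admin"))                   # two policy violations
    print(dev.set_password("SN202400017"))             # derived from the serial
    print(dev.set_password("correct-horse-battery"))   # []
    print(dev.handle_login("correct-horse-battery"))   # ok
```

The design point is that there is no fallback: an unprovisioned device refuses every login rather than accepting a vendor default, and a per-unit password printed on the box is generated through the same policy so that it can never collide with a universal default or be reconstructed from the serial number.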
What about Legacy Devices?
The risk from legacy devices, and from settings that were once accepted as 'standard practice', will not be addressed retrospectively; over time these devices will be replaced through change programmes and obsolescence projects. Until then we need to be diligent and apply a layered, defence-in-depth approach (segmentation, monitoring and other compensating controls) to secure such devices until they are retired or replaced.
Have we missed a trick?
The PSTI Act originates from the Code of Practice for Consumer IoT Security published in October 2018, which was jointly developed by the National Cyber Security Centre (NCSC) and what was then the Department for Digital, Culture, Media and Sport (DCMS).
The Code of Practice covers much more than what has now been put into legislation: only the first three of its guidelines have become mandatory requirements. I'm sure that over time the remaining good practices will become mandatory too, but should they have been from the get-go?
The thirteen guidelines in the Code of Practice are as follows:
1. No default passwords
2. Implement a vulnerability disclosure policy
3. Keep software updated
4. Securely store credentials and security-sensitive data
5. Communicate securely
6. Minimise exposed attack surfaces
7. Ensure software integrity
8. Ensure that personal data is protected
9. Make systems resilient to outages
10. Monitor system telemetry data
11. Make it easy for consumers to delete personal data
12. Make installation and maintenance of devices easy
13. Validate input data
Did we get it right?
Back in 2019 when I attended CyberUK I was part of a discussion group that looked at the controls that were being proposed, I wrote about this here: Our visit to CyberUK 2019 (solutionspt.com)