Published on March 7th, 2018 | by The GC Team
New measures to boost cyber security in millions of internet-connected devices
Manufacturers of ‘smart’ devices such as televisions, toys and speakers found in millions of homes will be expected to integrate tough new security measures that last the lifetime of the product, as part of Government plans to keep the nation safe from the increasing risk of cyber threats.
The initiative is a key part of the Government’s five-year £1.9 billion National Cyber Security Strategy, which aims to make the UK “the most secure place in the world to live and do business online.”
Estimates show every household in the UK owns at least 10 internet-connected devices and this is expected to increase to 15 devices by 2020, meaning there may be more than 420 million in use across the country within three years.
Poorly secured devices threaten individuals’ online security, privacy and safety, and could be exploited as part of large-scale cyberattacks. Recent high-profile breaches putting people’s data and security at risk include attacks on smart watches, CCTV cameras and children’s dolls.
Developed in collaboration with manufacturers, retailers and the National Cyber Security Centre, the Government’s Security by Design review lays out plans to embed security in the design process rather than bolt it on as an afterthought.
The Government will work with industry to implement “a rigorous new Code Of Practice” to improve the cyber security of consumer internet-connected devices and associated services while continuing to encourage innovation in new technologies.
Margot James, Minister for Digital and the Creative Industries, said: “This will help ensure that we have the right rules and frameworks in place to protect individuals and that the UK continues to be a world-leading, innovation-friendly digital economy.”
The Security by Design review outlines practical steps for manufacturers, service providers and developers. This will encourage firms to make sure:
- All passwords on new devices and products are unique and not resettable to a factory default, such as ‘admin’
- They have a vulnerability policy and public point of contact so security researchers and others can report issues immediately and they are quickly acted upon
- Sensitive data which is transmitted over apps or products is encrypted
- Software is automatically updated and there is clear guidance on updates to customers
- It is easy for consumers to delete personal data on devices and products
- Installation and maintenance of devices is easy
Alongside these measures for IoT manufacturers, the report proposes developing a product labelling scheme so consumers are aware of a product’s security features at the point of purchase. The Government said it will work closely with retailers and consumer organisations to provide advice and support.
Alex Neill, Which? Managing Director of Home Products and Services, said: “With connected devices becoming increasingly popular, it’s vital that consumers are not exposed to the risk of cyberattacks through products that are left vulnerable through manufacturers’ poor design and production.
“Companies must ensure that the safety of their customers is the absolute priority when ‘smart’ products are designed. If strong security standards are not already in place when these products hit the shelves, then they should not be sold.”
“The opportunities created by the Internet of Things are now becoming clear,” said Julian David, CEO of Tech UK. “It offers consumers and citizens greater empowerment and control over their lifestyles, from managing energy consumption at home to having peace of mind that a frail relative is going about their normal routine.
“However, these opportunities also bring risk and it is important that the IoT market now matures in a sensible and productive way, with security embedded at the design stage. This project is the start of that maturity.
“Industry has been keen to engage in the review and demonstrate what is best practice. It is important that companies throughout the supply chain now adopt and build on this Code of Practice to build the trust required to drive widespread take-up of the IoT.”