Smart Devices to get regulatory baseline security measures?

What are they and what is the concern?

The use of smart devices or smart products by both consumers and industry is rapidly advancing, and today the use of such smart or internet-enabled products in the household is relatively common: think speakers and heating controls, to name but a few!

There is, however, increasing concern over the security of smart devices, many of which are potentially vulnerable to cyber attacks. Recognising what it calls “significant shortcomings” in many products on the market, the UK Government has stated that there is an “urgent need to move the expectation away from consumers securing their own devices and instead ensur[ing] that strong cyber security is built into these products by design.”

With this in mind, the Department for Digital, Culture, Media and Sport (DCMS) announced on 1st May its consultation on regulatory proposals regarding consumer Internet of Things security. 

The consultation is looking at consumer IoT products, that is, products that are connected to the internet and/or your home network, and their associated services.

Who should be interested in the Consultation?

The consultation is targeted at:

  • the creators of the internet-connected product, i.e. the IoT device;
  • those that provide the networks, cloud storage and data transfers that facilitate the IoT device;
  • developers of mobile apps offered as a way of interacting with devices as part of the IoT solution;
  • retailers of the internet-connected products; and
  • consumer groups, academics and technical experts who have an interest in IoT.

What does the consultation look at?

The focus of the consultation is on three guidelines taken from the “Code of Practice for Consumer IoT security”, which was published back in October, namely:

  • IoT device passwords must be unique and not resettable to any universal factory setting;
  • Manufacturers of IoT devices need to provide a public point of contact as part of a vulnerability disclosure policy; and
  • Manufacturers of IoT devices need to explicitly state the minimum length of time for which the product will receive security updates.

The consultation closes on 5th June 2019 and is looking for views and feedback from stakeholders on the implementation of one of three options:

Option A: Mandate retailers to only sell consumer IoT products that have the IoT security label, with manufacturers to self declare and implement a security label on their consumer IoT products.

Option B: Mandate retailers to only sell consumer IoT products that adhere to the top three guidelines, with the burden on manufacturers to self declare that their consumer IoT products adhere to the top three guidelines of the Code of Practice for IoT Security and the ETSI TS 103 645.

Option C: Mandate that retailers only sell consumer IoT products with a label that evidences compliance with all 13 guidelines of the Code of Practice, with manufacturers expected to self declare and to ensure that the label is on the appropriate packaging.

As you will see from each of the above options, the onus will be on the manufacturer to carry out some form of assessment and a self-declaration of security.

The UK Government has stated that a “voluntary security label” will be introduced later this year and will run until such time as regulation comes into force, but only following an analysis of the responses it receives to this consultation.

Key take away

If your business operates in the “IoT space” and you are not already looking at incorporating the principles of security by design, now might be the time to do so.
