UK introduces first IoT security laws

The UK has become the first country to legally mandate cybersecurity standards for IoT devices. The new laws, which came into force today, aim to shield consumers from cyber threats and boost the nation’s resilience against rising cyber-crime.

Under the Product Security and Telecommunications Infrastructure (PSTI) regime, manufacturers will be legally required to build security protections into any product with internet connectivity. Easily guessable default passwords like “admin” or “12345” will be banned to prevent vulnerabilities exploited in past attacks like the devastating 2016 Mirai botnet incident.

“From today, consumers will have greater peace of mind that their smart devices are protected from cyber criminals, as we introduce world-first laws that will make sure their personal privacy, data, and finances are safe,” stated Viscount Camrose, Minister for Cyber.

The urgency for such protections is clear. According to consumer advocacy group Which?, a typical smart home could face over 12,000 hacking attempts in a week, with nearly 2,700 attempts to guess weak passwords on just five devices. With 99% of UK adults owning at least one smart device and households averaging nine connected products, unsecured IoT tech poses significant risks.

“Businesses have a major role in protecting the public by ensuring smart products provide ongoing protection against cyber-attacks,” said Sarah Lyons, Deputy Director for Economy and Society at the NCSC cybersecurity agency. “This landmark Act will help consumers make informed decisions.”

Beyond prohibiting easy-to-guess passwords, the new regime requires manufacturers to:

• Publish vulnerability disclosure policies for reporting security flaws 
• State minimum periods for providing security updates
• Provide mechanisms for securely updating software 

“Which? has been instrumental in pushing for these laws to give consumers vital protections against hackers stealing personal information,” said Rocio Concha, the group’s policy director. “But we expect brands to do right by customers from day one.”

The cybersecurity standards are part of the UK’s £2.6 billion National Cyber Strategy. They reflect the government’s commitment to making Britain the world’s safest place for online activities as cyber threats rise alongside IoT adoption rates – over half of UK households now own smart TVs, while around half have voice assistants or wearables.

While the automotive industry was initially included, the government is now pursuing alternative cybersecurity regulations specific to internet-connected vehicles.

David Rogers, CEO of consultancy Copper Horse, welcomed the standards: “Manufacturers should not provide products so weak and insecure that they are trivial to hack into and takeover. This stops now.”

Industry collaboration was key to developing the “transformative protections,” said officials. Consumers can also report non-compliant products to the regulator. However, enforcement will be crucial.

“The OPSS must provide clear guidance and take strong action against manufacturers if they flout the law,” Concha warned.

The UK’s legislation could set a precedent for other nations looking to legislate consumer cyber safeguards for IoT devices.

Full guidance on the PSTI can be found here.

(Photo by Shazaf Zafar)

See also: UK’s smart motorways regularly stop working

Want to learn about the IoT from industry leaders? Check out IoT Tech Expo taking place in Amsterdam, California, and London. The comprehensive event is co-located with other leading events including Cyber Security & Cloud Expo, AI & Big Data Expo, Edge Computing Expo, and Digital Transformation Week.

Explore other upcoming enterprise technology events and webinars powered by TechForge here.

Tags: cyber security, cybersecurity, europe, government, hacking, infosec, internet of things, IoT, law, legal, legislation, Product Security and Telecommunications Infrastructure, psti, regulation, security, smart devices, uk