Manufacturers of Internet of Things (IoT) devices will need to ensure that their products meet the minimum security standard under new legislation, the Product Security and Telecommunications Infrastructure Bill (PSTI), announced by the government today as part of the Queen’s speech. The introduction of such rules around the security of connected devices has long been delayed, according to experts.

Prince Charles, accompanied by Prince William, arrives for today’s speech by the Queen. Among the policies announced was a bill calling for better security for IoT devices. (Photo by Hannah McKay – WPA Pool / Getty Images)

The bill, which was originally due to be announced during the state opening of parliament in January, was confirmed today during a speech by the Queen, which was delivered in parliament by Prince Charles.

What does the PSTI bill say about the security of connected devices?

There are three main requirements that manufacturers must adhere to under the PSTI. They must no longer use default passwords, must confirm how long security updates will be provided after the device starts up, and must reveal known vulnerabilities.

According to a Gartner study, in the last three years 20% of organizations have suffered a cyber attack on an IoT device connected to their network, and the number of devices is expected to reach 27 billion by 2025, according to a report by IoT Analytics.

Security for IoT devices has so far been largely ignored by manufacturers, according to James Bore, a security specialist and director of the Bores Group, who told Technical Monitor that the new legislation was an important step in protecting consumers and businesses.

“The three key requirements that are being introduced seem obvious to many in the security industry, but very few IoT manufacturers have volunteered to follow these recommendations, as the consequences have only affected customers or consumers, never themselves,” explains Bore.

Bore said the bill is likely to improve global security. “It is cheaper and easier for the manufacturer to design all devices to generate secure passwords, not just those that are sent to a specific area [like the UK],” he explains. “If you tell someone how long you’re going to provide security fixes for software, you can also tell everyone, and if you have any channels for researchers to report security vulnerabilities, then in today’s connected world, they’re not limited by geography.”

What is the cost of cyber attacks on IoT devices?

According to Kaspersky, in the first half of 2021 alone, there were 1.5 billion violations of IoT devices, as the company states that security is “the last thought for device manufacturers”.

It is estimated that these attacks could cost the world economy £1 billion a year through the loss of personal data as well as devices used to carry out attacks on business, government and infrastructure.

There are currently no security requirements for connected products, including smart TVs, smartphones, speakers and headphones. They come with default passwords that are unlikely to be changed by the user, leaving them open and an easy target for hackers, potentially exposing the rest of the corporate or home network.

Jake Moore, ESET’s global cybersecurity adviser, said: “Banning default passwords is only the first step in making IoT safe from low-level cyber attacks. Devices require constant updates to stay protected against unavoidable errors that will be detected.”

What does the PSTI bill mean for business?

The National Cyber Security Centre (NCSC) today issued a set of guidelines on how to interpret the implementation of the bill, especially for the security of connected devices in the corporate environment.

“With so many technologies and solutions, we realize that providing a prescriptive document ‘this is how you do x’ is far from how things actually work,” the agency’s blog post said.

“If we tell you how to do things and say that this is the only way you can do it, we would stifle innovation and we will have the impossible task of producing guidelines for each individual use case. So instead, the NCSC’s technology assurance principles allow for different ways to achieve a common security goal by providing organizations with tools to identify their own risks.”

Bore argues that whether the law has the desired impact will depend heavily on the effectiveness and efficiency of implementation. “We have seen this with the GDPR and the NIS regulations (General Data Protection and Networks and Information Systems Regulations, respectively) are not being implemented effectively, and many organizations, especially smaller businesses, are still barely aware of or understand their responsibilities under GDPR,” he says.

The government has also announced plans to reform Britain’s version of EU legislation on GDPR, with the bill expected to be unveiled in the summer.

The impact of the PSTI bill on the UK’s broadband infrastructure

The PSTI bill goes beyond the protection of IoT devices. It also aims to improve the deployment and resilience of the UK’s internet infrastructure, including wider 5G coverage, and ensure that 85% of the country has access to broadband with gigabit capability by 2025. As reported by Technical Monitor, the limits of the current copper cable infrastructure are being reached, and instead the network is switching to optical cables.

The bill could serve as a critical building block in developing reliable broadband, which will be “a vital backbone of the country’s economy,” said Katie Dyken, head of TMT in cyberspace and head of corporate sustainability at KPMG.

“This will help move this investment forward and bring additional benefits, such as increased competition and defining the rights of companies when installing new infrastructure,” says Deacon. “After talking to both large and small telecommunications companies, they are interested in the fact that the new legislation has the desired effect and includes some clarity about elements such as consistent standards and deadlines.”
