Governments Begin to Take on IoT Security
Following the state of California, the UK government has proposed IoT security regulation measures and requirements, which were broadly welcomed by security experts.
New UK government proposals for regulating minimum security settings and requirements for IoT devices have been broadly welcomed by security experts, and at first glance appear to cement a new security agenda.
The plans will mandate that basic cyber security features will be built into products, and that consumers will get better information on how secure their devices are. The three core elements are:
- IoT device passwords must be unique and not resettable to any universal factory setting
- Manufacturers of IoT products provide a public point of contact as part of a vulnerability disclosure policy
- Manufacturers explicitly state, through an end-of-life policy, the minimum length of time for which the device will receive security updates.
The detail is set to be established through a period of consultation, including a mandatory new labelling scheme, but the general theme is likely to follow the ‘Secure by Design’ code of practice, published late last year in guideline format. Those guidelines have already been backed by Centrica Hive, HP Inc Geo and more recently Panasonic.
National Cyber Security Centre (NCSC) Technical Director, Dr Ian Levy said:
Serious security problems in consumer IoT devices, such as pre-set unchangeable passwords, continue to be discovered and it’s unacceptable that these are not being fixed by manufacturers.
This innovative labelling scheme is good news for consumers, empowering them to make informed decisions about the technology they are bringing into their homes.
The move follows a cybersecurity law covering “smart” devices that was passed in California late last year. The bill, SB-327, states that from January 1st, 2020, any manufacturer of a device that connects “directly or indirectly” to the internet must have baked in “reasonable” security features, designed to prevent unauthorized access, modification, or information disclosure. The law also mandates either a unique password for each device, or forcing users to set their own password the first time they connect.
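The unique-password requirement that both the UK proposal (first bullet above) and SB-327 describe can be made concrete in the device's own provisioning logic. The following is an added illustration, not code from either government scheme or from any manufacturer: a hypothetical credential store for one device that mints a per-unit password from the OS random generator at manufacture, re-mints rather than restores a shared default on factory reset, refuses a short constructed list of universal defaults when the owner chooses a password, and flags that a password change is still required until the owner has done so.

```python
import hashlib
import hmac
import secrets
import string

# Constructed list of universal factory credentials this policy refuses outright
# (illustrative values only, not taken from any real product).
UNIVERSAL_DEFAULTS = {"", "admin", "password", "default", "1234", "12345", "123456"}

PASSWORD_ALPHABET = string.ascii_letters + string.digits
PROVISIONED_LENGTH = 16


def is_universal_default(password: str) -> bool:
    """True if the candidate is one of the shared defaults the regulations target."""
    return password.strip().lower() in UNIVERSAL_DEFAULTS


def generate_device_password(length: int = PROVISIONED_LENGTH) -> str:
    """Per-unit credential from the OS CSPRNG; never derived from a shared constant."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the stored value is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class DeviceCredentials:
    """Hypothetical credential state for a single device's persistent storage."""

    def __init__(self, serial: str):
        self.serial = serial
        self.salt = b""
        self.password_hash = b""
        self.user_has_set_password = False

    def _store(self, password: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.password_hash = _hash_password(password, self.salt)

    def provision(self) -> str:
        """Manufacturing step: mint a credential unique to this unit and return it for its label."""
        password = generate_device_password()
        self._store(password)
        self.user_has_set_password = False
        return password

    def factory_reset(self) -> str:
        """A reset mints a fresh unique credential instead of restoring a universal one."""
        return self.provision()

    def verify(self, password: str) -> bool:
        """Constant-time comparison against the stored hash."""
        candidate = _hash_password(password, self.salt)
        return hmac.compare_digest(candidate, self.password_hash)

    def must_change_password(self) -> bool:
        """First-connection gate: the owner is pushed to set their own password."""
        return not self.user_has_set_password

    def set_user_password(self, password: str) -> None:
        """Owner-chosen password; shared defaults and short values are rejected."""
        if is_universal_default(password) or len(password) < 8:
            raise ValueError("password is a universal default or too short")
        self._store(password)
        self.user_has_set_password = True


if __name__ == "__main__":
    device = DeviceCredentials("SN-EXAMPLE-0001")  # constructed serial
    label_password = device.provision()
    print("provisioned:", label_password, "change required:", device.must_change_password())
    device.set_user_password("correct-horse-battery")
    print("after owner set:", device.must_change_password())
    print("after reset, new label password:", device.factory_reset())
```

The point of the design is that no two units share a credential at any moment in their life, including after a reset, and that the device itself reports whether the first-connection password change has happened, which is the property a labelling scheme or conformity assessment would want to check.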
The regulation was broadly welcomed by security experts, although it did draw some fire for being too general, and for focussing on introducing ‘good’ attributes rather than removing ‘bad’ vulnerabilities and security holes. As security veteran Bruce Schneier told The Washington Post: “It probably doesn’t go far enough — but that’s no reason not to pass it.”
So will other jurisdictions follow suit? Well, the UK announcement could - cynically speaking - be accused of a certain amount of window dressing, given that very similar moves are firmly established just across the channel. The EU has been mulling the introduction of ICT and IoT legislation for some time, reaching an initial political agreement late in 2018, and more recently (March 2019) approving a framework for implementing the regulation.
The cynical might find some of the aims of the EU’s Cyber Security Act familiar - indeed, the first part of the plan is to give ENISA, the EU’s cyber security agency, responsibilities for supporting member states and EU institutions in very much the same way as the National Cyber Security Centre does in the UK. The second part of the EU scheme is to establish a new EU-wide certification framework for IT products, services and processes: “Certificates issued under the schemes will be valid in all EU countries, making it easier for users to gain confidence in the security of these technologies, and for companies to carry out their business across borders”, said the EU in a positioning statement.
Although the certification scheme will be voluntary, there will be three levels of security assurance: basic, substantial and high. “For the basic level, it will be possible for manufacturers or service providers to carry out the conformity assessment themselves,” stated the EU. The core requirements, however, are consistent across the three levels: secure out-of-the-box configuration, signed code, secure update, exploit mitigations and full stack/heap memory protections. Although initially voluntary, the Commission is required to evaluate by 2023 whether specific schemes should become mandatory for certain ICT products, services or processes.
While critics can point to the vagueness of the schemes announced so far, the fact that action on improving security has begun at a national and international level is encouraging. The problem is certainly not going away - indeed, the opposite is the case, with Gartner predicting 14.2 billion internet-connected devices in use worldwide by the end of 2019 - and that’s a whole lot of unique passwords to get set, for certain…