The UK Government has been proactive in addressing IoT security risks, publishing the Secure by Design report in March of 2018 and introducing a Code of Practice for consumer IoT security. Peter Groucutt, managing director of Databarracks, argues that the only way to sufficiently address the issue of IoT security is to legislate.
“The UK Government has already made good progress in bridging the IoT security gap. The content, guidelines and recommendations in its Code of Practice for IoT consumer use are excellent. It addresses the most fundamental cyber security practices in order of criticality and importance. But the scheme doesn’t prohibit non-compliance, and is limited to consumer use. In light of this, we should set a positive example by enforcing minimum security standards for all use of IoT.
“Our lack of regulation means we see instances as serious as insecure children’s smartwatches. The Code of Practice will be adhered to by the diligent parties in the IoT supply chain, but it won’t prevent less committed companies favouring profit over security and pushing insecure products to market. The same company that produced these smartwatches was also found to be making insecure video baby monitors previously.”
Groucutt continues: “The Code of Practice is currently only for consumer devices such as health trackers, smart home assistants and children’s toys and monitors. We recommend extending this reach as IoT devices aren’t just limited to the consumer world. Increasingly, we see them on corporate networks, which are only as strong as their weakest links. For example, research by Princeton University recently warned about vulnerabilities to national power grids stemming from networked home devices, such as TVs and fridges. We advocate making the Code legally enforceable, which is thankfully something the government is already considering and is an approach supported by several cyber experts.
“There is the argument that government interference might limit the UK’s ability to compete with other less regulated markets. But device security is now so fundamental that better regulation could be a competitive advantage and differentiation point for our manufacturers, service providers, developers and retailers,” concludes Groucutt.