In January 2020, new legislation was proposed in the UK to improve the security standards of internet-connected household devices. The goal was to protect millions of users of IoT devices from the threat of cyber attacks.
- The plans were drawn up by the Department for Digital, Culture, Media, and Sport (DCMS) to ensure all smart consumer devices sold in the UK adhere to the strict security requirements for the IoT.
- All internet-connected device passwords have to be unique and not resettable to any universal factory setting.
- Manufacturers of consumer IoT devices have to provide a public point of contact so anyone can report a vulnerability which will be followed by prompt action.
- Manufacturers of consumer IoT devices have to explicitly state the minimum length of time for which the IoT device will get security updates at the point of sale, either online or in-store.
- The measures were created with input from industry and the UK's National Cyber Security Center. The DCMS stated they would set new standards for best practice requirements for those who produce and sell IoT devices to consumers.
- The legislation builds on a voluntary Secure by Design code of practice for consumer IoT devices, which the UK government had first introduced in 2018. The code is the first of its kind and sets the standard for stronger security measures to be designed into IoT products.
- The UK government is working with international partners to ensure that the guidelines drive a consistent, global approach to IoT security, which includes a partnership with standards bodies.
- The UK government's goal is to develop such legislation that protects consumers more effectively, is easily implemented by consumers, and still supports the long-term growth of the IoT.
- The law builds on a series of steps. They include the publication of a code of practice for device-makers and the development of an international standard for IoT security.
- The standard has been approved by the industry association, the Cybersecurity Tech Accord (CTA), and is being used in, among other places, Singapore, Australia, Finland, and India.
Additionally, three new voluntary assurance schemes have been launched early this year to give consumers confidence that a smart product has been made secure:
- The Stockport-based Internet of Toys Assurance Scheme, which allows parents to know whether a smart toy they are buying for their children has been tested and meets the minimum security requirements;
- The Smart TV Cybersecurity Certification program, which provides third-party testing and gives confidence to consumers of smart TV products by allowing approved devices to show a certification logo;
- The IASME IoT Security Assured initiative will be open to start-ups and smaller IoT developers to carry out verified cyber security self-assessment of their products to ensure they meet high standards.