It’s not just the EU that’s working on a new set of rules for cybersecurity (see ENISA outlines new cybersecurity rules for service providers and OTTs). The UK’s DCMS (Department for Culture, Media and Sport) has now outlined a set of proposals developed in conjunction with the UK’s National Cyber Security Centre (NCSC).

“Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety,” said the Minister for Digital and Broadband Matt Warman.

The proposed legislation will require IoT devices sold in the UK to follow three rules:

  • Passwords must be unique and not resettable to a universal factory setting
  • Manufacturers of consumer IoT devices must provide a point of contact to make it easy for consumers to report vulnerabilities and these must be acted upon in a timely fashion
  • The minimum term for receiving security updates must be made clear to consumers at the point of sale – whether that’s in a store or online.

The proposed new regulations could ban devices from the UK that do not follow these principles.

This is not the first time the UK government has acted on IoT security though. In October 2018, it introduced the ‘Secure by Design Code of Practice’ for IoT developers, although this was a voluntary code that was unenforced.

This move signals several things. Firstly, it indicates that the UK intends to have a similar set of laws to those proposed by the EU going forward. In essence this is a piece of pro-UK, me-too PR following on from the ENISA announcements that says ‘we will have similar laws with or without the EU’. Secondly, it indicates that the UK government is well aware of increasing IoT adoption but also of IoT vulnerabilities. Finally, it shows that the government considers manufacturers and businesses supplying such devices and services to be responsible for ensuring their customers are safe and secure.

B2B service providers should consider their services in this area in light of both this announcement and that of ENISA. Fully managed services for IoT devices that ensure they function as intended, and remain both connected and secure, are a promising area of future revenue generation, as is the ability to manage such provisions for smaller business customers. As the range and volume of devices increases, it will be increasingly difficult for smaller businesses and consumers to manage IoT connectivity and security themselves. In particular, ensuring devices remain connected and faults are fixed quickly is set to become an ever-more thorny issue. This makes fully managed IoT services attractive if provided at the right price.

Posted by Teresa Cottam

Teresa is the Chief Analyst at Omnisperience and has over 25 years' experience in the telecoms and technology markets. She is an expert on SME and enterprise telecoms, and has considerable vertical market expertise. Her research focus lies in helping B2B telecoms firms become more commercially successful by better understanding and meeting their customers' needs. She is a judge of the GSMA Global Mobile Awards (GloMo's) for customer experience and enterprise innovation, and for the UK Cloud awards. You can follow her on Twitter @teresacottam

4 Comments

  1. Security is essential and workable rules must be set in place. However, it would be a shame if smaller businesses and community IOT groups such as ours in Brighton were forced out of IOT experimentation.

  2. It’s an interesting conundrum – it’s sensible for government to want IoT device providers and businesses to ensure basic security arrangements, but you’re right in where does the line lie. If lay people and very small businesses are building or customising their devices then will there be the same expectations/rules as for very big firms? I guess asking you to have a unique password isn’t hard for you to comply with, but the proposed reporting arrangements might be. We must ensure that a benign set of rules doesn’t turn into an albatross around the necks of individuals and small community organisations because that would impede innovation.
