UK Considers New Enterprise IoT Security Law

The UK government has issued a Call for Views on proposed “policy interventions” designed to improve the security of enterprise IoT products, after new research revealed glaring vulnerabilities in many devices.
The Department for Science, Innovation and Technology (DSIT) commissioned NCC Group to test a range of devices: a “high-end” and a “low-end” camera, a VoIP device, a meeting room panel and a NAS device.
It found a total of 50 issues, including one rated critical and nine high severity. Among its general findings were:
- Several “serious” remote code execution (RCE) vulnerabilities which could have enabled an unauthenticated attacker to gain full control of a device
- Outdated software across multiple devices, including one bootloader that was over 15 years old
- Most devices could have allowed an attacker with physical access to fully compromise them and install a persistent backdoor
- Most devices ran all processes as a “root” user, potentially giving an attacker unrestricted access or control of a device
- Insecure configuration of services, applications or features
- Mixed compliance with the NCSC’s Device Security Principles and the ETSI EN 303 645 standard
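A defender-side check for the “all processes as root” finding above, added here as an example (it is not code from NCC Group, DSIT or the article): it parses the kernel's /proc/net/tcp table and flags listening sockets owned by uid 0 on non-loopback addresses, which is what an auditor would look for first on an embedded Linux device. The table below is constructed sample data in the real /proc/net/tcp format.

```python
"""Flag network services that listen as root on an embedded Linux device.
Reads the /proc/net/tcp format (hex, little-endian IPv4 addresses)."""
from dataclasses import dataclass

# Constructed excerpt in /proc/net/tcp format (not captured from a real device).
# Columns used: local_address, st (state), uid, inode.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 33333 1 0000000000000000 100 0 0 10 0
   3: 00000000:01BB 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 44444 1 0000000000000000 100 0 0 10 0
"""

TCP_LISTEN = 0x0A  # socket state value for LISTEN in /proc/net/tcp


@dataclass
class Listener:
    addr: str
    port: int
    uid: int
    inode: int


def _decode_addr(hex_addr: str) -> str:
    # The kernel prints IPv4 addresses as a little-endian 32-bit hex word.
    raw = bytes.fromhex(hex_addr)[::-1]
    return ".".join(str(b) for b in raw)


def parse_listeners(text: str) -> list[Listener]:
    """Return every socket in LISTEN state, with its owning uid."""
    listeners = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        local, state = fields[1], int(fields[3], 16)
        uid, inode = int(fields[7]), int(fields[9])
        if state != TCP_LISTEN:
            continue
        addr_hex, port_hex = local.split(":")
        listeners.append(Listener(_decode_addr(addr_hex), int(port_hex, 16), uid, inode))
    return listeners


def root_listeners(text: str) -> list[Listener]:
    """Listening sockets owned by uid 0 and reachable from the network."""
    return [l for l in parse_listeners(text)
            if l.uid == 0 and not l.addr.startswith("127.")]


if __name__ == "__main__":
    for l in root_listeners(SAMPLE_PROC_NET_TCP):
        print(f"root-owned listener {l.addr}:{l.port} (inode {l.inode})")
```

On a real device, read the text from /proc/net/tcp (and /proc/net/tcp6) and map each inode to a process via /proc/<pid>/fd to name the service.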
The government is therefore keen to improve baseline security across enterprise IoT devices sold in the UK, as it did for consumer devices via its Product Security and Telecommunications Infrastructure (PSTI) Act.
“We must now act to ensure that connected devices used in a business context are also afforded better protection throughout their lifecycles,” said AI and digital government minister, Feryal Clark.
“I am therefore pleased to announce this call for views on the Cyber Security of Enterprise Connected Devices. The government is proposing a two-part intervention, including the publication of a code of practice and several policy interventions that are being considered to boost uptake of important security requirements.”
Three Proposals for More Secure IoT Devices
The code of practice will be based on an “11 principles” guidance document co-authored by the National Cyber Security Centre (NCSC) and DSIT in 2022.
Following disappointing take-up of its key elements, the government wants to improve industry engagement by implementing some or all of the following:
- A voluntary pledge that manufacturers of enterprise connected devices could sign up to, in order to improve the security of their products and show IT buyers they are a trusted brand
- A new global standard based on the Code of Practice for Enterprise Connected Device Security, which would build on existing standards for consumer IoT devices. This could “increase trust and confidence in a manufacturer’s devices and provide coherent security protections across international markets,” according to the government
- Legislation to enshrine the code’s principles into law, potentially by updating and broadening the PSTI Act
“Unlike consumers, businesses have a greater capability to ensure that important security mitigations are in place, such as having dedicated staff to ensure that security updates are promptly rolled out to fix issues and a greater understanding of their network,” DSIT noted.
“We will therefore consider placing specific obligations on businesses and other end users to take specific actions.”