How Could Your Business Benefit from the Government’s New Legislation on IoT Security

How Could Your Business Benefit from the Government’s New Legislation on IoT Security

As businesses increasingly integrate Internet of Things (IoT) technology into their operations, the security of these devices and the privacy expectations this security is designed to meet have become important concerns for businesses to wrestle with. This is a global challenge but here in the UK new legislation, set to come into effect on 29 April 2024, is being introduced to help safeguard against the inherent vulnerabilities of IoT technology – the Product Security and Telecommunications Infrastructure (PSTI) Act.

This article will take a look at what is being done to improve IoT security in the UK, the vulnerabilities of IoT devices and the things we can all do to meet best practices in this arena.

Why is IoT Security so Important Today?

Our shared race towards interconnectivity is creating opportunity and risk in equal measures. The potential for security breaches through IoT devices poses a real threat to the operational integrity and privacy of all businesses, no matter their sector. From smart office systems to connected manufacturing equipment, the proliferation of IoT devices has unlocked new efficiencies and capabilities, but with this advancement has come heightened risks of cyberattacks, data breaches, and unauthorised surveillance, making robust security measures a non-negotiable aspect of IoT technology management.

Privacy concerns stem from the potential for IoT devices to collect, store, and transmit personal information and this has led to a groundswell of determination to create legislation that would mitigate these risks.

A Few of the Vulnerability Risks in Play

To explore the specific vulnerabilities we’re referring to, here is a little list. It’s not likely to be a complete one, but it may provide context and help you to consider what should be included within the IoT security measures your organisation has in place:

• Weak Passwords: Often security is all about keeping those without authorisation out of systems they should not be in. Maintaining a strong, monitored and regularly stress-tested password protocol within your organisation is a good starting point.
• Insecure Network Services: Devices that run unnecessary or insecure network services, especially those exposed to the Internet, run the risk of compromising the confidentiality, integrity, or availability of information.
• Insecure Ecosystem Interfaces: Device integrity can be compromised by weak web, backend API, and cloud or mobile interface security.
• Lack of a Secure Update Mechanism: Devices with insufficient firmware validation pose a risk as known security flaws could be exploited by those looking to gain unauthorised access.
• Insufficient Privacy Protection: Inadequate storage or processing of user personal information can lead to it being accessed and used to action a breach.
• Insecure Data Transfer and Storage: Insufficient encryption or access control for sensitive data – whether at rest, in transit, or during processing – can jeopardise data integrity and confidentiality.
• Lack of Adequate Device Management: Insufficient management of devices during updates or secure decommissioning can leave systems vulnerable to unauthorised access and surveillance.
• Insecure Communications: Data transmissions between devices without encryption are susceptible to interception, potentially exposing sensitive information.
• Lack of IoT Security Updates: When devices go without timely security updates, they will be more vulnerable to attack from known security flaws.
• Insufficient Authentication and Password Hygiene: Inadequate measures to verify user identities can allow unauthorised access to IoT endpoints and systems.

IoT Security Breach Examples

It can be easy to create a false sense of security, believing that your organisation has done enough to protect itself from the vulnerabilities of IoT devices, but IoT security issues can strike any business at any time so here are a couple of examples to highlight this.

1. Critical Infrastructure as a Target: In August 2022, South Staffordshire PLC notified its customers that it had been a target of a cyberattack. According to ITPro, the CI0p ransomware group was behind this breach. The group claims to have had access to all the water supplier’s systems, including those used to manage the industrial process, but in the end are said to have taken 5TB of data, publishing some of it on the group’s blog and demanding money for its return.
2. Smart Buildings as a Target: In 2020, CPO Magazine reported that hackers were beginning to ‘hijack’ smart building access control systems to ‘recruit those IoT devices into botnets for launching DDoS attacks’ (distributed denial of service). Vulnerabilities in Linear eMergeTM E3 systems developed by Nortek Security & Control were brought to light in 2019, and one of these vulnerabilities in particular was identified as being exploited here. Hackers were able to obtain default passwords and identify exposed systems to facilitate their attacks. With an estimate of 75 billion IoT devices in circulation by 2025, it’s thought that this is just the start of something far more concerning.

UK Legislation Aimed at Improving IoT Security

The Product Security and Telecommunications Infrastructure (PSTI) Act was designed to be an extension to the Government’s Code of Practice for Consumer IoT Security, initially published in 2018, which offered numerous practical guidelines to IoT device manufacturers on how to develop more secure technologies to counter the increased threat to security posed by these devices.

From the end of April, the PSTI will require manufacturers of IoT devices (or ‘smart’ products) to comply with certain minimum-security requirements which:

1. Ensures that the IoT technologies that businesses buy are freer from inherent vulnerabilities
2. Requires manufacturers to be more transparent about their security features, allowing businesses to make more informed procurement decisions.
3. Obliges manufacturers to release regular updates to patch vulnerabilities.
4. Encourages manufacturers to build security into the design of their IoT devices.

The PSTI Act will not only lay down stringent security requirements for IoT products, but it will also establish clear responsibilities for manufacturers, importers, and distributors. By mandating unique passwords, ensuring transparency about security updates, and requiring a mechanism for reporting security vulnerabilities, the Government aims to set a new standard for IoT security to keep up with changes in the popularity and use of these devices.

This move towards a more regulated IoT landscape signals a pivotal shift in how businesses must approach the integration of these technologies. Understanding the regulatory approach to IoT security and privacy and how to identify and mitigate risks will allow some to leverage the full potential of IoT innovations, which are guaranteed to come thick and fast in the coming years.

Changes You Can Implement Today

Knowing the problems, weaknesses and vulnerabilities of IoT devices is a good starting point, but we thought we’d share a few best practices as well so you can get a little more value from this article:

1. Conduct Regular Security Audits: Periodically review and audit the security settings and configurations of IoT devices to ensure they adhere to the company’s security policies and standards.
2. Always Change Default Passwords: Never allow devices to remain on their default passwords as they are easily guessable and pose a significant security risk.
3. Regularly Update/Patch Devices: Ensure that all IoT devices are protected from known vulnerabilities with the latest security updates from the manufacturer.
4. Secure Network Segmentation: Separate IoT devices from critical business networks to minimise the risk of a compromised device being used as an access point to the wider network.
5. Enable Two-Factor Authentication (2FA): Add an extra layer of security by enabling two-factor authentication for all IoT device access, where available.
6. Manage Access Controls: Limit device access to the employees who need it and ensure access for ex-employees is removed in a timely manner to minimise the potential for damage from insider threats.
7. Vulnerability Oversight: Employ a robust vulnerability management process to identify, assess, prioritise, and address vulnerabilities within the IoT ecosystem.
8. Secure Wireless Networks: Ensure that wireless networks used by IoT devices are secure by employing strong encryption protocols and regularly changing your wi-fi network passwords.
9. Educate and Train Staff: Employees should be provided with awareness training on the security risks associated with IoT devices and best practices for mitigating these risks.
10. Develop a Robust IoT Security Policy: Formulate a specific security policy for IoT devices that outlines procedures for installation, maintenance, and decommissioning of devices, including how to respond to security incidents involving IoT technology.
11. Seek External Support and Expertise: Whether you require guidance at a strategic level or in the implementation and oversight of your organisation’s IoT security there are certainly times when having a dedicated team of cybersecurity specialists at your side to augment your team’s capacity and skills will come in use.

Conclusion

The Product Security and Telecommunications Infrastructure (PSTI) Act represents an important step in the UK’s efforts to mitigate the risks of an ever-expanding, interconnected digital landscape by establishing a legal framework for IoT security at a manufacturing level. However, compliance with legislation and adherence to best practices remain shared responsibilities between those who create the devices and those who use them.

The need for vigilance is paramount, so businesses today must be proactive in their efforts to set in place informed security policies and, of course, ensure that they are understood and adhered to in order to protect the organisation from the ever-present threat of a catastrophic cyberattack. The benefits, even the necessity, of keeping up with the IoT revolution are clear, but all that you look to gain through this could come crashing down if innovation does not go hand-in-hand with rigorous attention to IoT security.

For more information on IoT Security contact Assembly Managed Services.

Telephone: +44 (0)20 3795 6880

Have you enjoyed this blog? If so, why not share it on your preferred social media platform?