UK government publishes new IoT security legislation proposals

The UK Department for Digital, Culture, Media & Sport and the National Cyber Security Centre (NCSC) published a call for views on the government proposal to regulate the security of IoT devices for consumers. 

According to the proposal, consumer IoT products would have to meet three requirements: (1) device passwords must be unique and must not be resettable to any universal factory default; (2) manufacturers must provide a public point of contact so that anyone can report a vulnerability; and (3) customers must be told the minimum length of time for which the device will receive security updates. The proposal also lists the products that would fall outside this legislative framework because they are, or will be, covered by other regulation: for example, smart metering devices that require Commercial Product Assurance (CPA), electric vehicles, and medical devices (including in vitro diagnostic devices and active implantables). 

The security requirements apply mostly to manufacturers of IoT devices in the UK and to importers of such products. However, under the proposal, distributors would also be prohibited from selling, supplying, or otherwise making available products that do not comply with the defined security requirements. The proposal also covers the designation of a regulator and the enforcement measures and sanctions to be applied to those who supply or make available non-compliant products. Responses to the call for views are due by 6 September 2020. 

This call for views follows the government’s response, published last January, to its consultation on regulatory proposals for consumer Internet of Things (IoT) security.