UK Bill Signals Growing Awareness of IoT Security Risks

Awareness of, and concern over, the security implications of the flood of connected devices hitting the market is growing worldwide, and governments are taking notice. Here in the U.S., it started after it was discovered that internet-connected security cameras made in China, and in common use at Department of Defense facilities, were sending data back to their manufacturers. That prompted Congress to take targeted action prohibiting the purchase of communications gear made in China. The Secure Equipment Act of 2021 was signed into law on November 11, 2021.

But insecure IoT and Internet-connected devices aren’t a problem limited to products made overseas. The journal EE Times recently reported that the security of connected devices is a major concern, and that manufacturers of such products are not reporting known issues and vulnerabilities with their goods.

New UK Bill Aims to Protect Consumers

Now, a new law being considered in the UK seems intended to protect consumers from the threats associated with insecure connected devices. The Product Security and Telecommunications Infrastructure (PSTI) Bill is expected to become law sometime in 2022 and would establish new rules for Internet-connected devices made and marketed to consumers. PSTI would prohibit universal default passwords, require transparency about known security flaws and the actions being taken to mitigate them, and require the creation of better public reporting systems for discovered vulnerabilities.

Industry research, current events, and laws like PSTI show that personal and enterprise security have never been more intertwined, or more exposed. Vulnerabilities in Internet-connected devices don’t just put consumer data at risk; they also put the integrity of corporate and government enterprises in jeopardy. While PSTI is focused on the consumer-grade IoT market, we know many such devices make their way onto corporate and government networks.

Consumer Devices are Connecting to Commercial, Government Networks

Ordr’s own research (Rise of the Machines 2021: State of Connected Devices — IT, IoT, IoMT and OT) has found devices like Pelotons, Sonos speakers, Alexas, Kegerators, and many more unmanaged consumer devices connected to corporate networks and healthcare environments, often for legitimate purposes and operations. Alexa devices, for instance, are being used as substitutes for the nurse call button, turning on lights and TVs with a voice command. Pelotons are being adopted for physical therapy. Imagine if those devices were to become compromised after connecting to a hospital’s IT infrastructure.

In Ordr’s view, legislation like PSTI should be expanded to cover an even broader array of devices, including those designed specifically for the enterprise as well as the consumer. Enterprise devices, and even medical devices, share many of the same vulnerabilities. Instead of merely requiring transparency, PSTI should mandate designing security into IoT products, ensuring secure protocols and technologies are used for key functions.

More Awareness, Security Needed

PSTI will help make consumer devices safer, but beyond safer passwords and vulnerability management, organizations still need to consider additional security best practices, such as:

  • Maintaining a real-time inventory of devices: You can’t protect what you don’t know about. Security starts with real-time visibility of exactly what you have in your network and how those components are communicating in the network.
  • Monitoring device behaviors for suspicious communications: Devices have deterministic functions. By using machine learning to baseline what behaviors are normal, you can then identify abnormal device behavior that may be an early indication of an attack.
  • Tracking who is using your devices: By tracking and associating devices to users, you can identify compromised devices and also potential account misuse.
  • Implementing Zero Trust segmentation for vulnerable devices that cannot be patched: Zero Trust segmentation policies can keep these devices in operation by allowing the “normal communications” required for their function, while limiting exposure.
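The second and fourth practices above share one building block: a per-device profile of normal communications, which both flags deviations and defines the allowlist a segmentation policy enforces. The following is an added example, not Ordr's code; it substitutes a simple set-based baseline for the machine-learning baselining the text describes, and the device names, destinations and flow records are constructed for illustration.

```python
from collections import defaultdict

# Constructed baseline window: flows observed while each device behaved normally.
# Each record is (device, destination, destination_port).
BASELINE_FLOWS = [
    ("alexa-ward3", "avs-alexa.example-cloud", 443),
    ("alexa-ward3", "avs-alexa.example-cloud", 443),
    ("alexa-ward3", "ntp.example-cloud", 123),
    ("peloton-pt1", "api.example-fitness", 443),
    ("peloton-pt1", "stream.example-fitness", 443),
]

# Constructed live window: the Alexa stays in profile; the Peloton, a device with a
# fixed function, starts reaching an internal records server over SMB and SSH.
LIVE_FLOWS = [
    ("alexa-ward3", "avs-alexa.example-cloud", 443),
    ("peloton-pt1", "api.example-fitness", 443),
    ("peloton-pt1", "ehr-db.hospital.internal", 445),  # never seen in baseline
    ("peloton-pt1", "10.20.30.40", 22),                # never seen in baseline
]


def build_baseline(flows):
    """Learn each device's set of normal (destination, port) pairs."""
    baseline = defaultdict(set)
    for device, dest, port in flows:
        baseline[device].add((dest, port))
    return baseline


def find_deviations(baseline, flows):
    """Return live flows whose (destination, port) is outside the device's baseline.

    A device with no baseline at all (an unknown device) has every flow flagged,
    which is the inventory gap the first practice warns about.
    """
    return [(device, dest, port) for device, dest, port in flows
            if (dest, port) not in baseline.get(device, set())]


def segmentation_policy(baseline, device):
    """Zero Trust allowlist: permit only the baselined communications, deny the rest."""
    rules = [f"allow {device} -> {dest}:{port}"
             for dest, port in sorted(baseline.get(device, set()))]
    rules.append(f"deny {device} -> any")
    return rules
```

Rules are emitted in a generic `allow`/`deny` notation; translating them into a firewall's or NAC system's own policy syntax is left to the reader.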

We believe PSTI is a good start, but much more remains to be done to make all internet-connected devices, and the people and organizations that use and rely on them, safe.

About the Author

Danelle Au has more than 20 years of experience bringing new technologies to market. Prior to Ordr, she was CMO at Blue Hexagon, a deep learning for malware protection company, and CMO at SafeBreach, where she helped build the marketing organization and define the Breach and Attack Simulation category. Previously, she led strategy and marketing at Adallom, a cloud security company acquired by Microsoft. She was also Director, Security Solutions at Palo Alto Networks, driving growth in critical IT initiatives like virtualization, network segmentation and mobility. Danelle was co-founder of a high-speed networking chipset startup, co-author of an IP Communications book and holds 2 U.S. patents. She has an MSEE from UC Berkeley.