Legislating for Security in Consumer IoT

Copper Horse CEO, David Rogers discusses today’s UK government announcement on legislation for consumer IoT security.

Today marks another step along the road for IoT security – the teeth of legislation and regulation to deal with companies that do not implement security in their consumer IoT products. It is likely that the UK will become the first country in the world to legislate on IoT security.

In May 2019, the UK government launched a consultation into regulation for the security of consumer IoT. The consultation is now complete, with 49 responses and a decision to move ahead with legislating for the top 3 items from the Code of Practice for Consumer IoT Security and ETSI TS 103 645 (pdf). Work is ongoing to bring the ETSI TS to a full European Standard or EN – the draft EN is currently out for review (pdf) until the end of February with National Standards Organisations.

For everyone, the time to act is now

From a personal perspective, I really think this is a huge step. Over the past couple of years I’ve been privileged to work with a fantastic team at DCMS and the NCSC who have been really motivated to help people and understand the problem space. The consumer support for legislation is there and we know that security can be implemented by manufacturers because some companies are already doing it and the security technology is available to be used. We already knew what good looked like – we just wrote it down and prioritised it. What we’ve seen is support from a number of countries and organisations and a recognition that acting now to address the fundamental security concerns is the right way forward.

We also know to a certain extent what the real situation is like in the market. In 2018, we conducted research on behalf of the IoT Security Foundation which showed that fewer than 10% of the manufacturers we surveyed had any way for a security researcher to contact them. The results of our follow-up survey are out this quarter and will reflect a broadly similar situation. Security by design is a concept that some companies choose to ignore because they think that they can get away with it or it doesn’t matter. Well, if you want to ship products to the UK in the future, you had better get your act together pretty quickly.

Considerations

One of the things that I think we need to be aware of is the danger of penalising ‘good’ manufacturers, rather than the rogue ones. I’ve seen this before with work I’ve done against counterfeit and so-called ‘sub-standard’ electronic products. Some measures that are proposed against counterfeit only increase the cost for the ones who will abide by the rules anyway, while the rogue ones get away with continuing to do nothing. In this case, I think we have the balance right. The measures being put forward are a foundational baseline, these are things that are really fundamental, but if not implemented can cause huge consumer harm. Default passwords in consumer devices in this day and age are well, pretty stupid when there are better, safer alternatives for enrolling users to devices and for initiating products from factory defaults. What we’re also asking for is transparency:

  • in access – for security researchers who want to report vulnerabilities to manufacturers easily and;
  • about the minimum length of time that devices will get security updates.

Both of these areas will serve to demonstrate a responsible, public commitment by manufacturers to addressing and resolving discovered security issues. Primarily, manufacturers should be honest towards consumers.

Last year when we created our mapping website, https://iotsecuritymapping.uk , we set out to both help manufacturers to understand how the UK’s Code of Practice mapped to the existing body of work and guidance on IoT security and privacy but also to provide some reassurance that what we were saying was not unusual – in fact, there was a broad consensus on what we were recommending, the fragmentation was really just in the semantics of how documentation from across the world was written. We made that available as open data precisely to help in the process of defragmentation and facilitation of common understanding. The decision by DCMS to translate the Code of Practice into multiple languages reduced the barrier to entry and understanding and acknowledged the truly global nature of both the electronics and software supply chain as well as the designers, security experts and security researchers across the world.

Next steps

The next few months are going to be hard work. My own anxiety is that there will also always be edge cases – those points at which adjustments need to be made or possibly where we haven’t considered certain use cases. I’m certain that the team working on it are conscientious and will work to understand manufacturer concerns and the feedback from the public consultation. Ultimately in all of this, we have had a choice – sit on our hands and wait for things to get worse or get on do something and make the world a safer place. We chose action over procrastination.

More reading on this topic:

Mapping New IoT Security Recommendations

In late 2018, to coincide with the launch of the UK’s Code of Practice for Consumer IoT Security we launched a website: iotsecuritymapping.uk which mapped IoT recommendations and standards from around the world. Our previous blog explains more of the detail. Earlier this year, we updated the site to include the European Telecommunications Standards Institute (ETSI) Technical Specification, TS 103 645 (pdf) which originated from the Code of Practice.

Today we have launched an updated version of the mapping site which stretches the landscape further with a number of new recommendations from around the world. These have either been sent to us as a result of people hearing about the original mapping work or work that we’ve seen launched since then.

The Windsor landscape towards the Copper Horse

The following additional recommendations are added, from all over the globe including Japan, South Korea and the USA:

Some recommendations we looked at had been updated, but these were either minor editorial changes or had changes not relevant to mapping against the Code of Practice, in these cases, the mapping was not updated.

Updating the External References

One useful thing we created last time was a mapping of external references from the recommendations – it is quite useful to understand where things are happening, which bodies are at least judged to be the most relevant. We’ve further updated this and it is no surprise that organisations like the IETF with massive contribution from industry are the most referenced and essentially used while other organisations like the ITU who try and lay claim to IoT are hardly referenced. We believe this work is the first time that any organisation has attempted to lay out these relationships, to break open the marketing hyperbole with real, factual data.

What are we observing and what does it mean?

There is a broad consensus on what needs to be done in IoT security, which is quite nice to see. Pretty much everyone who is looking at the problem is saying the same thing in different ways. The consumer space seems to be a common starting point because that is where the problem is most visible, but clearly the majority of this work provides a common foundation which is applicable across all IoT ‘verticals’ from industrial IoT, to connected cars.

There are differences in the level of abstraction in recommendations – some are very detailed, others at a high level. This is not a massive problem, it is just that more detailed and specific recommendations can be a real barrier to adoption. It can also affect innovation because detailed specifications tend to deal with the status quo of what exists now. They fail to consider or accommodate the possibility that someone could create something securely without doing exactly what has been put into a bit-level recommendation or standard. It can also affect organisations implementing security in the first place because detailed specifications look daunting. A high level recommendation is easier to access and implement (within the spirit of what is being asked), however it suffers from the fact that people could pay lip service to it or that more detail may be necessary to stop people doing something insecure. We need to find a happy medium between the two approaches for real security success in such a varied market as IoT.

The gaps between the specifications are going to get interesting – where is there divergence and why is that? This looks to be a key piece of work for the future and we may explore that in the coming year.

Keeping the site updated

We’ll keep updating the mapping site until there is a natural end. There is work ongoing which will rationalise these efforts at an international standards level. Once that has happened and there is consensus, we’ll have hopefully achieved what we set out to do – unification and defragmentation of IoT security; at least for the fundamental foundations. We hope you find the latest update useful and do please keep sending your feedback to us.

Mapping IoT Security and Privacy Recommendations and Guidance

 

The UK’s work on consumer IoT security and privacy, led by the Department for Digital, Culture, Media & Sport (DCMS) has been continuing since the publication of its work on Secure by Design and the Code of Practice for Consumer IoT Security went out for public comment in March 2018. Our team has been working on mapping IoT security and privacy guidance to the Code of Practice and we’re now launching https://iotsecuritymapping.uk to support the initiative, including hosting open data files with all the various mappings contained within.

 

 

We believe this is going to be really helpful for so many companies and organisations involved in IoT. It will help to defragment the standards space and it will help companies to understand how to improve security by telling them which recommendations facilitate implementation of the UK’s Code of Practice.

 

You can read our CEO’s blog on this topic here.