Cyber security and the Internet of things: UK Government’s secure by design principles for manufacturers and others

United KingdomScotland

In March 2018, the UK Government, in collaboration with the National Cyber Security Centre and a range of stakeholders, including industry, academia and consumer bodies, published a report on “Secure by Design: Improving the cyber security of consumer Internet of Things”. The report advocates a “fundamental shift” in the approach to security for Internet of things (“IoT”) devices and associated services, by moving the burden away from consumers having to secure their IoT devices and instead requiring that manufacturers and others in the IoT value chain build strong cyber security into such devices by design.

A number of the recommendations are closely aligned with the requirements of the EU’s Generation Data Protection Regulation (“GDPR”) and the UK’s new Data Protection Act 2018 (“DPA 2018”), both of which began to apply on 25 May 2018. It remains to be seen how exactly the UK’s data protection authority (the Information Commissioner’s Office (“ICO”)) will enforce the new legislation, particularly in the IoT context. But it’s clear that, when designing IoT products, stakeholders would be wise to implement the recommended guidelines to the maximum extent possible to demonstrate that they are taking privacy and cyber security seriously.

To read the Government’s press release and for access to the full report, click here.

Background

IoT is the term commonly used to describe the growing body of products that are able to interact with each other and with their users by being connected to the Internet. Examples include smart home devices, wearable tech and connected vehicles. The number and type of IoT devices and associated services are growing rapidly, with forecasts suggesting that there will be approximately twenty billion IoT devices worldwide by 2020[i] and that the number of these devices per UK household could rise from approximately ten to fifteen over the same period[ii].

The Government recognises the potential of IoT devices and has made it clear that as part of its Digital Strategy it wants to enhance the UK’s status in the development and uptake of IoT. However, it is also concerned to ensure that increased connectivity via the IoT does not compromise individual consumer privacy, safety and security, or increase the risk of large-scale cyber attacks impacting the wider economy. This is the focus of the Government’s IoT report.

Draft Code of Practice for consumer IoT

At the crux of the report is a draft Code of Practice, which is intended to apply to the following types of IoT stakeholders:

  1. Device manufacturers: Organisations that create an assembled final Internet-connected product (which may comprise the products of other manufacturers);
  2. IoT service providers: Organisations that provide services such as networks, cloud storage and data transfer which are incorporated into, or offered as part of, IoT devices;
  3. Mobile application developers: Organisations that develop and provide applications which run on mobile devices, which are often used to interact with IoT devices; and
  4. Retailers: The sellers of IoT devices and associated services to consumers.

It recommends thirteen practical guidelines for improving cyber security, the first three of which the Government stresses need to be addressed as a matter of priority by IoT stakeholders:

  1. No default passwords: All IoT device passwords must be unique and not resettable to any universal factory default value. The report provides that this guideline primarily applies to device manufacturers;
  2. Implement a vulnerability disclosure policy: All organisations that provide Internet-connected devices and services must provide a public point of contact as part of a vulnerability disclosure policy in order that security researchers and others are able to report issues. Disclosed vulnerabilities should be acted on in a timely manner. This primarily applies to device manufacturers, IoT service providers and mobile application developers; and
  3. Keep software updated: All software components in Internet-connected devices should be securely updateable. Updates must be timely and must not impact on the functioning of the device. An end-of-life policy must be published for end-point devices which explicitly states the minimum length of time for which a device will receive software updates and the reasons why. The need for each update should be made clear to consumers and an update should be easy to implement. For constrained devices that cannot physically be updated, the device should be isolatable and replaceable. This primarily applies to device manufacturers, IoT service providers and mobile application developers.

In addition to these three high-priority guidelines, IoT stakeholders are expected to securely store credentials and other sensitive data, minimise exposed attack surfaces and make installation and maintenance of devices easy for consumers. The report also proposes the development of a product labelling scheme so consumers can easily understand the security features of an IoT device at the point of purchase.

Personal data is at the heart of two of the guidelines in the draft Code of Practice (numbers 8 and 11). These emphasise the importance of ensuring that IoT devices and associated services comply with applicable data protection law to the extent that they collect and process personal data. Device manufacturers and IoT service providers must provide transparent information to consumers about how their data are used, by whom and for what purposes, for each device and service. This also applies to any third parties that may be involved, including advertisers. Devices and services should also be configured in such a way that personal data can easily be deleted upon request by a consumer, and device manufacturers, IoT service providers and mobile application developers are all expect to provide clear instructions to consumers on how they can do this. The guidelines therefore clearly emphasise the importance of the GDPR and DPA 2018 in relation to IoT devices, especially as regards “data protection by design and by default”, security of processing personal data collected through such devices, and the information notice and other data subject rights requirements.

Spotlight on connected vehicles

The draft Code of Practice is part of a broader set of Government initiatives designed to encourage responsible innovation through the IoT and other digital technologies. For example, last year the Government announced a three-year £30 million UK IoT Programme, which includes the Cityverve smart cities demonstrator in Manchester, showing how IoT technologies and services can improve local services. The impact of the guidelines on smart cities and smart mobility more generally will be particularly interesting to watch. As vehicles and the surrounding transport infrastructure become increasingly connected, the risk of hacking and security breaches becomes an ever more pressing concern. This is particularly stark in this context, as it could lead not only to personal data being compromised, but also to lives being put at risk. Consequently, there is an increasing need for stakeholders in the automotive industry to work in close collaboration with Government to ensure that cyber security is prioritised as automotive IoT technologies advance.

Next steps

The Government is seeking input from industry and other key stakeholders to refine the draft Code of Practice ahead of publication of a final version in summer 2018. Following this, the Government has said it will release supporting documentation to aid implementation, including a compliance framework setting out the practical measures needed to adhere to the guidelines within the Code of Practice for every part of the IoT device lifecycle.

The Government hopes that the Code of Practice will incentivise industry to incorporate more robust cyber security into the design of IoT devices and associated services voluntarily, and it seems a good first step in encouraging IoT stakeholders to prioritise cyber security to an appropriate extent. However, the Government has said that if adequate cyber security is not adopted, and quickly, it will consider making the guidelines compulsory through law. It will review progress through 2018 and we look forward to updating our readers on this, as well as developments in relation to the enforcement of the GDPR and DPA 2018, during the course of the year.

[i] Gartner report on scale of connected devices by 2020, 2017: https://www.gartner.com/newsroom/id/3598917. This figure excludes smartphones, tablets and computers.

[ii] WRAP report ‘Smart Devices and Secure Data Eradication’, 2016: http://www.wrap.org.uk/sites/files/wrap/Data Eradication report Defra.pdf