UK Considers New Enterprise IoT Security Legislation


The UK government has initiated a Call for Views in response to a newly released study highlighting significant security vulnerabilities within enterprise Internet of Things (IoT) products. This initiative is intended to explore potential policy interventions that can enhance the security of these devices.

Commissioned by the Department for Science, Innovation and Technology (DSIT), the research conducted by NCC Group evaluated a selection of devices, including a high-end and low-end camera, a Voice over IP (VoIP) device, a meeting room panel, and a Network Attached Storage (NAS) device. The findings revealed 50 distinct issues, among which one was classified as critical and nine rated as high severity.

Key findings include:

– Several serious remote code execution (RCE) vulnerabilities that could allow an unauthenticated attacker to take complete control of a device.
– The presence of outdated software in multiple devices, with one bootloader being over 15 years old.
– A majority of devices were susceptible to complete compromise through physical access, allowing an attacker to install a persistent backdoor.
– Most devices executed processes as a root user, which could grant an attacker unrestricted access.
– Insecure configurations of various services, applications, or features were noted.
– Variability in compliance with the National Cyber Security Centre (NCSC) Device Security Principles and the ETSI EN 303 645 standard.

Consequently, the UK government is striving to enhance the baseline security for enterprise IoT devices sold within the country, mirroring the legislative actions taken for consumer devices under the Product Security and Telecommunications Infrastructure (PSTI) Act.

“We must now act to ensure that connected devices used in a business context are also afforded better protection throughout their lifecycles,” stated AI and digital government minister, Feryal Clark. “I am therefore pleased to announce this call for views on the Cyber Security of Enterprise Connected Devices. The government is proposing a two-part intervention, which will include the publication of a code of practice and several policy interventions designed to encourage compliance with critical security requirements.”

Proposed Enhancements for IoT Security

The forthcoming code of practice will be informed by an “11 principles” guidance document developed by the NCSC and DSIT in 2022. To address the lackluster adoption of its key elements, the government is contemplating the implementation of one or more of the following measures:

– A voluntary pledge for manufacturers of enterprise-connected devices that enhances their commitment to improving security and demonstrates their trustworthiness to IT buyers.
– A new global standard designed around the Code of Practice for Enterprise Connected Device Security, potentially enhancing trust and coherence in security protocols across international markets.
– Legislation that would codify the principles outlined in the code, potentially through the extension of the PSTI Act.

The DSIT acknowledged the fact that, unlike consumers, businesses are better equipped to implement essential security measures. “We will therefore consider placing specific obligations on businesses and other end users to take specific actions,” they stated.

These proposed actions signify a crucial step toward establishing improved security frameworks for enterprise IoT devices, which are increasingly integral to business operations. By engaging manufacturers and encouraging adherence to heightened security standards, the government aims to proactively mitigate the risks associated with these devices.