Cybersecurity of consumer smart devices takes centre stage post-pandemic
by Alex Rennie on 03 Jun 2021
The Internet of Things (IoT) was already expected to change the way we live and work long before COVID-19 began spreading around the globe in late 2019. After a year in which human to human contact has been necessarily constrained, contact between all manner of devices has become more important than ever. A growing amount of economic activity is taking place remotely, and whilst some of this may shift back to an “offline” mode once the pandemic recedes, the move towards a greater dependence on internet connected devices long predates the pandemic, and so will almost certainly outlast it.
The pandemic has given a boost to telemedicine, with an increased use of IoT devices, in the form of smart wearables and sensors, to monitor high risk patients remotely. Greater working from home is likely to increase demand for IoT devices that can track and monitor employees’ output, or that can improve their productivity. Retail is another area ripe for IoT disruption, with Amazon launching in London its first cashier-free store outside the US in March 2021.
As more and more vital activity becomes dependent on smart devices, the question of cybersecurity is likely to grow in salience. The EU’s recent Cybersecurity Act notes:
“Digitisation and connectivity are becoming core features in an ever growing number of products and services and with the advent of the internet of Things (IoT) an extremely high number of connected digital devices are expected to be deployed across the Union during the next decade. While an increasing number of devices is connected to the internet, security and resilience are not sufficiently built in by design, leading to insufficient cybersecurity.”
Policymakers in both the UK and the EU had begun considering this question already. Here is the latest state of play:
The UK Government’s recent Queen’s Speech contained a commitment to introduce the Product Security and Telecommunications Infrastructure Bill in this Parliamentary session. This legislation will put into law the proposals to regulate the cyber security of consumer smart products outlined by the Department for Digital, Culture, Media and Sport (DCMS) in its response to a consultation on the issue. Under the proposals, all consumer network-connectable devices and their associated services will need to comply with three new security requirements. These are: a ban on universal default passwords; a vulnerability disclosure policy to allow any security issues to be reported in an accessible way; and a requirement to provide transparency, at the point of sale, regarding the minimum amount of time during which a product will receive security upgrades. These new rules will apply to almost all IoT products, from smart TVs to connected appliances to wearable health trackers. The new law will place obligations on manufacturers and distributors, enforced by a body with powers to impose a range of sanctions, including criminal prosecution. The Government is also clear that it plans to update cybersecurity requirements for such products more frequently and to adjust the scope of the legislation as the regulatory, technological and risk landscape changes, so companies making smart consumer devices will need to contend with more frequent regulatory changes.
Products not covered by these plans, such as medical devices or electric vehicles, are out of scope either because they are already covered by similar regulations, or soon will be. Smart medical devices, for example, are governed by the Medical Devices Regulations 2002, which provides for a system of medical device conformity assessment. The Medicines and Medical Devices Act 2021 will allow the 2002 Regulations to be updated to impose new obligations on the manufacture, marketing and supply of medical devices. As more and more patients with long-term conditions are monitored remotely in their homes via smart sensors and medical devices, it will now be easier for the Government to update cybersecurity requirements for such devices as the technology develops.
The proposed updates to cybersecurity requirements for smart consumer products are the latest in a succession of recent policy initiatives led by DCMS on this issue. The Department began working with the UK National Cyber Security Centre on the issue back in 2018, when it produced a Code of Practice for Consumer Internet of Things Security. It provides thirteen sets of guidelines for parties involved in the development, manufacture, and retail of consumer IoT to ensure that IoT devices are secure by design. The Government expressed its disappointment with industry’s take up of the code, however, noting that “poor security” is still “commonplace.” It is for this reason that the Government decided to move ahead with further legislation, and we can expect that preference for new regulations to be repeated as more and more devices are connected to the internet.
The UK Government supports the development of the first industry standard on consumer smart product security. ETSI European Standard 303 645, published in June 2020, establishes a security baseline for consumer IoT devices. It is based on the UK Government’s Code of Practice but tailored for European and global industry needs. The standard provides a basis for future Internet of Things product certification schemes, making new standards more likely.
To encourage uptake of the Code of Practice and the new ETSI standard, the Department for Digital, Culture, Media and Sport also launched a grant programme for consumer IoT assurance schemes, which provided eligible organisations with funding to set up such schemes. The successful applicants explore different aspects of the consumer IoT landscape: The Internet of Toys Assurance Scheme, Smart TV Cyber Security Assurance, and IASME IoT Security Assured, based on self-assessment. Similar schemes are possible in future.
The Council of the European Union adopted conclusions on the cybersecurity of connected devices on 2 December 2020, which noted that smart devices will play a “key role in further shaping Europe’s digital future, and so will their security.” The conclusions also stressed the need to consider whether horizontal legislation will be required in the long term to address the cybersecurity of IoT devices, addressing issues such as availability, integrity, confidentiality.
Several existing pieces of legislation on cybersecurity, however, cover at least some IoT devices. The European Electronic Communications Code defines machine to machine communication as an electronic communication and contains certain provisions on encryption standards which IoT devices have to follow. Member States were required to update their national regulations to reflect the new Code before the end of 2020. The Code is not prescriptive, however, and it is up to the manufacturer to determine standards.
The Cybersecurity Act, meanwhile, provides for an EU-wide cybersecurity certification framework for digital products, services, and processes, including IoT products. The framework will create schemes for a specific ICT-based product or service, with each scheme specifying: the categories of products and services covered; the cybersecurity requirements, such as standards or technical specifications; the type of evaluation, such as self-assessment or third party; and the intended level of assurance. The Act means that there is now a common cybersecurity certification approach in the European internal market for IoT products. It also gives a permanent mandate to ENISA, the EU cybersecurity agency, and grants it the responsibility for preparing the technical ground for specific certification schemes and of informing the public on those schemes.
More recently, the EU adopted its Cybersecurity Strategy in the Digital Decade on 16 December 2020, which envisages “an evolutionary path towards a widespread Internet of Secure Things.” High cyber security standards for connected devices is a key component of the strategy, and the overall objective of the strategy is to prevent a single badly protected object becoming a single point of failure. A new Joint Cyber Unit will work to protect the EU from cyber attacks, whilst a network of AI-enabled Security Operations Centres called the European Cyber Shield will be developed to detect signs of cyberattack and enable preventive action before damage occurs.
The Commission has also, via its Horizon 2020 research programme, provided funding for secure solutions for the Internet of Things. A cluster of eight research projects has been developing modular frameworks that can be deployed and integrated into new and existing solutions for a broad range of application areas including assisted living, healthcare, manufacturing, food supply, energy, and transportation. These modular frameworks are intended to be reused and integrated in other solutions for a broader spectrum of possible applications.
The latest figures show that 49% of UK residents have purchased a smart device since the start of the COVID-19 pandemic, with the average UK household owning over nine such devices in 2020. This offers great socioeconomic opportunity, but as the number of connected devices rises, so will regulatory and legislative action to protect those opportunities from cybersecurity risks. It is time for IoT businesses to engage with policymakers.
Written by Alex Rennie
Alex provides political analysis and monitoring for clients in the emerging technology sector, with a particular focus on drones.