May 13, 2022

UK must lead not lag in IoT Security Regulations

By Darron Antill, CEO of Device Authority

The global number of connected devices is expected to reach 27 billion by 2025, accounting for 50% of all internet connections, yet this is only the tip of the iceberg in terms of the potential of IoT at scale. It is widely reported that security is a significant barrier to the adoption of IoT, so it is no surprise that governments around the world have been introducing increased regulation and compliance requirements to address this, albeit slowly.


From Europe’s WP.29 standard for the automotive sector to Biden’s 2021 Executive Order and its Software Bill of Materials requirement designed to protect critical infrastructure, governments have realised the need to address the security of connected devices at enterprise level: to protect national infrastructure, companies and customers from the threat of cyber-attack, and to allow businesses to adopt IoT technology with minimised risk.


In a similar vein, the PSTI Bill in the Queen’s Speech this week requires device manufacturers to refrain from using default passwords, to reveal when security updates will be provided, and introduces the mandatory disclosure of known vulnerabilities. However, the NCSC has acknowledged that this does not necessarily go far enough for IoT at enterprise level, where the threat landscape is more complex, and as a result it has released a new enterprise-focused Device Security Principles framework to tackle this. It includes a move away from the traditional network perimeter to zero trust, and the detection of compromise through device health. Both are good and important steps forward for IoT security, with enhanced deployment and management of machine identities sitting at the heart of a zero trust architecture.


Whilst the NCSC has set out its advice to device manufacturers to enable them to meet these guidelines, and has also set about ‘comparing the principles against international frameworks and standards’, the success of the PSTI Bill lies in the strength of its enforcement. It is important to note that the NCSC’s enterprise-focused guidelines are not mandated; they rely on companies adopting them voluntarily, largely in pursuit of commercial advantage.


It could also be argued that the UK’s regulations fall short of some other global regulations. Take the mandatory disclosure of vulnerabilities by device manufacturers as an example. This will undoubtedly leave customers better informed and able to take action to protect themselves, but it is lacking when compared to the US Software Bill of Materials requirement, which obliges device manufacturers to maintain an SBOM: a full software inventory that brings transparency to the supply chain and allows manufacturers to identify vulnerabilities and, in turn, alert customers. When you couple this with data assurance hubs such as RKVST and our own KeyScaler identity access management platform, continuous automated checks against that SBOM can be made, and potentially compromised devices can automatically be placed in quarantine until the vulnerabilities are addressed. That is a vital function when one considers the importance of IoT operations in, for example, MedTech and connected medical devices.
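To make the "continuous automated checks against the SBOM" idea concrete, here is an added example of the matching and quarantine logic. It is illustration code written for this page, not code from Device Authority, KeyScaler or RKVST; the CycloneDX-style SBOMs, the advisory feed (with placeholder ids, not real CVEs), the device names and the `quarantine_decision` threshold are all constructed assumptions. A component whose version is missing or not in a plain dotted-numeric form is treated as unassessable and therefore quarantined, rather than silently passed.

```python
"""Continuous SBOM check: match a device's software inventory against known
vulnerable version ranges and decide whether the device should be quarantined.

Added example, not Device Authority, KeyScaler or RKVST code. The SBOMs,
advisory feed and device ids below are constructed for the illustration.
"""
import json
from dataclasses import dataclass
from typing import Optional

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # placeholder id, not a real CVE
    component: str
    introduced: str       # first affected version (inclusive)
    fixed: Optional[str]  # first fixed version (exclusive); None = no fix yet
    severity: str


def parse_version(text: str) -> tuple:
    """Turn a dotted numeric version such as '1.2.11' into a comparable tuple.
    Anything else (e.g. '1.1.1k') is rejected rather than guessed at."""
    parts = text.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str, adv: Advisory) -> bool:
    """introduced <= version < fixed, or version >= introduced when unfixed."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def check_sbom(sbom: dict, advisories: list) -> list:
    """One finding per (component, advisory) match. A component that cannot be
    assessed (no version, or an unparseable one) is reported as 'unknown'."""
    findings = []
    for comp in sbom.get("components", []):
        name, version = comp.get("name"), comp.get("version")
        for adv in (a for a in advisories if a.component == name):
            try:
                if version is None:
                    raise ValueError("no version recorded in SBOM")
                hit = is_affected(version, adv)
            except ValueError as exc:
                findings.append({"component": name, "version": version,
                                 "advisory": adv.advisory_id,
                                 "severity": "unknown", "reason": str(exc)})
                continue
            if hit:
                findings.append({"component": name, "version": version,
                                 "advisory": adv.advisory_id,
                                 "severity": adv.severity,
                                 "reason": f"{adv.introduced} <= v < {adv.fixed or 'unfixed'}"})
    return findings


def quarantine_decision(findings: list, threshold: str = "high") -> str:
    """'quarantine' when any finding is at or above the threshold severity or
    could not be assessed; otherwise 'allow'."""
    for f in findings:
        if f["severity"] == "unknown":
            return "quarantine"
        if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[threshold]:
            return "quarantine"
    return "allow"


# Constructed advisory feed (placeholder ids).
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "tls-lib", "3.0.0", "3.0.5", "critical"),
    Advisory("ADV-EXAMPLE-002", "zlib-shim", "1.2.0", "1.2.12", "medium"),
    Advisory("ADV-EXAMPLE-003", "mqtt-client", "2.0.0", None, "high"),
]

# Constructed CycloneDX-style SBOMs for three devices.
DEVICE_SBOMS = {
    "pump-01": json.loads('{"bomFormat":"CycloneDX","components":['
                          '{"name":"tls-lib","version":"3.0.2"},'
                          '{"name":"zlib-shim","version":"1.2.12"}]}'),
    "pump-02": json.loads('{"bomFormat":"CycloneDX","components":['
                          '{"name":"tls-lib","version":"3.0.7"},'
                          '{"name":"zlib-shim","version":"1.2.11"}]}'),
    "gateway-01": json.loads('{"bomFormat":"CycloneDX","components":['
                             '{"name":"mqtt-client"},'
                             '{"name":"tls-lib","version":"3.0.7"}]}'),
}


def assess_fleet(sboms: dict = DEVICE_SBOMS, advisories: list = ADVISORIES) -> dict:
    """Device id -> decision; rerun on every SBOM refresh or advisory update."""
    return {dev: quarantine_decision(check_sbom(sbom, advisories))
            for dev, sbom in sboms.items()}


if __name__ == "__main__":
    for dev, sbom in DEVICE_SBOMS.items():
        for finding in check_sbom(sbom, ADVISORIES):
            print(dev, finding)
    print(assess_fleet())
```

With these inputs, pump-01 is quarantined for a critical finding, pump-02 is allowed because its only finding is medium and below the high threshold, and gateway-01 is quarantined because one component carries no version and so cannot be assessed. Lowering the threshold to "medium" quarantines pump-02 as well; in practice the threshold and the policy for unassessable components are the parts a deployment would tune.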


As we live in an increasingly globally connected world, it seems obvious that a globally mandated standard of IoT security should be our aim if we are truly to harness the capabilities of this technology. Europe is currently lagging behind other regions in its adoption of IoT, with 57% of businesses utilising IoT solutions compared with 68% in North America and 75% in APAC, and the impact of regulation in those regions in driving IoT adoption cannot be underestimated. This is precisely why the UK should be leading in this area and not playing catch-up. The PSTI Bill is a good start, but there is a long way to go to reach the level of regulation needed to bring trust to IoT at scale.


Claire Tennant