Black Arrow Cyber Insight 30 April 2024 – UK’s New IoT Legislation Aiming to Protect Consumers From Cyber Attacks Comes into Force
Executive summary
The UK Government has released new legislation to protect consumers from cyber criminals.
The regime comprises two pieces of legislation:
Part 1 of the Product Security and Telecommunications Infrastructure (PSTI) Act 2022; and
The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023.
Now that this new legislation is in force, the UK’s consumer connectable product security regime will be enforced, aiming to protect consumers against hacking and cyber attacks. This regulation sets out the minimum security standards that all IoT (Internet of Things) devices are now legally obliged to meet.
What are the security requirements?
The regulations set out specific requirements that the relevant persons (the manufacturers, importers and distributors of the products) have to follow:
1. Passwords must be unique per product. This includes banning common and easily guessable passwords, for example admin or 12345, to prevent vulnerabilities and hacking.
2. The manufacturer must provide clear and transparent information on how to report security issues about their product. Manufacturers are also obligated to provide information on timescales for acknowledging, reporting and updating the status of security issues to the consumer until they have been resolved.
3. The manufacturers and retailers must publish to consumers, in a clear and accessible way, the minimum time for which they can expect to receive important security updates. This information should be available without prior request, in English and free of charge.
While these security requirements demonstrate the seriousness with which the Government regards cyber security, they should not be relied upon alone, and organisations should ensure they are employing their own controls such as changing default passwords, performing vulnerability scanning and conducting timely patch management. Effective cyber security requires multiple layers of defence.
The official UK Government legislation can be found below:
Need help understanding your gaps, or just want some advice? Get in touch with us.