Sunday, 29 January, 2023
IT Security Guru

UK Government Introduces PSTI Bill to better secure IoT devices

The UK has introduced the Product Security and Telecommunications Infrastructure (PSTI) Bill, which promises to protect IoT devices

by The Gurus
November 26, 2021
in Editor's News, Features

This week, the UK government put the Product Security and Telecommunications Infrastructure (PSTI) Bill before Parliament, aiming to protect everyday consumers from IoT threats, particularly as adoption of internet-facing devices rises.

The Bill will introduce new cybersecurity standards that manufacturers of IoT devices must follow, as must those that distribute and import phones, TVs, fitness devices and other handheld devices.

The legislation will also mandate that all devices that have the capabilities to connect to other devices without the need for the internet, like smart light bulbs and smart thermostats. 

It will also ban the use of universal default passwords and require manufacturers to be clear about their processes when fixing security vulnerabilities, while also creating a better framework for external parties to report issues. Manufacturers will also be responsible for investigating and managing any compliance failures.

If a company is found non-compliant with these rules, the regulator, which will be newly formed, has the power to apply heavy fines of up to £10m or 4% of its global turnover, as well as up to £20,000 a day in the case of an ongoing contravention.

The Bill has been largely welcomed by the cybersecurity sector, with the following experts providing their thoughts:

Trevor Morgan, product manager at comforte AG: 

“The UK’s proposed legislation to protect consumers’ connected homes and smart devices should be welcomed by the general public. Does it solve every issue with consumer-focused cyber-crime? No, but it makes significant headway toward raising people’s attention to the ever-present dangers posed by threat actors. Default passwords, for example, only encourage people to use devices without first changing to a stronger and more secure password, creating a wide-open vector for cyber-criminals to attempt to gain entry. Nobody should miss default passwords! Overall, anything like this proposed UK legislation that institutes common sense rules for vendors to follow and that makes people more aware of and engaged in cyber-security is a welcome step toward a safer and more secure digital home.”
 

Eoin Keary, CEO and founder of Edgescan:  

“This is great news. It may not address the tens of millions of devices out there, but it’s a positive step in the right direction. Automated attacks use dictionaries of default passwords once a device and version is identified, resulting in attacks that are very cheap and easy to mount.  

Some firms such as Netgear have been implementing stronger security controls for some time, and have done so by setting the password as a random word + a random integer (e.g. kitchn3789, annimal59838 etc) – a default/factory-set password which is different to all other devices.

An alternative solution is to deploy multi-factor authentication (MFA) which prevents password guessing attacks. However, MFA is often not suitable for many IoT devices due to the friction it causes for end users.”

Andy Norton, cyber risk officer at Armis: 

“There are other UK initiatives and laws in various countries that attempt to specify design principles that would reduce the risk of a cyber breach, such as the requirement to remove default credentials from the manufacturing process. However, legislation can only do so much. What will essentially happen is that the attack surface for consumers is going to dramatically expand as cybercriminals figure out many new opportunities to extort or steal from all these new devices.  

To combat this threat, some are suggesting a neighbourhood watch approach for IoT devices, something that can tell when your device starts acting strangely compared to its previous activity and compared to the activity of other similar devices. This form of cyber burglar alarm service will be discretionary but also vital as no one expects the average person to patch a toaster or create firewall rules for the doorbell.” 

John Goodacre – Director of UKRI’s Digital Security by Design and Professor of computer architectures at the University of Manchester:   

“Technology is relied upon by nearly everyone in today’s society in all aspects of our day-to-day lives. It reaches our children’s toys, our in-home entertainment systems, speakers and of course our smartphones. This policy provides a basis for the security requirements of those goods to be considered by manufacturers and distributors of goods. However, the policy accepts that vulnerabilities can still exist in even the best protected consumer technologies with security researchers regularly identifying security flaws in products. In today’s world, we can only continue to patch these vulnerabilities once they are found, putting a plaster over the wound once damage may have already been done. Further initiatives are needed for technology to block such wounds from happening at the foundational level. One such initiative, funded by the UK Government through UK Research and Innovation, is the Digital Security by Design Programme. Working with Industry and Academia, the programme aims to limit the impact of these vulnerabilities by taking the next step to cyber security by strengthening the hardware foundation on which software runs.”

Javvad Malik, lead security awareness advocate at KnowBe4:

“In recent years IoT and smart devices have flooded both organisations and individuals’ homes. But the security on these devices often falls woefully short of expectations. Poor authentication such as default or hard-coded passwords is a common occurrence, which makes it trivial for attackers to take control of these devices.

We’ve seen many instances where attackers have gained access to smart devices ranging from CCTV, baby monitors, toys, doorbells etc. Such access can be used to spy, cause distress, or recruit devices into a botnet to launch DDoS attacks such as we saw with Mirai.

The new legislation to ban default passwords is a small, but extremely significant first step towards ensuring better security of IoT devices. Hopefully this will raise the profile of security amongst IoT vendors and encourage them to include more robust security measures when designing new products.”