Eseye author

Eseye

IoT Hardware and Connectivity Specialists

LinkedIn

Whether intended for consumer or business use, IoT devices need to be mass produced, easy to set up, and able to work in a wide variety of environments and configurations. As a result, cybersecurity in IoT is often seen as a compromise in terms of cost, productivity, or convenience – a compromise not many manufacturers or enterprises are willing to take.

But while this has been the status quo for the early years of IoT adoption, regulators are catching on and new legislation coming into force in 2024 will force participants in the IoT ecosystem to take security seriously.

According to the IoT Security Foundation’s (IoTSF’s) “State of Vulnerability Disclosure Policy (VDP) Usage in Global Consumer IoT in 2023” report released in November 2023 and the sixth in a series, over 76% of device manufacturers do not have a vulnerability disclosure policy. In fact, of the 121 new device manufacturers added to the 2023 cohort, over 95% do not have such a policy.

Another recent survey, from Viakoo, found that 50% of companies have experienced an IoT cyber incident in the last 12 months, of which 44% were serious, and 22% threatened business operations.

The message coming through loud and clear is that not enough is being done by manufacturers or those companies deploying IoT projects with regards to security – an attitude the world’s regulators are no longer tolerating.  

The Product Security and Telecommunications Infrastructure (PSTI) Act, introduced in 2022, is a pivotal legislative framework designed to address the evolving landscape of digital security in IoT ecosystems in the UK. It came into power on April 29, 2024 and covers two important parts of legislation:

  • Part 1 of the Bill will require manufacturers, importers and distributors to comply with new security requirements relating to consumer connectable products.
  • Part 2 of the Bill will create an enforcement regime with civil and criminal sanctions aimed at preventing insecure products from being made available on the UK market.

Make no mistake, although there are references to ‘consumer IoT products’, all businesses in the IoT supply chain must ensure they are equipped to tackle potential security vulnerabilities and threats, and make certain their products meet the PSTI requirements.

Connected devices and IoT products must adhere to three security requirements:

  1. A unique password for every product
  2. Manufacturers to provide guidance on reporting product security issues
  3. Consumers to be made aware of minimum security update periods

More information about each of these can be found on the Gov.UK website.

Together the PSTI Act and PSTI Regulations work together to ensure that consumer-connectable products are more secure against cyber-attacks, protecting privacy and security.

The Government’s Office for Product Safety and Standards (OPSS) enforces the UK’s product safety regulations and aims to protect consumers and businesses alike from product-related harm. OPSS is authorized to take “appropriate and proportionate measures” against those that fail to comply with the PSTI Act 2022 and PSTI Regulations 2023.

Embedding security requirements into consumer IoT products is essential for protecting user privacy, ensuring data integrity, preventing unauthorized access, and maintaining consumer trust in an increasingly interconnected and vulnerable digital landscape.

In both consumer and business environments, this vast web of unsecured cloud-connected IoT and M2M devices significantly increases the risk surface of any organization, because unsecured devices all serve as jumping-off points for hackers, state-sponsored terrorists, and other threat actors to get access to much more sensitive parts of your infrastructure.

The security of IoT products is crucial for ten reasons:

Consumer IoT devices often collect and transmit sensitive personal information. Embedding security measures helps safeguard this data from unauthorized access, protecting user privacy.

Security requirements ensure the integrity of the data generated and transmitted by IoT devices. Tampering or unauthorized modifications can be prevented, maintaining the reliability of the information collected.

Many IoT devices, such as smart home devices or wearables, are interconnected, creating a potential attack path. Security measures prevent unauthorized access, reducing the risk of unauthorized control or manipulation of devices.

IoT devices are attractive targets for cybercriminals. Embedding security features helps protect against various cyber threats, including malware, ransomware, and distributed denial-of-service (DDoS) attacks, which could disrupt device functionality or compromise user data.

Some IoT devices, such as those used in healthcare or smart home security systems, may have direct implications for user safety. Ensuring the security of these devices is essential to prevent potential physical harm or unauthorized control. A compromised connected light bulb is a very different threat to an IoT-enabled insulin pump.

Security breaches can lead to a loss of consumer trust. By embedding robust security measures, manufacturers demonstrate a commitment to protecting their customers, which enhances brand reputation and consumer confidence.

Many regions have introduced regulations and standards related to IoT security. Complying with these requirements not only helps avoid legal consequences but also ensures that products meet industry standards for security. In the EU, the Cyber Resilience Act (CRA) is progressing into its final stages, and various cyber security frameworks in the US, such as National Institute of Standards and Technology (NIST), already recommend or mandate various security policies.

As IoT devices become more integrated into daily life, the longevity and success of these products depend on their ability to withstand evolving cybersecurity threats. Embedding security requirements helps future-proof products and ensures ongoing protection.

IoT devices are often connected to networks, and vulnerabilities in one device can potentially compromise the entire network. Implementing security measures in IoT products contributes to overall network security and prevents the spread of threats.

By integrating security features from the design stage, manufacturers can minimize the potential attack surface of the IoT devices. This involves reducing vulnerabilities and making it more challenging for malicious actors to exploit weaknesses.

Is your IoT PSTI-compliant?

Find out how to build cyber security resilience into your IoT products and comply with the PSTI Act and Regulations.

Download whitepaper
Eseye author

Eseye

IoT Hardware and Connectivity Specialists

LinkedIn

Eseye brings decades of end-to-end expertise to integrate and optimise IoT connectivity delivering near 100% uptime. From idea to implementation and beyond, we deliver lasting value from IoT. Nobody does IoT better.

Free IoT Device Assessment Speed up deployment with a free IoT device assessment.

Let our experts test your device for free. Receive a free SIM kit and speed up your IoT deployment with expert insights and seamless connectivity.