The Government proposes a two-part approach to improving the cyber security of enterprise connected devices, also known as the Internet of Things (IoT). The Department for Science, Innovation and Technology (DSIT) has made a ‘call for views’ on the subject, which runs until July 7.
Subject to feedback, DSIT proposes that its approach ‘will involve finalising and publishing the Code of Practice for Enterprise Connected Device Security and then taking steps to introduce either a voluntary pledge, developing an international standard, and/or developing new legislation, subject to Parliamentary approval’.
In a foreword to the ‘call for views’ document, DSIT minister for AI and digital government Feryal Clark says that everything from the office printer to the conference tables can connect to an organisation’s network or to the internet. “It is vital that we unlock the power of these devices across the whole economy and enable businesses to continue to benefit from the increased productivity and efficiency they offer. The growth of the connected device market is undeniable,” she says.
Such connected devices remain a hugely attractive target for cyber criminals, she adds; ‘and our adversaries as many of these devices have limited security features built in, making them an easy target’. In April 2024, the UK’s product security regulatory regime came into force, mandating baseline cyber security requirements for “consumer connectable product” under the Product Security and Telecommunications Infrastructure Act 2022.
As for the threats to IoT, the document points to ‘significant shortcomings in the security of some connected devices on the market, at all price points’. Security remains an afterthought for some UK businesses, which buy connected devices without requiring any security or procurement checks.
Global standard
DSIT is proposing a global standard based on the Code of Practice for Enterprise Connected Device Security, for manufacturers and governments to set ‘a baseline level of cyber security’. ETSI EN 303 645 is a European standard for Cyber Security for Consumer Internet of Things: Baseline Requirements; and the international standards body ISO has a draft standard 27402. As for the merits of making anything voluntary into law, the document notes that ‘given the global nature of supply chains, it can be difficult to influence the market to improve the cyber security of devices from the design stage and maintain security throughout a device’s lifecycle’; although DSIT will ‘consider placing specific obligations on businesses’.
For the ‘call for views’, visit the DSIT website.




