UK launches first IoT security law

UK launches first IoT security law is profiled by BTW Media because published evidence links it to internet infrastructure, governance, operational dependencies, or market visibility.

• The UK has become the first country to legally mandate cybersecurity standards for IoT devices. The new laws, which came into force on April 29, aim to shield consumers from cyber threats and boost the nation’s resilience against rising cybercrime.
• Manufacturers are required to build security protections and hard-to-crack passwords, publish vulnerability disclosure policies for reporting security flaws, state minimum periods for providing security updates and provide mechanisms for securely updating software.
• The automotive industry was not included in the new regime and the government is now pursuing alternative cybersecurity regulations specific to internet-connected vehicles.

The Product Security and Telecommunications Infrastructure (PSTI) of the United Kingdom has introduced the world’s first law to legally mandate cybersecurity standards for IoT devices, aiming to shield consumers from cyber threats and boost the nation’s resilience against rising cybercrime.

The new laws, which came into force this Monday, require manufacturers to build security protections into any product with internet connectivity, such as prohibiting easy-to-guess passwords on IoT devices, like “admin” or “12345”.

Also read: What is the most prevalent cyber threat from IoT devices?

Also read: What are two major concerns regarding IoT devices?

The urgent protection of household IoT devices

Manufacturers are also required by the new regime to publish vulnerability disclosure policies for reporting security flaws, state minimum periods for providing security updates and provide mechanisms for securely updating software.

“From today, consumers will have greater peace of mind that their smart devices are protected from cyber criminals, as we introduce world-first laws that will make sure their personal privacy, data, and finances are safe,” stated Viscount Camrose, Minister for Cyber.

The urgency for such protections is clear. According to a consumer advocacy group, a typical smart home could face over 12,000 hacking attempts in a week, with nearly 2,700 attempts to guess weak passwords on just five devices. Attacks like the devastating 2016 Mirai botnet incident were also a wake-up call.

The cybersecurity standards are part of the UK’s £2.6 billion National Cyber Strategy. They reflect the government’s commitment to making Britain the world’s safest place for online activities as cyber threats rise alongside IoT adoption rates.

“Businesses have a major role in protecting the public by ensuring smart products provide ongoing protection against cyber-attacks,” said Sarah Lyons, Deputy Director for Economy and Society at the The National Cyber Security Centre. “This landmark Act will help consumers make informed decisions.”

While the automotive industry was initially included, the government is now pursuing alternative cybersecurity regulations specific to internet-connected vehicles.