QuoStar’s Head of Security and resident CISO David Clarke shares his views on the new piece of legislation to protect the consumer – The Product Security and Telecommunications Infrastructure (PSTI) Bill.
“The Product Security and Telecommunications Infrastructure (PSTI) Bill supports the rollout of future-proof, gigabit-capable broadband and 5G networks, and better protects citizens, networks and infrastructure against the harms enabled through insecure consumer connectable products.” [Department for Digital, Culture, Media & Sport, 24 November 2021]
This is a very interesting piece of legislation as the “Product Security Measures” apply to manufacturers, importers, and distributors in the supply chain for consumer connectable products.
“A consumer connectable product is an internet-connectable or network-connectable product.” [Department for Digital, Culture, Media & Sport, 24 November 2021]
The PSTI Bill
The government has stated that the security requirements will apply in relation to products including:
- Connected cameras, TVs, and speakers
- Smartphones
- Connected children’s toys and baby monitors
- Connected safety-relevant products such as smoke detectors and door locks
- Internet of Things base stations and hubs to which multiple devices connect
- Wearable connected fitness trackers
- Outdoor leisure products, such as handheld connected GPS devices that are not wearables
- Connected home automation and alarm systems
- Connected appliances, such as washing machines and fridges
- Smart home assistants
The security requirements, to be set out in regulations, will:
- Ban default passwords
- Require products to have a vulnerability disclosure policy
- Require transparency about the length of time for which the product will receive important security updates.
The scale of the problem is huge: Kaspersky research counted 1.5 billion attacks against IoT (Internet of Things) devices in the first six months of 2021.
As we speak (7th December 2021) more than 300 SPAR convenience stores in the north of England have either had to revert to cash-only payments or shut altogether following a cyber-attack, after which all point of sale devices had to be taken offline, leaving the stores unable to take card payments. It is not the first time a European supermarket has been caught up in a supply chain attack this year: Sweden’s Coop stores were hit with REvil ransomware in July as a consequence of the Kaseya breach.
Ban Default Passwords
The question is, will this legislation make a difference? Removing default passwords will make a huge difference. And yet it may only delay the inevitable. Will devices have to meet a standard for passwords, e.g. a minimum length or complexity? Will the device have a lock-out period, e.g. 10 failed attempts and you are locked out? If not, password-guessing software will eventually work through a wordlist and find the password.
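The questions above (is there a minimum standard for the password, is there a lock-out threshold, and, as the article asks later, how the device stores the password at all) come down to a few lines in the device's login handler. The following is an added example written for this page, not code from the article, QuoStar or any product; the 12-character minimum, the 10-attempt threshold, the 15-minute lock-out, the hypothetical list of factory defaults and the sample wordlist are all assumptions. It runs a simulated online guessing attack against two configurations of the same handler, one without a lock-out and one with, so the difference the paragraph is asking about is visible.

```python
"""Toy login handler for a consumer connectable device.

Added example, not from the article or QuoStar. It shows a minimum password
policy in place of a shared factory default, a lock-out after a fixed number
of failures, and salted scrypt storage so the device never holds the password
in clear. Limits, default list and wordlist are assumptions for illustration.
"""
import hashlib
import os
import secrets
import time
from typing import Callable, Dict, List, Optional

MIN_PASSWORD_LENGTH = 12
MAX_FAILED_ATTEMPTS = 10          # "10 fails and you are locked out" (assumed)
LOCKOUT_SECONDS = 15 * 60         # assumed lock-out window

# Constructed sample of well-known factory defaults the policy must refuse.
COMMON_DEFAULTS = {"admin", "password", "12345678", "123456789012", "default"}


def check_password_policy(password: str) -> List[str]:
    """Return the policy violations for a candidate password (empty list = accepted)."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.lower() in COMMON_DEFAULTS:
        problems.append("well-known default password")
    classes = sum([any(c.isalpha() for c in password),
                   any(c.isdigit() for c in password),
                   any(not c.isalnum() for c in password)])
    if classes < 2:
        problems.append("needs at least two of letters, digits, symbols")
    return problems


def provision_unique_password() -> str:
    """Generate a per-unit random password: what replaces a shared default at the factory."""
    while True:
        candidate = secrets.token_urlsafe(12)   # 16 URL-safe characters
        if not check_password_policy(candidate):
            return candidate


def hash_password(password: str, salt: bytes) -> bytes:
    """Memory-hard scrypt digest; the device stores only salt + digest, never the password."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)


class DeviceAuth:
    def __init__(self, max_failed_attempts: int = MAX_FAILED_ATTEMPTS,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failed_attempts = max_failed_attempts   # 0 disables the lock-out
        self._clock = clock                              # injectable for testing
        self._salt: Optional[bytes] = None
        self._digest: Optional[bytes] = None
        self._failures = 0
        self._locked_until = 0.0

    def set_password(self, password: str) -> None:
        problems = check_password_policy(password)
        if problems:
            raise ValueError("; ".join(problems))
        self._salt = os.urandom(16)
        self._digest = hash_password(password, self._salt)

    def login(self, password: str) -> str:
        """Return 'ok', 'bad_password' or 'locked'."""
        if self._digest is None or self._salt is None:
            raise RuntimeError("device not provisioned")
        now = self._clock()
        if now < self._locked_until:
            return "locked"               # refused before any hashing work is done
        candidate = hash_password(password, self._salt)
        if secrets.compare_digest(candidate, self._digest):
            self._failures = 0
            return "ok"
        self._failures += 1
        if self.max_failed_attempts and self._failures >= self.max_failed_attempts:
            self._locked_until = now + LOCKOUT_SECONDS
            self._failures = 0
        return "bad_password"


def enumeration_attack(device: DeviceAuth, wordlist: List[str]) -> Dict[str, Optional[int]]:
    """Simulate online password guessing; stop at the first success or lock-out."""
    result: Dict[str, Optional[int]] = {"attempts": 0, "found_at": None, "locked_at": None}
    for guess in wordlist:
        result["attempts"] += 1
        outcome = device.login(guess)
        if outcome == "ok":
            result["found_at"] = result["attempts"]
            break
        if outcome == "locked":
            result["locked_at"] = result["attempts"]
            break
    return result


if __name__ == "__main__":
    real = "correct-horse-battery-9"
    guesses = [f"guess{i:02d}" for i in range(30)] + [real]   # constructed wordlist
    for limit in (0, MAX_FAILED_ATTEMPTS):
        dev = DeviceAuth(max_failed_attempts=limit)
        dev.set_password(real)
        print(f"lock-out after {limit or 'never'}: {enumeration_attack(dev, guesses)}")
```

Run directly, it prints both attack results: with no lock-out the guessing loop reaches the password on the 31st try; with a 10-failure lock-out it is refused from the 11th attempt onwards and never gets there. Two caveats a practitioner would add: a hard lock-out lets anyone who can reach the login page lock the legitimate owner out, so a growing delay between attempts is often preferred to a fixed ban, and the failure counter must survive a reboot, otherwise power-cycling the device resets it.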
Vulnerability disclosure
A good idea in principle. The difficulty will be whether these devices auto-update, as few users are likely to have the technical ability to apply fixes themselves.
Important security updates
If security updates are available for 2 years, similar to the average Android phone, what happens then? Will consumers be alerted when the 2 years are up? Will this become a form of built-in obsolescence, so that phones, doorbells, fitness wearables and washing machines need replacing roughly every 2 years?
“Ensure that consumer connectable products, such as smart TVs, internet-connectable cameras and speakers, are more secure against cyber-attacks, protecting individual privacy and security” [Department for Digital, Culture, Media & Sport, 24 November 2021]
This would seem to indicate that if an individual’s privacy is damaged, there could be a group action against the manufacturer, importer and distributor of the product.
Should these devices go through a form of accredited security testing? In business-to-business relationships there is usually a requirement that all systems are updated within 14 days and remain in support by the vendor.
In the age of teleworking, would the “work” supply chain be fully in scope? Home routers should not use a default password, and all software and firmware covered by the legislation must be in support by the vendor. Should smart speakers be updated? What about the doorbell, the fish tank thermometer, the alarm system, the Wi-Fi garden lighting? These could all potentially be in scope, especially where someone works from home, as a way into the corporate workspace.
Just one vulnerable point can allow criminals into a network.
In a widely reported case from 2018, attackers compromised a connected thermometer in a fish tank in the lobby of a US casino and used it as a foothold to reach the casino’s network and a database of high-roller customers’ details.
It is very difficult to ensure that every link in the chain has appropriate cyber security measures in place, and once attackers are in, the knock-on effects can be catastrophic.
This is a step in the right direction, but how do we manage the consequences, and is enforcement likely?
The Code of Practice for Consumer IoT Security mentions encryption and cryptographic keys, but not in much detail. Without encryption, how will personal data and passwords be stored on IoT devices?
Hopefully this will be the start of a safer online world. Is it enough, though? Probably not at this stage.
Will there now be a possibility of a class action against a device manufacturer for privacy breaches? Does this mean that a manufacturer, importer or distributor could inadvertently become a data controller under GDPR if they are responsible, or partly responsible, for a breach? In the long term the bill raises more questions than it answers.
At QuoStar we manage these types of issues for corporate clients regularly: patch management, passwords, release management and regular upgrades, as well as containing systems and devices that cannot be upgraded, which need to be segregated behind additional security layers.
Optimising manufacturing operations isn’t always easy, but it can be achieved with the right IT Solutions.
Manufacturing businesses are typically the best at seeking out efficiency and productivity in their operations, particularly on the shop-floor. However, many still do not apply the same LEAN principles to the rest of their operations, and that can mean the optimisation of processes is more challenging because of a lack of consistency throughout the business.
Systems and process analysis, and automation, can be used throughout an organisation to drive out inefficiencies. IT is certainly an enabler of efficient, well-performing operations.
As QuoStar’s Robert Rutherford was recently quoted in the Manufacturer: “Finance operations, for example, are often very bloated, but IT can facilitate outsourcing or offshoring, not only reducing costs but also allowing the process to become quickly automated to a good extent.”
What types of IT solutions and services can help with optimising manufacturing operations?
Historically, manufacturers were always at the forefront of technology. In many ways this has meant they experienced the falls and disappointments that come with testing cutting-edge solutions. However, technology systems have also been driving results for manufacturers in some areas, such as IoT, cloud services and CRM.
Internet of Things (IoT)
The Internet of Things (IoT) has certainly given manufacturers an advantage, both on the shop-floor and within their products on customer sites, by helping with support and maintenance, but also by allowing big data to be queried for insights and value. It is driving decisions around productivity, wastage and research & development to deliver wins across the board.
Cloud Services
Cloud services are also still extremely valuable to manufacturers. Although many still keep heavy processing in a private cloud, the public cloud (particularly AWS and Azure) allows operations and development to flex, trial and scale-up (and scale-out) without the traditional costs and complexities of big kit in the server room. The pandemic has heavily accelerated change. Customers have demanded faster innovation, more data and information, greater integration, and increased security.
CRMs
CRM systems have moved on significantly, and this is greatly improving the service manufacturers are able to deliver to customers, whether in managing expectations, delivering value or collecting relevant information. They can also drive an increase in sales in terms of new business wins, cross-sales and real engagement with marketing automation.
Big CRM projects were historically associated with large capex costs. However, now they virtually all come in a cloud-based delivery model on a price per user basis.
Digital Transformation Road Mapping & IT Consultancy
QuoStar specialise in IT solutions. We can help with Digital Transformation Road mapping, as well as offering IT Consultancy services. And with QuoStar you also have access to a CIO Service.