Disappointing Results and the Enactment of the UK Product Security and Telecommunications Infrastructure Bill Means Firms Could Face Monetary Penalties for Non-Compliance.
The IoT Security Foundation has published its latest influential research report which monitors the security management behaviour of consumer IoT product companies.
The study reviewed the practice of 332 companies identified as selling IoT products for consumer and commercial uses such as appliances, routers, audio, smart home, lighting, mobile, tablets and laptops. This is the fifth published report in the series, plotting industry progress since 2018 with prior versions cited as evidence in global standards and regulatory processes. The desk-based research was carried out during the summer of 2022 by Copper Horse Ltd., who are experts in mobile and IoT security.
Key Findings
Vulnerability management is critical for connected product security and is widely accepted as a basic hygiene practice for vendors. It features in nearly 30 cybersecurity guidance initiatives [1], including IoTSF’s highly popular IoT Security Assurance Framework [2]. Easy reporting of security issues is therefore regarded as essential for security lifecycle maintenance.
Once again, the main finding is that vulnerability disclosure practice remains at a disappointingly low level. In 2018 we found that just 9.7% of firms in the study had a disclosure policy and in this latest report that number is just 27.1%. This is still far below the near-100% the researchers would like to see.
Whilst it is not always easy to determine the origin of products, the analysis also indicates the best-performing region to be Asia, with European suppliers trailing significantly behind (34.7% vs. 14.5% respectively).
Evolving Practice
The report was originally conceived to raise awareness of vulnerability management and the likelihood of legislation, and it has also served as an ongoing commentary on the evolution of industry practices. As part of the study the researchers identified increases in the use of the ‘/security’ contact page, the use of machine-readable ‘secuity.txt’ files and a small decline in PGP key usage for secure submissions. Two policy maintenance trends are also identified; a noticeable rise in the number of companies that are failing to keep their policies up to date and an increase in the number of companies using a third-party ‘proxy service’ to host and maintain their policies.
Regulation has arrived
As anticipated, the UK’s long-awaited Product Security and Telecoms Infrastructure (PSTI) Bill achieved Royal Assent on December 6th, 2022, meaning it is now law [3]. Within the legislation, there are responsibilities for manufacturers, importers, and distributors to provide a vulnerability disclosure policy [4]. This means that the 72.9% of companies identified in the report who do not have a policy, will be in breach of UK law.
John Moor, Managing Director of IoTSF said:
“Naturally it is disappointing to see so many consumer IoT companies still not taking basic steps to maintain their product security. IoTSF members are strong advocates for building secure IoT systems and we work together to help others by sharing knowledge and publishing how-to guides, for those in need – many resources are published for free. There is no excuse – good design and simple hygiene practices mean manufacturers can protect their customers cost-effectively.”
David Rogers, CEO of Copper Horse Ltd., said: “The overall picture remains shocking. If the adoption of vulnerability disclosure policies continues at the current rate, IoT manufacturers won’t be fully compliant until 2039! Even with the threat of incoming legislation, there is complacency in manufacturers that translates into an unacceptable risk for consumers when it comes to the security of IoT devices.”
HackerOne Inc., supported the creation of the 2022 report and Laurie Mercer, Senior Manager of Security Engineering said: “Knowing about security vulnerabilities within products and services through a Vulnerability Disclosure Policy (VDP) is an important way to identify and rectify them as part of the product security lifecycle. It’s a best practice that customers are increasingly looking for their supplier to adopt, but this research suggests it is not yet common practice. The fact that the UK has seen higher adoption speaks to the impact government legislation and policy can have on cybersecurity. Mandating VDPs is going to be the most effective way of ensuring consumer safety.”
Moor concluded with an optimistic outlook: “We should also praise those who made it their business to be on the 2022 green list and look forward to the next report, when we trust the legislation, with a possible penalty of up to £20,000 per day, will provide the necessary motivation to get off the red list of companies contained in the report.”
The report can be downloaded here. More reports from the IoTSF can be downloaded for free and without registration here.
[1] https://iotsecuritymapping.com/provision-2/[2] https://www.iotsecurityfoundation.org/best-practice-guidelines/[3] https://bills.parliament.uk/bills/3069[4] https://www.gov.uk/guidance/the-product-security-and-telecommunications-infrastructure-psti-bill-product-security-factsheet
