Last December, the UK passed the Product Security and Telecommunications Infrastructure Act 2022. The first part of this legislation will help ensure that all consumer smart products have good security and the second part relates to electronic communications infrastructure. We explore the connection between Internet connected products, or Internet of things (IoT), device security and the building of 5G infrastructure. There is huge growth in the importance of IoT devices in people’s lives along with the need to be connected at all times.
What is 5G?
5G is the fifth generation of mobile wireless communication technology being rolled out across the world. China, South Korea and the US lead the way in building and deploying 5G networks, while the UK’s four major mobile networks (EE, O2, Three and Vodafone) as well as Sky Mobile have all launched their networks in most major cities with further plans to expand.
5G technology launched in the second half of 2019 and is the successor to the 4G standard. The upgrade is significant, with features such as higher multi-Gbps peak data speeds, ultra-low latency, massive network capacity, more reliability and increased availability.
How will 5G change our lives?
While 5G deployment today is primarily focused on providing additional network capacity in densely populated areas, in the longer term, 5G will play a central role in the smart and connected cities and towns of the future. It has the potential to enable innovative services in manufacturing and logistics, transport and agriculture as well as enhancing the delivery of public services across healthcare and education.
Latency: 5G networks can respond to commands in just 1ms, making the technology ideal for mission-critical and real-time applications.
Low latency means that the time needed for data to travel across the network is very much reduced. It is one of the big attractions of 5G and a major factor necessary for automated processes, such as self-driving cars and factory robots.
Speed: The average speed for 4G systems is 60Mbps. However, 5G networks offer speeds of around 200Mbps and up to 1Gbps, with greater capacity and much lesser lag than 4G.
In addition to the high-speed, lag free connections and virtually seamless user experience, the interconnected world of internet of things (IoT) will also benefit from the flexibility of the 5G network. 5G mobile carriers will be able to implement network segmentation to create multiple virtual networks with different connectivity sizes, adapting to the connection needs of different users. This ‘network slicing’ can provide each user the bandwidth, speed and latency they need to carry out their activities, optimising functionality, performance and overall costs.
Remote IoT sensors used for smart cities might only need a low-bandwidth slice, whereas things like remote factory processes or remote surgery may need a high-reliability, higher bandwidth slice. It means that network connectivity can be given to IoT devices at a reasonable cost.
Capacity: 5G networks offer significantly greater capacity than the earlier systems, across a broader frequency spectrum. A typical 5G system supports a 100-fold increase in capacity and efficiency as compared to 4G networks.
5G will drive the explosion of IoT connected devices. According to Statista, the number of IoT devices worldwide is forecast to almost triple from 9.7 billion in 2020 to more than 29 billion IoT devices in 2030.
The incredible business and of course, financial opportunities presented by 5G technology is creating somewhat of a rush to deployment. Unfortunately, security is not always baked into the design, meaning that the linked devices, machines, wearables, drones, city infrastructure, and autonomous vehicles will store and transmit sensitive personal data on a scale that could be difficult to secure.
Smarter cyber security solutions will be needed for the network itself and for devices connecting to 5G.
Increased attack surface
A network’s attack surface is the total number of access points that can be exploited by a cyber-criminal.
5G will enable huge growth of IoT sensors and devices in remote locations. The increased attack surface of 5G networks puts it at risk from Distributed Denial of Service (DDoS) attacks in particular. The purpose of a Distributed denial-of-service (DDoS) attack is to overload a network, a system or website to take it offline.
When a system is run on a network of sub-millisecond connection, attackers with little resources and expertise are able to launch attacks on networks much more easily.
Many IoT devices are manufactured with a lack of security features. They are being sold with default passwords, no capability to update or apply security patches and ports that are open. Untrusted, counterfeit, or insecure components may be introduced within a supply chain without detection. As billions of devices with varied security are being encouraged to connect, it will create billions of possible breach points which will increase the threat of compromised network infrastructures affecting end-user devices.
Incentives for manufacturers to build in security
IoT security is only as strong as its weakest links and there are plenty of cheap, low-end IoT products on the market such as baby monitors and children’s toys that connect to the internet with no security features. They provide criminals with an access point to the device and to the network it is connected to.
Previous to the recent UK law passed to mandate basic security features in IoT devices, consumer connectable products were required to meet certain safety standards. Despite guidance set out in the leading global technical standard in IoT security, ETSI EN 303 645, many IoT product manufacturers failed to prioritise security and the risk to consumers persisted.
The first part of the Product Security and Telecommunications Infrastructure Act 2022 covers the following three main security features:
- Consumer IoT devices will not be allowed to have universal default passwords.
This makes it easier for consumers to configure their devices securely to prevent them being hacked by cyber criminals.
- Consumer IoT devices will have to have a vulnerability disclosure policy
This means manufacturers must have a plan for how to deal with weaknesses in software which means it’s more likely that such weaknesses will be addressed properly.
- Consumer IoT devices will need to disclose how long they will receive software updates.
This means that software updates are created and released to maintain the security of the device throughout its declared lifespan.
Consumer education on IoT cybersecurity
Consumers are being advised to take security and privacy into their own hands as much as possible. The wide variation in security quality means product labelling standards are needed to help customers choose a secure device.
Cyber security certification for IoT devices
In response to a growing need for manufacturers and retailers to demonstrate good security practice associated with IoT devices, IASME operates a well-regarded certification scheme which provides manufacturers with support to improve the security of their devices and then certify their achievement. Certification to this scheme demonstrates compliance with UK legislation and a commitment to best practice security. The scheme has been designed to be affordable and achievable by even the smallest of manufacturers which enables small, innovative companies to be part of the market.
Compliant products receive a certification badge which can be displayed on product packaging and marketing to allow purchasers to verify the security of the device.
The IASME IoT Cyber scheme certifies internet connected devices against the new UK legislation at the Baseline level and covers the top three requirements of the ETSI EN 303 645 standard.
The scheme also allows manufacturers to take the next step to certify against all of the provisions in the ETSI EN 303 645 standard at the Assurance level. It is also mapped to the IoTSF Security Compliance Framework. Certification guards against the exploitation of common IoT cyber security vulnerabilities such as weak passwords, legacy software and insecure communications.
Two levels of assurance
The scheme is available as Level 1 which consists of a verified-assessment, reviewed by an independent expert.
For greater assurance, the scheme is also available as Level 2 which includes an audit via third-party testing and independent certification.
For more information about the IASME Cyber scheme, contact certification manager, Jason Blake [email protected]