Software & Technology
CONNECTABLE PRODUCT SECURITY REGIME
The Product Security and Telecommunications Infrastructure Act 2022 received Royal Assent on 6th December 2022 and was enacted into law. The government have now announced that companies have a period of a year to implement the changes put forth in the legislation, with compliance required by 29th April 2024.
This law applies to all consumer IoT products, including but not limited to:
• connected safety-relevant products such as smoke detectors and door locks
• connected home automation and alarm systems
• Internet of Things base stations and hubs to which multiple devices connect
• smart home assistants
• smartphones
• connected cameras
• connected fridges, washers, freezers, coffee machines
Consumer connectable products, such as those listed above, offer huge benefits for people and businesses to live better connected lives with a lower carbon footprint. It is a rapidly growing area of emerging technology: forecasts suggest that there could be up to 50 billion connectable products worldwide by 2030, and on average there are nine in each UK household.
However, the adoption of cyber security requirements within these products is poor: only 1 in 5 manufacturers embed basic security requirements in consumer connectable products, yet consumers overwhelmingly assume these products are secure. Moreover, whilst connectable consumer products have previously had to comply with existing regulation to ensure that they will not directly cause physical harm from issues such as overheating, environmental damage or electrical interference, they have not been regulated to protect consumers from cyber harm such as loss of privacy and personal data. To close this regulatory gap, the Product Security and Telecommunications Infrastructure Act 2022 has now been enacted into law.
The Product Security and Telecommunications Infrastructure Act 2022 requires manufacturers, importers and distributors to ensure that minimum security requirements are met in relation to consumer connectable products that are available to consumers, and provides a robust regulatory framework that can adapt and remain effective in the face of rapid technological advancement, the evolving techniques employed by malicious actors, and the broader international regulatory landscape.
Secure Connected Device accreditation for IoT products
The national police security initiative, Secured by Design (SBD), launched the Secure Connected Device accreditation scheme in 2022 in response to the pending legislation, coupled with a growing demand from industry and current members seeking to gain SBD accreditation for IoT products.
The SBD Secure Connected Device accreditation scheme, developed in consultation with the Department for Digital, Culture, Media & Sport (DCMS), helps companies to get their products appropriately assessed against all 13 provisions of the ETSI EN 303 645 standard, a requirement that goes beyond the Government’s legislation, so that companies can not only demonstrate their compliance with the legislation but also protect themselves, their products and customers.
The SBD Secure Connected Device IoT Assessment identifies the level of risk associated with an IoT device and its ecosystem, providing recommendations on the appropriate certification routes with one of the SBD approved certification bodies. Once third-party testing and independent certification for a product has been achieved, the company can apply to become an SBD member, with the product receiving the SBD’s Secure Connected Device accreditation, a unique and recognisable accreditation that will highlight products as having achieved the relevant IoT standards and certification.
Michelle Kradolfer, Secured by Design’s IoT Technical Officer, said: “Compliance with the ‘Secure Connected Device’ accreditation sends a clear message to the wider industry of the importance of IoT security and companies accredited to this new SBD standard will lead by example and be at the forefront of the IoT revolution and in doing so will help to keep their customers and the public safer from the risk of a cyber breach.
Furthermore, adverse publicity due to a cyber incident could be catastrophic to the reputation of the product and company.”
The Secure Connected Device accreditation is the only way for companies to obtain police recognition for the security of their IoT products in the UK.
SBD continually monitor national crime trends to keep pace with changing patterns of criminal behaviour and new technology, ensuring that standards are updated to reflect these changes.
www.securedbydesign.com/Internet-of-Things
AUGUST 2023 CLEARVIEW-UK.COM