The Locksmith Journal 101 October 2024 | Page 46

NATIONAL HOME SECURITY MONTH

The importance of ensuring IoT connected products are secure

As life and business in the 21st century have become increasingly reliant on being connected to the internet, we have seen an increase in products known as Internet of Things (IoT) connected – things such as smart locks, for example.
Whilst these consumer connectable products offer huge benefits for people and businesses to live better connected lives with a lower carbon footprint, the adoption of cyber security requirements within these products has historically been poor. Consumers overwhelmingly assume that these products are secure. However, whilst connectable consumer products have previously had to comply with existing regulation to ensure that they will not directly cause physical harm from issues such as overheating, environmental damage or electrical interference, they have not until very recently been regulated to protect consumers from cyber harm such as loss of privacy and personal data.
To close this regulatory gap and to address the issue of insecure technology, the government drew up the Product Security and Telecommunications Infrastructure Act 2022, which was enacted into law in December 2022. Businesses were then given a grace period in which to become compliant with the Act, with compliance required by the 29th of April 2024.
The Act requires manufacturers, importers and distributors to ensure that minimum security requirements are met in relation to connectable products that are available to consumers in the UK. However, just two months ago, consumer magazine Which? found that, shockingly, nearly 90% of smart products in a snapshot check on Amazon, eBay and Temu seemingly did not meet the new legal requirements for security support transparency.
What are the penalties for not complying with the law?
The robust regulatory framework within the law contains an enforcement regime with civil and criminal sanctions aimed at preventing insecure products being made available on the UK market. This enforcement regime enables the government to take a range of actions against companies that are not compliant with the law. This includes:
• Enforcement Notices: Compliance notices, Stop notices and Recall notices
• Monetary penalties: the greater of £10 million or 4% of the company’s qualifying worldwide revenue
• Forfeiture: of stock which is in the possession or control of any manufacturer, importer or distributor of the products, or an authorised representative
How can you ensure compliance with the law?
The minimum security requirements contained within the law are based on the UK’s Code of Practice for Consumer IoT security, the leading global standard for consumer IoT security, ETSI EN 303 645, and on advice from the UK’s technical authority for cyber threats, the National Cyber Security Centre.
Secured by Design’s (SBD) Secure Connected Device accreditation scheme helps companies to get their products appropriately assessed against all 13 provisions of the ETSI EN 303 645 standard, a requirement that goes beyond the Government’s legislation, so that companies can not only demonstrate their compliance with the legislation but also help protect themselves, their products and customers. The SBD Secure Connected Device accreditation scheme has been developed in consultation with the Department for Science, Innovation and Technology (DSIT). DSIT supports industry schemes which help consumers make better informed choices when buying connectable devices.
The SBD Secure Connected Device IoT Assessment identifies the level of risk associated with an IoT device and its ecosystem, providing recommendations on the appropriate certification routes with one of the SBD approved certification bodies. Once third-party testing and independent certification for a product have been achieved, the company can apply to become an SBD member, with the product receiving the SBD’s Secure Connected Device accreditation, a unique and recognisable accreditation that will highlight products as having achieved the relevant IoT standards and certification.
It is an SBD membership requirement for any IoT connected product or service to have achieved the SBD ‘Secure Connected Device’ accreditation.
Compliance with the Secure Connected Device accreditation also sends a clear message to the wider industry of the importance of IoT security. Companies accredited to this SBD standard will lead by example and be at the forefront of the IoT revolution, and in doing so will help to keep their customers and the public safer from the risk of a cyber breach.
The Secure Connected Device accreditation is the only way for companies to obtain police recognition for the security of their IoT products in the UK.
www.securedbydesign.com/IoT