IoT & the current threat landscape

The rise of the Internet of Things (‘IoT’) and smart devices has revolutionised the way we live our lives, at home and at work, with many smart devices allowing you to control them remotely. Whether it is a doorbell, lightbulb, voice assistant (Alexa, Siri), kitchen appliance or children’s toy, everything connected to the internet falls under this category.

However, with the increase in IoT products available and a growing ecosystem of interconnected devices, cyber criminals are targeting and exploiting vulnerabilities in the products and their apps, as most are mass-produced without security at the forefront.

Without the appropriate levels of security, any internet connected device or app is at risk of providing cyber criminals with the ‘key’ to accessing and stealing personal data. Now more than ever, it’s important to ensure that all IoT products have the right security in place to protect consumers and reduce the risk of them falling victim to cyber crime.


SBD Secure Connected Device Accreditation

In 2018, the Government published the first Code of Practice (CoP) for the Internet of Things. The CoP, developed by the Department of Digital, Culture, Media & Sport (DCMS), sets a benchmark for security for manufacturers to follow when developing IoT products for the UK market. This is now being influenced by ETSI EN 303 645 and other IoT related standards.


With the Government soon introducing new legislation, the Product Security and Telecommunications Infrastructure (PSTI) Bill, which includes three principles of the CoP, and with growing demand from industry and current members seeking to gain SBD accreditation for IoT products, SBD has launched a new ‘Secure Connected Device’ accreditation scheme. The scheme allows companies providing IoT connected products and services to demonstrate that their products have achieved the appropriate and relevant IoT standards and certifications from an SBD recognised certification body.

Working closely with certification bodies, such as IASME and BSI, who assess IoT products and services against all 13 provisions of the ETSI EN 303 645 standard, our IoT Device Assessment identifies the level of risk associated with an IoT device and its ecosystem, providing recommendations on the appropriate certification routes.

Once third-party testing and independent certification for a product have been achieved, the company can apply to become an SBD member, with the product receiving SBD’s ‘Secure Connected Device’ accreditation, a unique and recognisable accreditation that will highlight products as having achieved the relevant IoT standards and certification.

The requirements to obtain the Secure Connected Device accreditation are:

  • IoT products and services need to have achieved the appropriate and relevant IoT standards and certifications conducted by an SBD recognised certification body.
  • The certificate needs to be assessed against all 13 provisions of the ETSI EN 303 645, which goes beyond the 3 provisions being legislated by the UK government.
  • The assessment must be done hands-on by the certifying bodies – we do not accept self-assessed certificates.
  • The IoT product or service needs to be assessed on an annual basis (every 12 months).

If you are a company looking for SBD membership, any IoT connected product or service will be required not only to meet traditional physical security standards, but also to meet the requirements of the ‘Secure Connected Device’ accreditation scheme.

Showing that a product has achieved both the physical and digital requirements of the ‘Police Preferred Specification’ shows that ‘Secured by Design’ is at the heart of what a company does.

You can find out more about the opportunities and the benefits of becoming an SBD member here.

Contact your local SBD Development Officer to find out more about the new Secure Connected Device accreditation and the benefits of becoming an SBD member.

Whilst the level of assurance provided by this accreditation significantly exceeds that currently recommended by government, no claim is made to protect against 100% of risks. You are reminded that it is your responsibility to ensure that you have the level of security commensurate with the intended use and associated security threat(s).