Bill to ensure safety of IoT products becomes law
The Product Security and Telecommunications Infrastructure Act 2022 has now been enacted into law, having received Royal Assent on 6th December 2022.
The new law applies to all consumer IoT products, including:
- connected safety-relevant products such as smoke detectors and door locks
- connected home automation and alarm systems
- Internet of Things base stations and hubs to which multiple devices connect
- smart home assistants
- connected cameras
Consumer connectable products, such as those listed above, offer huge benefits for people and businesses, helping them to live better connected lives with a lower carbon footprint. It is a rapidly growing area of emerging technology: forecasts suggest that there could be up to 50 billion connectable products worldwide by 2030, and on average there are nine in each UK household.
However, the adoption of cyber security requirements within these products is poor: only 1 in 5 manufacturers embed basic security requirements in consumer connectable products, while consumers overwhelmingly assume these products are secure. Connectable consumer products have previously had to comply with existing regulation to ensure that they will not directly cause physical harm from issues such as overheating, environmental damage or electrical interference, but they have not been regulated to protect consumers from cyber harm such as loss of privacy and personal data. To close this regulatory gap, the Product Security and Telecommunications Infrastructure Act 2022 has now been enacted into law.
The Product Security and Telecommunications Infrastructure Act 2022 requires manufacturers, importers and distributors to ensure that minimum security requirements are met in relation to consumer connectable products that are available to consumers. It also provides a robust regulatory framework that can adapt and remain effective in the face of rapid technological advancement, the evolving techniques employed by malicious actors, and the broader international regulatory landscape.
Secure Connected Device accreditation for IoT products
The national police security initiative, Secured by Design (SBD), launched the Secure Connected Device accreditation scheme in 2022 in response to the pending legislation, coupled with a growing demand from industry and current members seeking to gain SBD accreditation for IoT products.
The SBD Secure Connected Device accreditation scheme, developed in consultation with the Department for Digital, Culture, Media & Sport (DCMS), helps companies to get their products appropriately assessed against all 13 provisions of the ETSI EN 303 645 standard. This requirement goes beyond the Government’s legislation, so that companies can not only demonstrate their compliance with the legislation but also protect themselves, their products and their customers.
The SBD Secure Connected Device IoT Assessment identifies the level of risk associated with an IoT device and its ecosystem, providing recommendations on the appropriate certification routes with one of the SBD approved certification bodies. Once third-party testing and independent certification for a product have been achieved, the company can apply to become an SBD member, with the product receiving the SBD’s Secure Connected Device accreditation, a unique and recognisable accreditation that will highlight products as having achieved the relevant IoT standards and certification.
Why is the Secure Connected Device accreditation for IoT products important?
The risk of a cyber attack or breach against an IoT device can be reduced as SCD accredited devices have been tested to ensure they have been built to the required security standards.
The Secure Connected Device accreditation is the only way for companies to obtain police recognition for the security of their IoT products in the UK.
SBD continually monitor national crime trends to keep pace with changing patterns of criminal behaviour and new technology, ensuring that standards are updated to reflect these changes.
View from the expert
Michelle Kradolfer is the Internet of Things (IoT) Technical Officer at Police CPI and the lead for Secured by Design’s Secure Connected Devices accreditation. Michelle graduated from University with a Master of Cyber Crime and Digital Investigation (with Distinction) and has worked at INTERPOL, with the Research and Innovation team within the Cyber Innovation & Outreach Directorate, as well as a Cyber Development Officer with the Police Digital Security Centre.
Michelle said: “Without the appropriate levels of security, any internet connected device or app is at risk of providing cyber criminals with a key to enable them to access and steal personal data. It is therefore vitally important to ensure that all IoT products have the right level of security in place to protect consumers and reduce the risk of them falling victim to cyber crime. Adverse publicity due to a cyber incident could be catastrophic to the reputation of the product and company.
“Compliance with the ‘Secure Connected Device’ accreditation sends a clear message to the wider industry of the importance of IoT security and companies accredited to this new SBD standard will lead by example and be at the forefront of the IoT revolution and in doing so will help to keep their customers and the public safer from the risk of a cyber breach”.
The Police Preferred Specification
SBD has operated an accreditation scheme on behalf of the UK Police Service for products or services that have met recognised security standards for nearly 25 years. These products or services – which must be capable of deterring or preventing crime – are known as being of a ‘Police Preferred Specification’.
There are many hundreds of companies who produce thousands of individual attack-resistant crime prevention products, in more than 30 different categories, which have met the exacting standards of the Police Preferred Specification. This includes doors, windows, external storage, bicycle and motorcycle security, locks and hardware, asset marking, alarms, CCTV, safes, perimeter security products and many others.
SBD is the only way for companies to obtain police recognition for security-related products in the UK.
Find out more on SBD’s Secure Connected Device accreditation at www.securedbydesign.com/Internet-of-Things