Police-backed Secured by Design has released the following detailed statement after developments relating to legislation recently given Royal Assent
The Product Security and Telecommunications Infrastructure Act 2022 received Royal Assent on 6th December 2022 and was enacted into law.
The government have now announced that companies have a period of a year to implement the changes put forth in the legislation, with compliance required by 29th April 2024.
This law applies to all consumer IoT products, including but not limited to:
• connected safety-relevant products such as smoke detectors and door locks
• connected home automation and alarm systems
• Internet of Things base stations and hubs to which multiple devices connect
• smart home assistants
• connected cameras
• connected fridges, washers, freezers, coffee machines
Consumer connectable products, such as those listed above offer huge benefits for people and businesses to live better connected lives with a lower carbon footprint.
It is a rapidly growing area of emerging technology: forecasts suggest that there could be up to 50 billion connectable products worldwide by 2030, and on average there are nine in each UK household.
However, the adoption of cyber security requirements within these products is poor, and while only 1 in 5 manufacturers embed basic security requirements in consumer connectable products, consumers overwhelmingly assume these products are secure.
However, whilst connectable consumer products have previously had to comply with existing regulation to ensure that they will not directly cause physical harm from issues such as overheating, environmental damage or electrical interference, they have not been regulated to protect consumers from cyber harm such as loss of privacy and personal data. To close this regulatory gap, the Product Security and Telecommunications Infrastructure Act 2022 has now been enacted into law.
The Product Security and Telecommunications Infrastructure Act 2022 requires manufacturers, importers and distributors to ensure that minimum security requirements are met in relation to consumer connectable products that are available to consumers and provides a robust regulatory framework that can adapt and remain effective in the face of rapid technological advancement, the evolving techniques employed by malicious actors, and the broader international regulatory landscape.
Secure Connected Device accreditation for IoT products
The national police security initiative, Secured by Design (SBD), launched the Secure Connected Device accreditation scheme in 2022 in response to the pending legislation, coupled with a growing demand from industry and current members seeking to gain SBD accreditation for IoT products.
The SBD Secure Connected Device accreditation scheme, developed in consultation with the Department for Digital, Culture, Media & Sport (DCMS), helps companies to get their products appropriately assessed against all 13 provisions of the ETSI EN 303 645 standard, a requirement that goes beyond the Government’s legislation so that companies can not only demonstrate their compliance with the legislation but protects them, their products and customers.
The SBD Secure Connected Device IoT Assessment identifies the level of risk associated with an IoT device and its ecosystem, providing recommendations on the appropriate certification routes with one of the SBD approved certification bodies. Once third-party testing and independent certification for a product has been achieved, the company can apply to become SBD members, with the product receiving the SBD’s Secure Connected Device accreditation, a unique and recognisable accreditation that will highlight products as having achieved the relevant IoT standards and certification.
Why is the Secure Connected Device accreditation for IoT products important?
The risk of a cyber attack or breach against an IoT device can be reduced as SCD accredited devices have been tested to ensure they have been built to the required security standards.
The Secure Connected Device accreditation is the only way for companies to obtain police recognition for the security of their IoT products in the UK.
SBD continually monitor national crime trends to keep pace with changing patterns of criminal behaviour and new technology, ensuring that standards are updated to reflect these changes.
Michelle Kradolfer, pictured, Secured by Design’s IoT Technical Officer, said: “Without the appropriate levels of security, any internet connected device or app is at risk of providing cyber criminals with a key to enable them to access and steal personal data. It is therefore vitally important to ensure that all IoT products have the right level of security in place to protect consumers and reduce the risk of them falling victim to cyber crime. Adverse publicity due to a cyber incident could be catastrophic to the reputation of the product and company.
“Compliance with the ‘Secure Connected Device’ accreditation sends a clear message to the wider industry of the importance of IoT security and companies accredited to this new SBD standard will lead by example and be at the forefront of the IoT revolution and in doing so will help to keep their customers and the public safer from the risk of a cyber breach”.
SBD has operated an accreditation scheme on behalf of the UK Police Service for products or services that have met recognised security standards for nearly 25 years. These products or services – which must be capable of deterring or preventing crime – are known as being of a ‘Police Preferred Specification’.
There are many hundreds of companies who produce thousands of individual attack resistant crime prevention products, in more than 30 different categories, which have met the exacting standards of the Police Preferred Specification. This includes doors, windows, external storage, bicycle and motorcycle security, locks and hardware, asset marking, alarms, CCTV, safes, perimeter security products and many others.
SBD’s is the only way for companies to obtain police recognition for security-related products in the UK.