The UK has just passed the Product Security and Telecommunications Infrastructure Act 2022, the first part of which will help ensure that all consumer smart products have good security to protect against cyber attacks.
What are “smart” products?
A smart product is a device that is connected to the internet or another network and often has an app and/or a wireless connection. Smart devices are also referred to as part of the Internet of Things or IoT.
The new law applies to all consumer IoT products which include:
- connected appliances, such as washing machines and fridges
- connected safety-relevant products such as smoke detectors and door locks
- connected home automation and alarm systems
- connected children’s toys and baby monitors
- Internet of Things base stations and hubs to which multiple devices connect
- wearable connected fitness trackers
- outdoor leisure products, such as handheld connected GPS devices that are not wearables
- smart home assistants
- connected cameras
- TVs and speakers
Why is it so important that smart products are secure?
Without basic security, everyday connected devices can provide a way for criminals on the internet to steal personal data, access microphones and cameras or hijack a device for ulterior motives. Previous to the new law, consumer connectable products were required to meet certain safety standards, but there were no mandatory security requirements.
The UK Government published a voluntary Code of Practice for Consumer IoT Security in 2018. It provided manufacturers and others with guidance as set out in ETSI EN 303 645, the leading global technical standard in IoT security.
Following the publication of the Code of Practice and continued risks to consumers, the Government consulted in 2019 on introducing mandatory security requirements for connectable products. Legislative proposals were consulted on in 2020.
An innovative new scheme to help manufacturers improve the security of smart products
In response to a growing need for manufacturers and retailers to demonstrate good security practice associated with IoT devices, IASME operates a well-regarded certification scheme which provides manufacturers with support to improve the security of their devices and then certify their achievement. Certification to this scheme demonstrates a commitment to best practice security. The scheme has been designed to be affordable and achievable by even the smallest of manufacturers which enables small, innovative companies to be part of the market.
The scheme was initially supported by funding from the Department of Digital, Culture, Media and Sport and showcased a number of innovative UK based manufacturers that were able to certify their internet connected devices against the most important security controls in line with the ETSI EN 303 645 standard.
The new UK legislation covers the following three main security features:
- Consumer IoT devices will not be allowed to have universal default passwords.
This makes it easier for consumers to configure their devices securely to prevent them being hacked by cyber criminals.
- Consumer IoT devices will have to have a vulnerability disclosure policy
This means manufacturers must have a plan for how to deal with weaknesses in software which means it’s more likely that such weaknesses will be addressed properly.
- Consumer IoT devices will need to disclose how long they will receive software updates.
This means that software updates are created and released to maintain the security of the device throughout its declared lifespan.
The IASME IoT Cyber scheme certifies internet connected devices against the new UK legislation at the Baseline level, and also allows manufacturers to take the next step to certify against the ETSI controls, at the Assurance level. Compliance products receive a certification badge which can be displayed on product packaging and marketing to allow purchasers to verify the security of the device.
CEO of IASME, Dr Emma Philpott MBE says, “IASME has developed the IoT Cyber schemes to provide an accessible, achievable and high-quality way for manufacturers to demonstrate the security of their internet-connected devices and to show they are compliant with best-practice security and UK law. When the IASME IoT Cyber scheme badge is displayed on a device it will reassure the end user that their device has the most important security features included.”
This year, IASME is working in partnership with the official police security initiative, Secured By Design. Secured by Design (SBD) operates an accreditation scheme on behalf of the UK Police Service to show that products or services have met recognised security standards.
Secure by Design recently launched the Secure Connected Device accreditation for manufacturers of innovative connected security products such as alarm systems and video products. They have picked the IASME scheme as one of the ways for manufacturers to confirm their products have the highest level of cyber security.
Jason Blake joins IASME this month as our new IoT Security Certification Manager. Jason has a background in the private security industry and brings a wealth of knowledge and experience to the role. Contact Jason for more information about the IASME IoT Cyber schemes, [email protected]
Follow the scheme on LinkedIn for the latest updates.