Secured by Design has informed Door & Hardware Federation (DHF) of the latest update regarding the new Product Security and Telecommunications Infrastructure (PSTI) Act, as well as how this will impact the manufacturers of IoT products going forward.
The Product Security and Telecommunications Infrastructure Act 2022 received Royal Assent on 6th December 2022 and has been enacted into law. The government have now announced that companies have a period of a year to implement the changes put forth in the legislation, with compliance required by 29th April 2024.
This law applies to all consumer IoT products, including but not limited to connected safety-relevant products such as door locks, connected home automation and alarm systems, Internet of Things base stations and hubs to which multiple devices connect, smart home assistants, smartphones, smoke detectors, connected cameras, connected fridges, washers, freezers, and coffee machines.
“Whilst consumer connectable products such as those listed above offer huge benefits for people and businesses to live better connected lives, to date, the adoption of cyber security requirements within these products is poor,” explains DHF’s General Manager & Secretary, Michael Skelding. “Just one in five manufacturers entrench basic security requirements in consumer connectable products, although consumers overwhelmingly assume these products are secure.”
Whilst connectable consumer products have previously had to comply with existing regulation to ensure that they will not directly cause physical harm from issues such as overheating, environmental damage or electrical interference, they have not been regulated to protect consumers from cyber harm such as loss of privacy and personal data. To close this regulatory gap, the government introduced the Product Security and Telecommunications Infrastructure Act.
“The Product Security and Telecommunications Infrastructure Act 2022 requires manufacturers, importers, and distributors to ensure that minimum security requirements are met in relation to consumer connectable products that are available to consumers. It also provides a robust regulatory framework that can adapt and remain effective in the face of rapid technological advancement, the evolving techniques employed by malicious actors, and the broader international regulatory landscape,” says Michael.
Many IoT products are still produced with a default password either commonly used (such as password) or easily obtainable online. Hackers know and regularly exploit this vulnerability. The PSTI legislation covers the following three main security features: Consumer IoT devices will not be allowed to have universal default passwords – this makes it easier for consumers to configure their devices securely to prevent them being hacked by cyber criminals; Consumer IoT devices will have to have a vulnerability disclosure policy - this means manufacturers must have a plan for how to deal with weaknesses in software meaning it is more likely that such weaknesses will be addressed properly; Consumer IoT devices will need to disclose how long they will receive software updates - this means that software updates are created and released to maintain the security of the device throughout its declared lifespan.
The regulatory framework within the law enables the government to take a range of actions against companies that are not compliant with it by 29th April 2024. This includes Enforcement Notices: Compliance notices, Stop notices and Recall notices; Monetary penalties: the greater of £10 million or 4% of the company’s qualifying worldwide revenue, and Forfeiture: of stock is in the possession or control of any manufacturer, importer or distributor of the products, or an authorised representative.
“Secured by Design’s (SBD) Secure Connected Device accreditation scheme, developed in consultation with the Department for Science, Innovation and Technology (DSIT), helps companies to get their products appropriately assessed against all 13 provisions of the ‘h standard’, a requirement that goes beyond the Government’s legislation, so companies can not only demonstrate their compliance with the legislation but help protect themselves, their products and customers,” continues Michael.
The SBD Secure Connected Device IoT Assessment identifies the level of risk associated with an IoT device and its ecosystem, providing recommendations on the appropriate certification routes with one of the SBD approved certification bodies. Once third-party testing and independent certification for a product has been achieved, the company can apply to become SBD members, with the product receiving the SBD’s Secure Connected Device accreditation, a unique and recognisable accreditation that will highlight products as having achieved the relevant IoT standards and certification.
“It is vitally important to ensure that all IoT products have the right level of security in place to protect consumers and reduce the risk of them falling victim to cyber-crime,” says Michael. “Adverse publicity due to a cyber incident could be catastrophic to the reputation of the product and company.”
In 2021 Which? undertook a study to look at how a smart home could be at risk from hackers, setting up their own smart home. This detected more than 12,000 scanning or hacking attempts in a single week. Without the appropriate levels of security, any internet connected device or app is at risk of being readable, recognisable, locatable, and/or controllable via the internet, thus providing cyber criminals with the ‘key’ in accessing and stealing personal data. This can then be used for a multitude of criminal purposes, including burglary, theft, blackmail, harassment, and stalking.
“Compliance with the Secure Connected Device accreditation sends a clear message to the wider industry of the importance of IoT security and companies accredited to this SBD standard will lead by example and be at the forefront of the IoT revolution,” concludes Michael. “In so doing, it will help to keep their customers and the public safer from the risk of a cyber breach. The Secure Connected Device accreditation is the only way for companies to obtain police recognition for the security of their IoT products in the UK.”
Find out more on SBD’s Secure Connected Device accreditation at https://bit.ly/3Nw6NiU
30th June 2023
Join dhf
Enjoy the full benefits of dhf membership
Apply today
