Consumer connectable products, such as smart home assistants, connected cameras and intercoms, home automation and alarm systems, not to mention fridges, washing machines, coffee machines and the whole Internet of Things (IoT) ecosystem, can offer huge benefits for people and businesses. Forecasts suggest that by 2030 there could be 50 billion connected products worldwide, with nine in every UK household.
However, according to Secured by Design (SBD), only one in five manufacturers embed basic security requirements in consumer-connectable products.
Previously, connectable consumer products were required to comply with existing regulations to prevent direct physical harm from issues such as overheating, environmental damage, or electrical interference. Still, they have not been regulated to protect consumers from cyber threats like data loss and privacy loss. A new law has now been passed to address this regulatory gap. It is called the Product Security and Telecommunications Infrastructure Act 2022. The UK government has announced that companies have a year to implement the changes outlined in the legislation, with compliance due on 29th April 2024.
As part of the Product Security and Telecommunications Infrastructure Act 2022, manufacturers, importers and distributors are required to meet minimum security requirements for consumer-connected products. It provides a robust regulatory framework that can adapt to and remain effective despite rapid technological advancement, the development of malicious actors’ techniques, and the evolution of international regulations.
The national police security initiative, SBD, launched the Secure Connected Device accreditation scheme in 2022 in response to the pending legislation, coupled with a growing demand from industry and current members seeking to gain SBD accreditation for IoT products.
The SBD Secure Connected Device accreditation scheme, developed in consultation with the Department for Digital, Culture, Media & Sport (DCMS), helps companies to get their products appropriately assessed against all 13 provisions of the ETSI EN 303 645 standard, a requirement that goes beyond the Government’s legislation, so that companies can not only demonstrate their compliance with the legislation but also protect themselves, their products and customers.
The SBD Secure Connected Device (SCD) IoT Assessment identifies the level of risk associated with an IoT device and its ecosystem, providing recommendations on the appropriate certification routes with one of the SBD-approved certification bodies. Once third-party testing and independent certification for a product have been achieved, the company can apply to become an SBD member, with the product receiving the SBD’s Secure Connected Device accreditation. This recognisable accreditation will highlight products as having achieved the relevant IoT standards and certification.
The SCD accreditation is the only way for companies to obtain police recognition for the security of their IoT products in the UK.
Michelle Kradolfer, Secured by Design’s IoT Technical Officer, said: “Without the appropriate levels of security, any internet-connected device or app is at risk of providing cyber criminals with a key to enable them to access and steal personal data. It is, therefore, vitally important to ensure that all IoT products have the right level of security in place to protect consumers and reduce the risk of them falling victim to cybercrime. Adverse publicity due to a cyber incident could be catastrophic to the reputation of the product and company.
“Compliance with the ‘Secure Connected Device’ accreditation sends a clear message to the wider industry of the importance of IoT security, and companies accredited to this new SBD standard will lead by example and be at the forefront of the IoT revolution and in doing so will help to keep their customers and the public safer from the risk of a cyber breach”.
SBD has operated an accreditation scheme on behalf of the UK Police Service for products or services that have met recognised security standards for nearly 25 years. These products or services – which must be capable of deterring or preventing crime – are known as being of a ‘Police Preferred Specification’.
Find out more on SBD’s Secure Connected Device accreditation at www.securedbydesign.com/Internet-of-Things