Brian Sims
Editor

BSI collaborates on Secure Connected Device accreditation

BUSINESS IMPROVEMENT and standards company the British Standards Institution (BSI) is now collaborating with Secured by Design, the official police security initiative, on the Secure Connected Device accreditation, which helps companies to demonstrate their compliance with the Product Security and Telecommunications Infrastructure Act 2022.

The Product Security and Telecommunications Infrastructure Act 2022 received Royal Assent on 6 December 2022. Subsequently, the Government announced that companies have until 29 April 2024 to implement the changes outlined by the new legislation.

This Act of Parliament applies to all consumer-connectable Internet of Things (IoT) products, including – but not limited to – safety-relevant products such as door locks, home automation and alarm systems, smart doorbells and cameras.

Developed in consultation with the Department for Science, Innovation and Technology, the assessment process of Secured by Design’s Secure Connected Device accreditation scheme identifies the level of risk associated with an IoT device and its ecosystem, evaluates it and suggests certification routes that will assist with meeting the requirements of the Product Security and Telecommunications Infrastructure Act 2022.

One such certification route involves the BSI, with the latter’s Certificate of Conformity for Cyber Security for Consumer Internet of Things being accepted into Secured by Design’s Secure Connected Device framework. BSI is the national standards body for the United Kingdom, duly producing technical standards on a wide range of products and services, while also providing certification and standards-related services to businesses.

The robust standards of Secured by Design’s Secure Connected Device accreditation exceed Government legislation by ensuring that IoT products are appropriately assessed and certified against all provisions of the ETSI EN 303 645 European Standard, with an annual appraisal ensuring compliance with evolving Government requirements as well as cyber threats.

Additional route

Secured by Design’s national manager Michelle Kradolfer (a guest on Episode 29 of the Security Matters Podcast) explained: “I’m delighted to announce that we have included the BSI’s Certificate of Conformity for Cyber Security for Consumer Internet of Things into our own Secure Connected Device framework. This move provides companies with another route for their products to be tested against all provisions of the ETSI EN 303 645 European Standard and prove their compliance.”

Kradolfer continued: “It’s important for companies to ensure that their IoT products are built as securely as possible. An integral part of doing so is making sure that all IoT products are appropriately assessed and accredited. Companies only have until 29 April to achieve compliance. That’s only four months away.”

Further, Kradolfer noted: “By obtaining Secure Connected Device accreditation and undergoing testing and certification procedures, companies are sending a clear message on the importance of IoT security for their products. That will make them stand out from the crowd and inspire confidence from consumers.”

Huge opportunities

Carlos Perez Ruiz, global digital and connected product certification director at the BSI, responded: “IoT technology offers huge opportunities right across society, but building confidence in it is crucial. With the BSI’s IoT Kitemark continuing to provide the highest levels of assurance for the cyber security of high-risk connected devices, we’re pleased to extend our collaboration with Secured by Design through the addition of the BSI’s Certificate of Conformity scheme into Secured by Design’s own Secure Connected Device framework.”

He continued: “Thanks to a comprehensive third party testing and certification scheme, more manufacturers of consumer-connectable products have the opportunity to launch smarter and safer products that will ensure a secure online environment and assure compliance in line with the UK’s IoT product cyber security-focused legislation.”

What do businesses need to do?

Businesses producing or supplying IoT connected products need to ensure that they have their sights firmly fixed on the new law and take the appropriate steps towards attaining compliance with its requirements.

The minimum security requirements contained within the law are based on the UK’s Code of Practice for Consumer IoT Security, on the leading global standard for consumer IoT security (ETSI EN 303 645) and on advice from the UK’s technical authority for cyber threats, namely the National Cyber Security Centre.

The regime will also ensure other businesses in the supply chains of these products play their role in preventing insecure consumer products from being sold to UK consumers and businesses.

Importantly, the robust regulatory framework within the law contains an enforcement regime with civil and criminal sanctions aimed at preventing insecure products from being made available on the UK market. This enforcement regime enables the Government to take a range of actions against companies not compliant with the law by 29 April this year.

Those actions include Enforcement Notices (Compliance Notices, Stop Notices and Recall Notices), monetary penalties (the greater of £10 million or 4% of the company’s qualifying worldwide revenue) and forfeiture (of stock which is in the possession or control of any manufacturer, importer or distributor of the products or otherwise an authorised representative).

*Further information concerning the Product Security and Telecommunications Infrastructure Act 2022 is available online alongside detail concerning the 29 April date for compliance

**Find out more about how Secured by Design’s Secure Connected Device accreditation can actively assist with compliance
