What just happened?
The minimum IoT security requirements for consumer products have just notched up a peg from “should” to “shall”.
The legislation comes into force for the UK market on April 29th 2024.
On 29th April 2023, the UK government announced that the countdown has begun for a new minimum security standards regime for all consumer products with internet connectivity. This has been expected for quite some time, and we now have more information as to ‘when’ those ‘security requirements’ will become ‘legal requirements’.
The good news is that there are no surprises for anyone who has been following the story since the original Code of Practice for Consumer IoT Security was published in 2018, or a little later when the ETSI EN 303 645 standard was published in 2020. We’ve not only been following the story, we’ve helped to write it too, with the fantastic help of our members. And now there is more detail to unveil in this document. It’s written in legalese, but with a little concentration (and your favourite hot drink) it is straightforward enough to understand. To get you up to speed quickly, we cover the salient points in this blog post.
The full title of the new regulation is the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023. Whilst Part 1 of the primary legislation includes manufacturers, importers and distributors as ‘relevant persons’, the new ‘draft’ requirements only specify the responsibilities of manufacturers and importers.
There are 4 schedules:
Schedule 1 sets out the security requirements with which manufacturers of relevant connectable products have to comply in relation to UK consumer connectable products.
Notably:
- Passwords: must be unique per product OR defined by the user. And of course, those factory-determined ‘unique’ passwords must not be easy to guess or enumerate.
- Reporting security issues: there must be at least one point of contact. When that point of contact receives a security report, they must acknowledge it and send updates until a resolution has been achieved.
- Minimum security update period: information on the update period must be published. There is no stated minimum, only that the period must be published. It also says that the period cannot be shortened, but it can be extended.
Schedule 2 sets out conditions which, if met, will deem the manufacturer compliant with the relevant corresponding security requirement.
Notably, those conditions of compliance relate either to the ETSI EN 303 645 standard (provisions 5.1 to 5.3) or, for security reporting only, to the ISO/IEC 29147 standard.
Schedule 3 sets out the list of products to be excepted from being considered relevant connectable products for the purposes of section 4 of the Act.
Some products are excepted, namely:
- Charge points for electric vehicles
- Medical devices
- Smart meter products
- Computers (except those designed for children under the age of 14)
And there is specific wording for excepted products made available in Northern Ireland.
Schedule 4 sets out the minimum amount of information which is required to be stated in a statement of compliance.
Manufacturers will have to supply a minimum amount of information on their statement of compliance and a signature to make the declaration of compliance official. A copy of the statement must be retained for at least 10 years.
What else?
These requirements are a starting point and are the absolute minimum consumers can expect of a ‘secure by default’ product. They will likely change, and therefore reviews are necessary. The regulations also provide for this: they stipulate that the Secretary of State must perform reviews at intervals not exceeding 5 years. This means the first review will be no later than 29th April 2029.
And don’t forget:
The IoT Security Foundation has lots of free resources to help manufacturers meet their obligations under the regulation including Quick Guides & Webinars which you can find here: https://iotsecurityfoundation.org/consumer-iot
PLUS our Best Practice Guides – including the Vulnerability Disclosure Best Practice Guide (for security reporting), here: https://iotsecurityfoundation.org/best-practice-guidelines
Needless to say, if you are a manufacturer, importer or distributor of ‘Relevant Connectable Products’ you should review the full and original texts – ‘regime’ links are in the sidebar.
UK Government Press Release: Starting gun fired on preparations for new product security regime
Co-Founder and Managing Director of the IoT Security Foundation, John Moor, said:
The IoT Security Foundation welcomes this announcement as it brings important cybersecurity assurance to consumers and the networks they connect to, worldwide. It is the culmination of a lot of hard work and determination by many stakeholders, over several years, including consultations with our members.
Regulation is notoriously difficult to get right, especially as the nature of cyber-attacks changes and new vulnerabilities are discovered over time. The PSTI regime not only includes requirements that help address immediate challenges, but its method also anticipates the need for new requirements to be added without stifling innovation or adding unwelcome business costs.
This is truly a milestone moment to support the global digital transformation, making connecting to the digital world safer. We therefore applaud its introduction and encourage policymakers worldwide to work with this ground-breaking regime as it is in our common interest to avoid fragmentation and minimise complexity.