Business info issue 156

Q&A

Are you PSTI Act compliant?

April 29, 2024. Just another day? Not if you are a manufacturer, importer or distributor of IoT connectable products, as this is the date for compliance with the Product Security and Telecommunications Infrastructure Act 2022. Here, Secured by Design National Manager Michelle Kradolfer answers common questions about the Act, its requirements, potential penalties and how businesses can ensure they comply with the law.

What exactly is the PSTI Act?

The Product Security and Telecommunications Infrastructure Act 2022 requires manufacturers, importers and distributors to meet minimum security requirements in relation to consumer connectable products and contains a robust regulatory framework to ensure compliance. The Act became law in December 2022, and last year the government announced it was giving businesses in the supply chains of these products a year to be compliant with the legislation, setting 29th April 2024 as the compliance date.

What products are covered by the Act?

The law applies to all consumer IoT products, including but not limited to:
• connected safety-relevant products, for example door locks
• connected home automation and alarm systems
• Internet of Things base stations and hubs to which multiple devices connect
• smart home assistants
• smartphones
• smoke detectors
• connected cameras
• connected fridges, washers, freezers, coffee machines

Why was this legislation introduced?

The adoption of cyber security requirements within these products has been poor, with only 1 in 5 manufacturers embedding basic security requirements in consumer connectable products. Consumers overwhelmingly assume these products are secure. However, hackers know otherwise and regularly exploit vulnerabilities. In 2021, Which? undertook a study to look at how a smart home could be at risk from hackers. It set up its own smart home and detected more than 12,000 scanning or hacking attempts in a single week. Without appropriate levels of security, any internet-connected device or app is at risk of being readable, recognisable, locatable and/or controllable via the internet, thus providing cyber criminals with the ‘key’ to access and steal personal data. This can then be used for a multitude of criminal purposes, including burglary, theft, blackmail, harassment and stalking.

What does the legislation require?

The Product Security and Telecommunications Infrastructure legislation mandates the following three main security features.
• Consumer IoT devices will not be allowed to have universal default passwords.
• Consumer IoT devices will have to have a vulnerability disclosure policy.
• Consumer IoT devices will need to disclose how long they will receive software updates.

What do affected businesses need to do?

Businesses that produce or supply IoT connected products need to ensure that they are sighted on the new law and have taken the appropriate steps to ensure they are compliant with its requirements.

What are the penalties for companies that produce or supply non-compliant IoT connected products?

The robust regulatory framework within the law contains an enforcement regime with civil and criminal sanctions aimed at preventing insecure products from being made available on the UK market. It enables the government to take a range of actions against companies that are not compliant by 29th April 2024, including:
• Enforcement notices: compliance notices, stop notices and recall notices.
• Monetary penalties: the greater of £10 million or 4% of the company’s qualifying worldwide revenue.
• Forfeiture of stock in the possession or control of any manufacturer, importer or distributor of the products, or an authorised representative.

How can we ensure our products meet the compliance requirements?

Secured by Design (SBD), an official police security initiative that aims to improve the security of buildings by recognising security-related products that meet certain standards, runs a Secure Connected Device accreditation scheme, developed in consultation with the Department for Science, Innovation and Technology (DSIT). This helps companies to get their products assessed against all 13 provisions of the ETSI EN 303 645 standard. As these go beyond the requirements of the PSTI Act, Secure Connected Device accreditation demonstrates compliance with Government legislation and a supplier’s commitment to do even more to protect themselves, their products and their customers. This unique and widely recognised scheme gives consumers confidence that any accredited products have achieved the relevant IoT standards and certification.

Michelle Kradolfer is the Secured by Design National Manager and Internet of Things Technical Officer. She joined Secured by Design in March 2022, after working for two years as a Cyber Development Officer at the Police Digital Security Centre. She has a Masters in Criminology, an MSc in Cybercrime and Digital Investigation and, in 2019, was accredited as a CipherTrace Certified Examiner (CTCE) after undertaking a course on blockchain forensics.

Find out more on SBD’s Secure Connected Device accreditation and the companies that have achieved it to date at www.securedbydesign.com/IoT
