CRIME PREVENTION

ARE YOU COMPLIANT WITH THE PSTI ACT?

The government has mandated compliance with the Product Security and Telecommunications Infrastructure Act 2022 by 29 April 2024. But do you know what the law covers? What the legislation requires? What you need to do? What the penalties are for not complying with the legislation, and how companies can achieve compliance? The Product Security and Telecommunications Infrastructure Act requires manufacturers, importers and distributors to ensure that minimum security requirements are met in relation to consumer connectable products that are available in the UK, and provides a robust regulatory framework for non-compliance. Currently the adoption of cyber security requirements within these products is poor: only one in five manufacturers embed basic security requirements in consumer connectable products, although consumers overwhelmingly assume these products are secure. Hackers know and regularly exploit these vulnerabilities.

WHAT DOES THE LAW COVER?

This law applies to all consumer IoT products, including but not limited to:

connected safety-relevant products such as door locks
connected home automation and alarm systems
Internet of Things base stations and hubs to which multiple devices connect
smart home assistants
smartphones
smoke detectors
connected cameras
connected fridges, washers, freezers, coffee machines

WHAT DOES THE LEGISLATION REQUIRE?

The Product Security and Telecommunications Infrastructure legislation covers the following three main security features:

Consumer IoT devices will not be allowed to have universal default passwords. This makes it easier for consumers to configure their devices securely, preventing them from being hacked by cyber criminals.

Consumer IoT devices will have to have a vulnerability disclosure policy. This means manufacturers must have a plan for how to deal with weaknesses in software, which makes it more likely that such weaknesses will be addressed properly.

Consumer IoT devices will need to disclose how long they will receive software updates. This means that software updates are created and released to maintain the security of the device throughout its declared lifespan.

WHAT NEEDS TO BE DONE?

Businesses who produce or supply IoT connected products need to ensure that they are aware of the new law and have taken the appropriate steps to ensure that they are compliant with its requirements.

WHAT ARE THE PENALTIES FOR NOT COMPLYING WITH THE LEGISLATION?

The robust regulatory framework within the law contains an enforcement regime with civil and criminal sanctions aimed at preventing insecure products being made available on the UK market. This enforcement regime enables the government to take a range of actions against companies that are not compliant with the law by 29 April 2024. This includes:

Enforcement notices: compliance notices, stop notices and recall notices
Monetary penalties: the greater of £10 million or four per cent of the company’s qualifying worldwide revenue
Forfeiture: of stock which is in the possession or control of any manufacturer, importer or distributor of the products, or an authorised representative

HOW CAN SBD’S SECURE CONNECTED DEVICE ACCREDITATION HELP WITH COMPLIANCE?

Secured by Design’s (SBD) Secure Connected Device accreditation scheme, developed in consultation with the Department for Science, Innovation and Technology (DSIT), helps companies to get their products appropriately assessed against all 13 provisions of the ETSI EN 303 645 standard, a requirement that goes beyond the Government’s legislation, so that companies can not only demonstrate their compliance with the legislation but also help protect themselves, their products and their customers. It is a unique and recognisable accreditation that highlights products as having achieved the relevant IoT standards and certification.

The SBD Secure Connected Device IoT Assessment identifies the level of risk associated with an IoT device and its ecosystem, providing recommendations on the appropriate certification routes with one of the SBD approved certification bodies. Once third-party testing and independent certification for a product has been achieved, the company can apply to become an SBD member, with the product receiving SBD’s Secure Connected Device accreditation. The Secure Connected Device accreditation is the only way for companies to obtain police recognition for the security of their IoT products in the UK. Find out more on SBD’s Secure Connected Device accreditation and the companies who have achieved it to date at www.securedbydesign.com/IoT

Secured by Design  enquiries@police-cpi.co.uk  0203 8623 999  www.securedbydesign.com/iot

Spring 2024 UKManufacturing