Choose another country to see content specific to your location

//Select Country

Regulating consumer smart product cyber security in the UK

Understand what it is and have your say

24 August 2020

Unsecure consumer devices

Most people are aware that anything which connects to the internet becomes an automatic target for attack by malicious actors or hackers! The list of devices is endless but consumer items like IP cameras, Smart TV’s, fitness devices, laptops, etc are typical examples. The collective term for all these devices is often referred to as the 'Internet of Things' or 'The IoT'.

To protect these consumer items and to combat the hacker, a good level of cybersecurity must be implemented to protect them. However, how does a consumer know if their device is protected? They may not even consider this, as it could be (and usually is) accepted as given that it is secure and protected. Unfortunately, that is not always the case, and products could be placed on the market with weak protection making them vulnerable to attack and compromise. The consequences of such a compromise could vary from trivial annoyance to a loss of personal data, business disruption or even injury and loss of life. The list of consequences is endless.

To address this, governments and regulatory bodies around the world are taking steps to ensure that manufacturers take responsibility for ensuring that consumer devices have at least some basic provisions to provide a baseline cybersecurity protection.

Mandatory UK Cybersecurity Law – Call for Views

The UK government, in the very near future, will be implementing legislation to ensure stronger security is built into consumer products. Before legislation is imposed, a policy paper has been released which is a 'Call for Views' on the proposed legislation to test the approach and it welcomes “Input from all interested parties, from individual organisations impacted by the proposed regulation, to trade associations, consumer groups, and cyber security subject-matter experts”.

Policy paper - Call for Views

Overview of the proposed legislative approach

The paper does make it very clear that at this stage the legislative approach is proposed and could be subject to change. It is also clear that this legislation is intended only for consumer products.

The scope of what is considered a consumer product includes (but not limited to):

  • connected children’s toys and baby monitors
  • connected safety-relevant products such as smoke detectors and door locks
  • Internet of Things base stations and hubs to which multiple devices connect
  • smart cameras, TVs and speakers
  • wearable health trackers
  • connected home automation and alarm systems, especially their gateways and hubs
  • connected appliances, such as washing machines and fridges
  • smart home assistants
  • smartphones, laptops and PCs

The proposed UK security requirements are derived from the key provisions within European Telecommunications Standards Institute (ETSI) European Standard (EN) 303 645 v2.1.1, but it does states that the government may over time add additional requirements.

The proposal sets out 3 key security requirements which manufacturers should consider:

  • Requirement 1 – Ban universal default passwords in consumer smart products
  • Requirement 2 – Implement a means to manage reports of vulnerabilities
  • Requirement 3 – Provide transparency on for how long, at a minimum, the product will receive security updates

The intention is that legislation will align with that of existing legislation as set out in the General Product Safety Regulations 2005. These regulations define the entities who will have to comply with the legislation and what their obligations will be; these entities are namely ‘Producers’ (which includes manufacturers and importers) and ‘Distributors’. Simply, the ‘Producers’ are prohibited from supplying products which do not meet the security requirements. The ‘Distributors’ (which covers retailers and online ‘marketplaces’) will have a duty of care to ensure products they make available meet the security requirements.

Should a non-compliance be observed, the indicative approach may involve a notification to the manufacturer requesting a response for action, such as bringing the product into compliance. Further non-compliance may attract more severe actions such as withdrawal from the market, forfeiture or financial penalties. The financial penalty could potentially be particularly severe, when understanding that other regulations are considering fines of up to 4% of annual worldwide turnover! The organisation which will be the enforcement body is not yet understood.

Global Legislation

However, this is just the start! Governments around the world are introducing legislation to ensure that only secure consumer products are placed on the market and this will continue to increase. Europe is certainly forward looking and thinking in regards to cybersecurity, as are countries like Singapore, Japan and the US; in fact, the US states of California and Oregon have introduced legislation which mandates that manufacturers of IoT devices shall equip them with “reasonable security features”, this also applies to all IoT devices not just consumer devices.

What next for manufacturers, producers or distributors?

Firstly, have a look at the Call for Views document and understand what it is about and if of interest complete the online survey to make a contribution to the governments legislative approach.

Online survey

If you want to know more about the assessment and testing of consumer products to European Standard (EN) 303 645 v2.1.1, please contact us.

Joe Lomako, Business Development Manager IoT at TÜV SÜD

 

IoT Device Cybersecurity | Penetration Testing

Next Steps

Select your location

Global

Americas

Asia

Europe

Middle East and Africa