
21 May 21

UK Government intention to introduce legislation on the cybersecurity of connected Consumer Products

On the 21st April 2021 the UK government announced its intention to legislate the cyber security of “connected” devices to protect the UK consumer from unsecure connected products.

This intention was further supported by a reference in the Queen's Speech to Parliament and the subsequent government Background Briefing Notes, which outline the forthcoming Product Safety and Telecommunications Infrastructure Bill.

Examples of consumer products within the scope of this legislation include devices such as smart TVs, toys, baby monitors, cameras and wearables. Interestingly, laptops and desktop computers are currently considered out of scope, although this may change in the future.

UK regulations already exist for consumer products, such as the Electrical Safety regulations and Radio regulations, but this is additional legislation which aims to protect the consumer by ensuring that consumer internet-connected products comply with a minimum baseline of cyber security.

In 2020 the government ran a call for views on proposals for domestic UK legislation and those views have been assessed and the Government response has been published.


This announcement and its associated documents provide an overview of the government's updated policy intentions for the proposed legislation to regulate the cyber security of consumer connected products. It does, however, make a cautionary statement at this stage: "The indicative detail should not be interpreted as final legislative text, or representative of what the legislation would look like when brought into force". It also states that "The government will now legislate, when parliamentary time allows".

From these statements, it follows that the details of the legislation, and when it will be finalised, cannot be determined or even speculated upon at this stage. What can be assumed with certainty is that legislation is coming and that manufacturers of consumer network-connected devices need to make preparations to ensure they comply with that legislation when it does arrive.

The UK legislation pivots around several policy objectives directed at protecting citizens, networks and infrastructure, whilst adopting a proportionate approach without compromising effectiveness.

Although the intended legislation is yet to be fully defined and formalised, 12 key policy positions have been presented which underpin the government's intended legislation. These policy positions range from the scope of the intended legislation, to the responsibilities of economic actors (manufacturers and distributors), to how the legislation is to be enforced.

The intended legislation is derived from the published ETSI standard EN 303 645, which defines 13 security provisions. However, at present only the first three provisions are being considered. These are:

  • Ban universal default passwords
  • Implement a means to manage reports of vulnerabilities
  • Provide transparency on for how long, at a minimum, the product will receive security updates

The number of provisions which are to be applied may possibly increase in the future.

Whilst we wait for the legislation to be mandated, it is prudent to understand that responsibility lies with the manufacturer or the entity placing the product on the market, and that they must ensure that a good level of security is designed in and that the consumer is protected. Leaving it until the legislation actually becomes mandatory could be too late for some organisations, and indeed for the consumer, with breaches causing irrevocable personal, business or reputational damage.

Therefore, although the legislation may be some time away, it is vitally important that manufacturers employ the principle of Secure by Design and design in good, strong security now! Furthermore, that security needs to be benchmarked through assessment, testing and auditing. The testing principles are common across standard approaches, so even in the absence of mandatory legislation or scope-specific standards, due diligence can be demonstrated now through testing, which will give manufacturers a competitive edge as regulation ultimately becomes mandated.

One final thought. Security is not a one-off task in IoT. It is an ongoing process to ensure that the security status of a device remains current and robust, enabling business and product continuity.

Diligence is paramount in securing the IoT!

How can TÜV SÜD Help?

TÜV SÜD has a global network of cybersecurity hubs, providing testing and assessment to published cybersecurity standards for both consumer and non-consumer (industrial) IoT devices. These include:

  • EN 303 645 (implementing the TS 103 701 methodology) – Cyber Security for Consumer Internet of Things: Baseline Requirements
  • UK (intended) legislation – referencing EN 303 645
  • NIST IR 8259 – IoT Device Cybersecurity Capability Core Baseline – Guidelines
  • Bespoke solutions: offering the above as a baseline, but which may also include more rigorous assessment
