Published On: Fri, Jan 12th, 2024

BSI collaborate with Secured by Design on Secure Connected Device accreditation

The business improvement and standards company BSI is collaborating with Secured by Design, the official police security initiative, on the SBD Secure Connected Device accreditation, which helps companies demonstrate their compliance with the Product Security and Telecommunications Infrastructure Act legislation.

The Product Security and Telecommunications Infrastructure (PSTI) Act was enacted into law last December, with the government subsequently announcing that companies have until 29th April 2024 to implement the changes put forth in the legislation.

The PSTI Act applies to all consumer-connectable IoT products, including, but not limited to, safety-relevant products such as door locks, home automation and alarm systems, smart doorbells and cameras.

Secured by Design’s (SBD) Secure Connected Device accreditation scheme, developed in consultation with the Department for Science, Innovation and Technology (DSIT), helps companies demonstrate their compliance with the legislation. The SBD IoT Device Assessment identifies the level of risk associated with an IoT device and its ecosystem, evaluating it and suggesting certification routes to help companies meet the Act’s requirements.

One such certification route is through BSI: BSI’s Certificate of Conformity for Cyber Security for Consumer Internet of Things (IoT) has been accepted into SBD’s Secure Connected Device framework. BSI is the national standards body of the United Kingdom, which produces technical standards for a wide range of products and services and also supplies certification and standards-related services to businesses.

The robust standards of SBD Secure Connected Device accreditation exceed government legislation by ensuring IoT products are appropriately assessed and certified against all provisions of the ETSI EN 303 645 European Standard, with an annual appraisal ensuring compliance with evolving government requirements and cyberthreats.

SBD National Manager Michelle Kradolfer said: “I am delighted to announce that we have included BSI’s Certificate of Conformity for Cyber Security for Consumer Internet of Things (IoT) into SBD’s Secure Connected Device framework. It provides companies another route for their products to be tested against all provisions of the ETSI EN 303 645 standard and prove their compliance.

“It is important for companies to ensure that their IoT products are built as securely as possible and an integral part of doing so is getting their IoT products appropriately assessed and accredited. Companies only have until 29th April 2024 to achieve compliance – which is now only five months away.

“By obtaining our Secure Connected Device accreditation and undergoing a testing and certification process, companies are sending a clear message on the importance of IoT security for their products, which will make them stand out from the crowd and inspire confidence from consumers.”

Carlos Perez Ruiz, Global Digital & Connected Product Certification Director at BSI said: “IoT technology offers huge opportunity across society, but building confidence in it is crucial. With BSI’s IoT Kitemark continuing to provide the highest levels of assurance for the cyber security of high-risk connected devices, we are pleased to extend our collaboration with Secured by Design with the addition of BSI’s Certificate of Conformity scheme into SBD’s Secure Connected Device framework.

“By means of a comprehensive third-party testing and certification scheme, more manufacturers of consumer connectable products have the opportunity to launch smarter and safer products to ensure a secure online environment and assure compliance ahead of the UK’s upcoming IoT product cybersecurity legislation, the PSTI Act, coming in 2024.”

What do businesses need to do?

Businesses that produce or supply IoT connected products need to ensure that they are aware of the new law and have taken the appropriate steps to ensure that they are compliant with its requirements.

The minimum security requirements contained in the law are based on the UK’s Code of Practice for Consumer IoT Security, on the leading global standard for consumer IoT security, ETSI EN 303 645, and on advice from the UK’s technical authority for cyber threats, the National Cyber Security Centre.

The regime will also ensure other businesses in the supply chains of these products play their role in preventing insecure consumer products from being sold to UK consumers and businesses.

What are the penalties for not complying with the legislation?

The regulatory framework within the law contains an enforcement regime with civil and criminal sanctions aimed at preventing insecure products from being made available on the UK market. This enforcement regime enables the government to take a range of actions against companies that are not compliant with the law by 29th April 2024. These include:

  • Enforcement Notices: Compliance notices, Stop notices and Recall notices
  • Monetary penalties: the greater of £10 million or 4% of the company’s qualifying worldwide revenue
  • Forfeiture: of stock which is in the possession or control of any manufacturer, importer or distributor of the products, or an authorised representative