It is likely that many people will now be aware of the vulnerability of internet connected products; the so called ‘internet of things’. Initially, these connected devices were mostly computers, phones and printers, but today, a wide range of products are connected. First to hit the headlines was the vulnerability of security cameras and baby monitors, rapidly followed by smart doorbells. DHF’s Senior Training & Compliance Officer, Nick Perkins, explains more:
“To make the installation and set-up of these devices as straightforward as possible, many manufacturers had used simple default passwords that could be changed by the consumer, but they had to proactively search for the appropriate settings; the vast majority did not. This meant that access to the system could be gained by those with malicious intent,” explains Nick. “The consequence of a malicious individual gaining access to these devices was two-fold, firstly, they could access private images and secondly, gain access to the wider network and potentially other machines and data on that network.
To address this vulnerability, in April 2024, the UK Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 came into force for the UK market.
This legislation requires manufacturers, importers and distributors to ensure basic internet security is applied to internet connectable products. It applies to all internet connectable products that are not already covered by other legislation requiring them to be internet secure. Exclusions on the basis of ‘other legislation’ include electric vehicle chargers, medical devices, smart meters, and all laptop, desktop and tablet computers without cellular network connectivity, unless exclusively designed for children under 14. All other internet connectable products are potentially within scope on the basis that a consumer (at home or in a business) might be involved in their installation, set up and use.
“For the door, gate, and barrier industry, this means that all internet connectable locking systems, opening and closing devices, automation systems, smart hubs for interconnectivity of things, cameras, and devices to enable remote access to control systems are now within scope and must comply,” continues Nick.
These relatively new UK Regulations require manufacturers, importers and distributors to ensure the internet connectable products they supply are protected in accordance with the first three requirements of section 5 of ETSI EN 303 645; these being:
5.1 - Passwords: universal default and easily guessable passwords must not be used.
5.2 - Reporting of security issues: a point of contact for reporting security issues must be provided and the person making the report must be kept updated until the reported security issue is resolved.
5.3 - Security updates: the product’s security must be supported/kept updated and the length of time for which this will be done must be declared.
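As an added illustration of what requirement 5.1 asks of a product (this is example code, not from the original article, DHF or the ETSI standard), the Python below shows one way a manufacturer's factory provisioning tool could give every unit a distinct password derived from its serial number under a per-batch secret, instead of shipping one universal default, and refuse any password that is in a list of well-known defaults or is otherwise easily guessable. The batch secret, the serial numbers and the blocklist are constructed for the example; a real line would keep the secret in an HSM or secure element and hold the blocklist in a maintained data file.

```python
import hashlib
import hmac

# Constructed for this example only: a real batch secret lives in an HSM or
# secure element on the provisioning line, never in source code.
BATCH_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)

# Illustrative list of universal defaults seen on shipped devices; a real list
# would be far longer and maintained outside the code.
BLOCKLIST = {
    "admin", "password", "1234", "12345", "123456", "default", "root",
    "guest", "user", "000000", "admin123", "pass", "letmein", "qwerty",
}

# 32 symbols, no 0/O or 1/I, so the password can be printed on a label
# without being misread. 256 % 32 == 0, so byte % 32 is an unbiased index.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def is_easily_guessable(password: str) -> bool:
    """Reject universal defaults and trivially guessable values."""
    p = password.lower()
    if p in BLOCKLIST:
        return True
    if len(password) < 8:
        return True
    if len(set(password)) <= 2:          # "aaaaaaaa", "abababab"
        return True
    digits = "0123456789"
    if p in digits or p in digits[::-1]:  # "12345678", "98765432"
        return True
    return False


def derive_device_password(serial: str, batch_secret: bytes = BATCH_SECRET,
                           length: int = 12) -> str:
    """Derive a per-unit password from the serial printed on the device label.

    HMAC-SHA256 under the batch secret gives each unit a different password
    that cannot be recomputed by anyone who lacks the secret, which is what
    separates it from a universal default. 12 symbols from a 32-symbol
    alphabet is 60 bits of entropy.
    """
    digest = hmac.new(batch_secret, serial.encode(), hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])


def provision(serial: str) -> str:
    """Provisioning step: derive the password and refuse to ship a weak one."""
    password = derive_device_password(serial)
    if is_easily_guessable(password):
        raise ValueError(f"derived password for {serial} failed the guessability check")
    return password


if __name__ == "__main__":
    # Constructed serial numbers for the example.
    for serial in ("SN-0001", "SN-0002"):
        print(serial, provision(serial))
    for weak in ("admin", "12345678", "Admin123"):
        print(weak, "rejected" if is_easily_guessable(weak) else "accepted")
```

The derived form is convenient for support (the password can be regenerated from the serial), but it means the batch secret is as sensitive as every password in the batch; a purely random password written to the device and label at the factory avoids that single point of failure at the cost of having to record it per unit.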
Whilst it is not a specific requirement of the new law to use ETSI EN 303 645, the Regulations do require that the measures the standard describes are achieved or exceeded. The implementation of these Regulations in the UK comes in advance of similar legislation planned for EU markets. The product must be supplied with a Statement of Compliance that contains:
• A product type or batch reference,
• the name and address of the manufacturer or authorised representative,
• a declaration that they have complied with the applicable security requirements in Schedule 1 of PSTI 2023,
• the defined support period for the product,
• a signature, name and function of the signatory,
• the place and date of issue of the statement of compliance.
“As there has been a voluntary COP that implements all of the requirements of ETSI EN 303 645 in place in the UK since 2018”, concludes Nick, “manufacturers and suppliers would be wise to consider and work towards compliance with all of the standard’s requirements because the UK legislation will most likely be updated at some point to implement further requirements from the standard into UK law.”
ETSI EN 303 645 can be accessed free of charge here: https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf