The Product Security and Telecommunications Infrastructure Act 2022 received Royal Assent on 6th December 2022 and was enacted into law. The government has now announced that companies have a period of a year to implement the changes put forth in the legislation, with compliance required by 29th April 2024.
How to get your IoT product SCD accredited
What is the SBD ‘Secure Connected Device’ accreditation?
The Secured by Design 'Secure Connected Device' accreditation scheme is for companies providing IoT connected products and services. It demonstrates that their products have achieved the appropriate and relevant IoT standards and certification from an SBD recognised certification body, thus meeting SBD requirements and providing customers with security assurance.
Why was it introduced?
It was introduced for several reasons. The first is that the Government published the Code of Practice for Consumer IoT Security back in 2018. It was developed by the Department for Digital, Culture, Media and Sport (DCMS) and sets a benchmark of best practice for manufacturers to follow when developing IoT products for the UK market. This was influenced by the ETSI EN 303 645 standard, as well as other IoT-related standards.
The Government have introduced new legislation, the Product Security and Telecommunications Infrastructure (PSTI) Bill, which will:
- Ensure that consumer connectable products are more secure against cyber attacks, protecting individual privacy and security
- Require manufacturers, importers and distributors to comply with new security requirements relating to consumer connectable products
- Create an enforcement regime with civil and criminal sanctions aimed at preventing insecure products being made available on the UK market
Secondly, with the increase in available IoT products and a growing ecosystem of interconnected devices, cyber criminals are targeting and exploiting vulnerabilities in the products and within apps.
This, coupled with growing demand from industry and current members seeking to gain SBD accreditation for products, has led SBD to launch the ‘Secure Connected Device’ accreditation scheme to help manufacturers develop safe IoT products that consumers can use with confidence.
Our aim is simply to prevent crime, which includes criminal activity in the cyber world.
We want to help companies get their IoT products appropriately assessed and certified against all 13 provisions of the ETSI standard, a requirement that goes beyond the Government’s legislation. This not only lets companies demonstrate that they have achieved the appropriate certification but, importantly, protects our member companies, their customers and the public.
We have developed the Secure Connected Device scheme in consultation with DCMS. DCMS supports industry schemes which help consumers make better informed choices when buying connectable devices.
What is the process for accreditation?
Our IoT Device Assessment identifies the level of risk associated with an IoT device and its ecosystem. Based on the results of the assessment, we can advise companies of the appropriate level of certification they need to achieve with one of our SBD approved certification bodies.
Once third-party testing and independent certification for a product has been achieved, the company can then apply to become an SBD member, with the product receiving the SBD ‘Secure Connected Device’ accreditation.
Requirements to obtain the Secure Connected Device accreditation are:
1. IoT products and services need to have achieved the appropriate and relevant IoT standards and certifications conducted by an SBD recognised certification body.
2. The certificate needs to be assessed against all 13 provisions of the ETSI EN 303 645, which goes beyond the 3 provisions being legislated by the UK government.
3. It is required for the assessment to be undertaken by one of the certifying bodies – we do not accept self-assessed certificates.
4. IoT products or services need to be assessed on an annual basis (every 12 months).
5. If you are looking for SBD membership and accreditation for a security product or service which has an IoT element to it, it will be a requirement to not only meet traditional physical security standards, but to also meet the requirements of the ‘Secure Connected Device’ accreditation scheme.
Enquiry into SCD accreditation and SBD membership for your IoT product.
If the product is in scope for the SCD scheme, an IoT device assessment is conducted to determine the appropriate certification route for your product.
Based on the results, you will be given a recommended certification route that you need to achieve with one of our SBD approved certifying bodies.
Complete and achieve third party testing and independent certification with one of our SBD approved certifying bodies.
Apply for SBD membership and gain SCD accreditation for your product.
What are the benefits of the Secure Connected Device accreditation?
- SBD represents a powerful, trusted police brand and the ‘Secure Connected Device’ accreditation is the only way for companies to obtain police recognition for their IoT products in the UK.
- Compliance with the ‘Secure Connected Device’ accreditation sends a clear message to the wider industry of the importance of IoT security.
- SBD member companies accredited to this new SBD standard will lead by example and be at the forefront of the IoT revolution and, in doing so, will help to keep their customers and the public safer from the risk of a cyber breach.
How do I apply?
To enquire about gaining the Secure Connected Device accreditation and becoming an SBD member company.
Whilst the level of assurance provided by this accreditation significantly exceeds that currently recommended by government, no claim to protect against 100% of risks is being made. You are reminded that it is your responsibility to ensure that you have a level of security commensurate with the intended use and associated security threat(s).