Digital TV Group (DTG), the centre for UK digital TV, have announced plans to launch a cyber security conformance scheme building on the UK Government’s Secure by Design programme. The aim of the scheme is to provide consumers and retailers with the confidence that their connected devices are protected against cyber attacks.
Minister for Sport, Media and Creative Industries Nigel Adams said:
“As more of our technology becomes digitally connected, it’s vital that products are secure from cyber threats at the design stage. It’s great that the Digital TV Group are taking this seriously and setting up their own assurance scheme for smart TVs that builds on our world-leading Internet of Things security Code of Practice. This is a positive step forward and another incentive for manufacturers to take cyber threats seriously and not bolt it on as an after-thought.”
Manufacturers will be able to display the Secure by Design (SBD) conformance mark on a product if it meets the minimum requirements and receives certification that it is adequately secure. The SBD conformance specifications will be developed based on the Government’s Code of Practice for Consumer IoT Security, published in October 2018, and corresponding ETSI standard TS 103 645.
The first three guidelines in the Code of Practice, which will be the initial/primary focus of the scheme, are:
- No default passwords – All IoT device passwords shall be unique and not resettable to any universal factory default value.
- Implement a vulnerability disclosure policy – All companies that provide internet-connected devices and services shall provide a public point of contact as part of a vulnerability disclosure policy in order that security researchers and others are able to report issues. Disclosed vulnerabilities should be acted on in a timely manner.
- Keep software updated – Software components in internet-connected devices should be securely updateable. Updates shall be timely and should not impact on the functioning of the device. An end-of-life policy shall be published for end-point devices which explicitly states the minimum length of time for which a device will receive software updates and the reasons for the duration of the support period. The need for each update should be made clear to consumers, and an update should be easy to implement. For constrained devices that cannot physically be updated, the product should be isolatable and replaceable.
The DTG’s next steps are to work with its members to develop the SBD scheme and launch it for consumer electronics related to the TV industry initially. A full list of included product types will be confirmed later.
Dr Ian Levy, National Cyber Security Centre (NCSC) Technical Director, said:
“The IoT Code of Practice was the culmination of work carried out by the NCSC and DCMS in partnership with industry and academia, and it’s great to see DTG building on it in this way.
“The DTG’s conformance scheme will give consumers the confidence that the technology they are bringing into their homes is safe, and I hope it is the first of many industry initiatives based on the Code.”
Richard Lindsay-Davies, CEO for DTG, said:
“The DTG will lead the way by helping our industry to navigate the increasingly complicated policy and regulatory environment and, in doing so, help protect both consumers and industry as IoT increasingly permeates our daily lives.
“The UK SBD scheme will be developed with industry, with the support of Connect Devices Ltd and other partners, ultimately increasing consumer confidence in device security. We look forward to engaging with industry as we build on the DTG’s work from over the past two decades, helping manufacturers provide consumer-trusted products as we continue to grow with the industry as technology evolves.”