The Product Security and Telecommunications Infrastructure (PSTI) Bill was introduced to Parliament today (November 24th 2021).
The new law will require manufacturers, importers and distributors of connected devices to ensure they meet tough new cyber security standards – with heavy fines for those who fail to comply.
It will prevent the sale of consumer connectable products in the UK that do not meet baseline security requirements – including a ban on universal default passwords, transparency about security flaws and fixes, and the creation of a better public reporting system for vulnerabilities found in those products.
Proposed fines for firms that fail to comply have been set at £10 million or up to 4 per cent of global revenue.
SafeShark from the DTG
Set up through DCMS funding, SafeShark is a Joint Venture between DTG Testing and Connect Devices, backed by BSI to provide the leading independent certification for new IoT cybersecurity standards. SafeShark certification is designed to secure consumer trust and ‘Protect, Prepare and Enhance’ product, offer and brand position.
What does legislative compliance look like?
There are three security requirements for legislative compliance:
- All consumer internet-connected device passwords must be unique and not resettable to any universal factory setting.
- Manufacturers of consumer IoT devices must provide a public point of contact so anyone can report a vulnerability and it will be acted on in a timely manner.
- Manufacturers of consumer IoT devices must explicitly state the minimum length of time for which the device will receive security updates at the point of sale, either in store or online.
These requirements are a subset of a European IoT cyber security standard (ETSI EN 303 645) and associated test specification (ETSI TS 103 701).
Is this enough?
These three requirements represent a minimum baseline for compliance and, on their own, are not enough to build trust around a product or brand.
DCMS has said the regulation is the first step on a journey, and it is undoubtedly the rock on which secure IoT can be built – but it is not, by any means, the entire solution. Compliance alone will not represent or demonstrate good practice, but the standard does. So, there is a unique opportunity for first movers to go beyond basic compliance and drive differentiation by forging trust with an ever more security-savvy consumer base. Proactive manufacturers will:
- Protect their customers, their business, their investors, their reputation, and their brand position.
- Prepare for the legislation and increasing consumer demand before this becomes a business-critical issue.
- Enhance their products and brand early on, building a reputation and trust by taking a hard consumer protection stance.
SafeShark’s assessment process will incorporate the requirements in the ETSI test specification that have been classified as ‘Mandatory’. But it takes manufacturers beyond that, turning compliance into a competitive edge and combining accessibility and affordability using its automated Intercept software.
Preparation and protection
The UK Government has said the legislation will adapt over time to remain effective. Additionally, with European requirements also being developed, the SafeShark assessment process will ensure products are prepared for future developments, protecting customers, shareholders, and brand trust.
We are here to support manufacturers, help navigate the legislation, ease the burden of in-house testing and self-certification, and ensure your products demonstrate appropriate security certification.
Going beyond basic compliance, the BSI mark demonstrates a rigorous, objective, and independent verification of a connected device’s security – offering peace of mind to consumers and shareholders, and giving manufacturers a genuine, certified point of differentiation on shelf.
Our proprietary testing platform – Intercept – is the only pass/fail model in this market providing repeatable, objective results. Our UKAS-accredited lab in Central London – the UK’s only comprehensive testing and accreditation centre for digital TV devices and services – incorporates the DTG Testing Zoo, the world’s largest independent collection of connected televisions and devices and our team of dedicated expert technologists.
SafeShark’s best-in-class service ensures the device is subjected to continuous testing throughout its market life, so that our certification remains valid. The manufacturer and retailer remain informed and confident in the security credentials, ultimately protecting the end consumer.
Where do I find out more?
Visit safeshark.co.uk for more information, to sign up for legislation updates or to book a call with one of the team.
Alternatively, email [email protected]