The UK government has published the final version of the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023, giving manufacturers of IoT devices clarity as to the security requirements to which their products must adhere.
The Regulations – a draft of which was published in July 2023 and discussed in an earlier blog post – are the second part of the regulatory regime initiated by the Product Security and Telecommunications Infrastructure Act 2022 (“PSTIA”).
The PSTIA gave the government powers to establish security requirements for “connectable products”. The Regulations now set out the detail of these security requirements.
What is a “connectable product”?
The PSTIA defines “connectable products” as either:
- a product which is capable of connecting to the internet; or
- a product which is not capable of connecting to the internet but (i) is capable of both sending and receiving data by means of transmission involving electrical or electromagnetic energy and (ii) meets one of the two ‘connectability’ conditions set out in section 5 of the PSTIA.
Some “connectable products” are, however, excluded by the Regulations. These excepted products include certain:
- products made available for supply in Northern Ireland;
- charge points for electric vehicles;
- medical devices;
- smart meter products; and
- desktop computers, laptop computers and tablet computers which do not have the ability to connect to cellular networks.
What are the security requirements?
The Regulations set out the mandatory password requirements which manufacturers must apply to the hardware and software of their connectable products. Passwords must:
- either be set by the user or be unique per product. This is to prevent manufacturers applying the same default password to all of their connectable products;
- not be based on “incremental counters”: manufacturers cannot assign each device the same password with minor variations (e.g. password1, password2, password3);
- not be based on publicly available information. Similarly, they cannot be based on unique product identifiers (such as serial numbers) unless those identifiers are encrypted in accordance with good industry practice; and
- not be otherwise guessable in a manner unacceptable as part of “good industry practice”. Good industry practice is defined as the skill, diligence, prudence and foresight reasonably and ordinarily expected from a skilled and experienced cryptographer.
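The password rules above are easy to state and easy to get wrong at scale, because the failures (a shared default, a counter, a serial number reused as the password) appear in a provisioning pipeline rather than in any single device. The following is an added example, not code from the Regulations, the blog post or any manufacturer: a per-device password generator driven by a CSPRNG, plus an audit routine that runs over a fleet of (serial number, default password) pairs and flags the patterns the Regulations prohibit. The sample fleet, the serial-number format and the detection heuristics are all assumptions made for the illustration; the audit treats any password derived from a serial number as failing, since it cannot tell whether an identifier was "encrypted in accordance with good industry practice".

```python
import re
import secrets
from collections import Counter

# Constructed sample fleet: (serial number, factory default password) pairs as a
# provisioning system might emit them. Hypothetical data for this example only.
SAMPLE_FLEET = [
    ("SN-000123", "SN-000123"),      # password is the serial number itself
    ("SN-000124", "admin"),          # shared default across devices
    ("SN-000125", "admin"),
    ("SN-000126", "device1"),        # incremental counter
    ("SN-000127", "device2"),
    ("SN-000128", "device3"),
    ("SN-000129", "Xk7#qLp92!vB"),   # random, per-device
]

# Alphabet without easily confused characters (0/O, 1/l/I) so a label can be read back.
ALPHABET = "abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"

# Words an attacker would try first; a real list would be much longer.
PUBLIC_WORDS = ("admin", "password", "1234", "root", "user")

_TRAILING_DIGITS = re.compile(r"^(.*?)(\d+)$")


def generate_unique_password(length=12):
    """Return a per-device password drawn from a CSPRNG.

    The value depends on nothing the device exposes (no serial, MAC or model),
    so it is unique per product and not derivable from a product identifier.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _stem_and_counter(password):
    """Split 'device7' into ('device', 7); return None if no trailing digits."""
    match = _TRAILING_DIGITS.match(password)
    if not match:
        return None
    return match.group(1), int(match.group(2))


def audit_fleet(fleet, public_words=PUBLIC_WORDS):
    """Return {serial: [findings]} for every password that breaks a default-password rule."""
    findings = {}

    def flag(serial, message):
        findings.setdefault(serial, []).append(message)

    # How many devices share each password, and which counters appear per stem.
    occurrences = Counter(password for _, password in fleet)
    counters_by_stem = {}
    for _, password in fleet:
        parsed = _stem_and_counter(password)
        if parsed:
            counters_by_stem.setdefault(parsed[0], set()).add(parsed[1])

    for serial, password in fleet:
        if occurrences[password] > 1:
            flag(serial, "shared with other devices")

        # Serial-derived: the serial, or its digit run, is embedded in the password.
        digits = re.sub(r"\D", "", serial)
        if serial.lower() in password.lower() or (len(digits) >= 4 and digits in password):
            flag(serial, "derived from unique product identifier")

        if password.lower() in public_words:
            flag(serial, "based on publicly available information")

        # Incremental counter: another device has the same stem with an adjacent number.
        parsed = _stem_and_counter(password)
        if parsed:
            stem, n = parsed
            if (n - 1) in counters_by_stem[stem] or (n + 1) in counters_by_stem[stem]:
                flag(serial, "incremental counter")

    return findings


if __name__ == "__main__":
    for serial, problems in sorted(audit_fleet(SAMPLE_FLEET).items()):
        print(serial, "->", "; ".join(problems))
    print("fresh password:", generate_unique_password())
```

Running the audit over the constructed fleet flags every device except SN-000129. The incremental-counter check deliberately requires a neighbouring value on another device, so a single password that happens to end in a digit is not flagged; a fleet provisioned entirely from generate_unique_password produces no findings.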
Reporting security issues
Under the Regulations, manufacturers are required to specify a point of contact to whom security issues can be reported. In addition, a person who reports an issue must be sent an acknowledgement of the report and status updates until the issue is resolved.
All of this information must be made available in English, free of charge and in an accessible, clear and transparent fashion. It must also be provided without the user having to request it, and the manufacturer must not require the user to provide personal information in order to obtain it.
Minimum security update periods
The Regulations require manufacturers to publish the period for which they will provide security updates for their connectable products (referred to as the “defined support period”). If the defined support period is extended, the manufacturer must publish the new period. A manufacturer who subsequently shortens the defined support period will not comply with this security requirement.
Deemed compliance and links to international standards
The Regulations also set out a deemed-compliance regime. Manufacturers will be deemed to comply with the security requirements described above if they adhere to certain specified international standards.
For example, a manufacturer will be treated as complying with the security-reporting requirement if its reporting arrangements meet the provisions of ETSI EN 303 645 and ISO/IEC 29147 referred to in the Regulations. Adherence to the specified provisions of ETSI EN 303 645 on password security and on minimum security update periods will likewise achieve deemed compliance with those requirements.
The Regulations’ alignment of the security requirements with international standards reflects the growing role that standards play in regulating technology. That said, the removal of ETSI from the European Commission’s standardisation request for the EU’s AI Act last December led to some press speculation that there are concerns around its independence. It will therefore be interesting to see how much scrutiny standards come under, given their prominence in technology regulation going forward.
Having now received parliamentary approval, the Regulations will come into effect on 29 April 2024. Manufacturers therefore have time to consider whether their products fall within the definition of ‘connectable products’ and to prepare accordingly. Given, however, that the requirements build on the base set by the UK government’s 2018 Code of Practice for Consumer IoT Security, and do not differ greatly from the draft Regulations published in July 2023, there should be little in the final Regulations to surprise manufacturers.