During the past weeks, on both sides of the Atlantic, important legislation has been in the pipeline that aims to make consumer IoT products more cyber secure.
EU: Delegated Act to the Radio Equipment Directive
On 29 October 2021, the European Commission adopted the Delegated Act on Cybersecurity to the Radio Equipment Directive (RED), which aims to improve the cybersecurity of wireless devices available on the European market. To defend consumers from cyber threats and protect their privacy and personal data, the act lays down new legal requirements for cybersecurity safeguards, which manufacturers will have to take into account in the design and production of the products concerned. The act is a step towards establishing a comprehensive set of common European cybersecurity standards for wireless products (including connected objects) and services.
The proposed measures cover wireless devices such as mobile phones, tablets and other products capable of communicating over the internet; toys and childcare equipment such as baby monitors; as well as a range of wearable equipment such as smartwatches or fitness trackers.
The delegated act will be complemented by a Cyber Resilience Act, aiming to cover more products, looking at their whole life cycle. Both acts are part of the new EU Cybersecurity Strategy that was presented in December 2020.
If no objection is raised by the European Parliament and the Council, the delegated act will enter into force at the end of December 2021, after which manufacturers will have a transition period of 30 months to start complying with the new legal requirements, i.e. they will not become applicable before mid-2024, in order to respect the timeline of industrial processes. The delegated act will apply to any manufacturer that intends to place a product on the EU market.
The European Standardisation Organisations will be requested to develop the relevant standards the manufacturers will have to comply with. The standards will be developed with the participation of industry and will be assessed by the Commission against the essential requirements laid down by the EU legal framework.
Before placing their products on the EU market, manufacturers will either have to perform a conformity self-assessment, if their product has been designed in accordance with harmonised standards, or have to obtain a third-party assessment from an independent inspection body, regardless of whether or not a harmonised standard was used.
The delegated act only sets out essential requirements. Manufacturers are free to choose the technical specification to comply with the legal requirements. National Market Surveillance Authorities will be responsible for ensuring that only safe and compliant products are placed on the market.
As the act will not apply to devices that come to market before its requirements become applicable in mid-2024, it will take quite some time before European consumers are widely protected against cyber threats.
The full text of the delegated act can be downloaded from: https://ec.europa.eu/growth/system/files/2021-10/C_2021_7672_F1_COMMISSION_DELEGATED_REGULATION_EN_V10_P1_1428769.PDF.
United Kingdom: Product Security and Telecommunications Infrastructure (PSTI) Bill
On 24 November 2021, the UK government introduced the Product Security and Telecommunications Infrastructure (PSTI) Bill to the UK Parliament.
Part 1 of the bill covers the Product Security measures. It aims to protect consumers of all connectable products from cyber harm such as loss of privacy and personal data.
Under the bill, a consumer connectable product is an internet-connectable or network-connectable product, such as smart TVs, smartphones and speakers, children’s toys and baby monitors, safety-relevant products such as smoke detectors and door locks, wearable fitness trackers, home automation and alarm systems, and connected appliances such as washing machines, fridges and smart home assistants. Any “connectable” product will be subject to the new rules. The only major exemption is for desktop and laptop computers, as they are served by a mature antivirus software market.
The security requirements will:
- Ban the use of default passwords. All devices must come with unique passwords and cannot be resettable to any universal factory setting.
- Require manufacturers to alert customers at the point of sale, and keep them updated, about how long a product will receive vital security updates and patches. If there are no such plans in place, that must also be disclosed.
- Require products to have a vulnerability disclosure policy. A point of contact must be made available to make it easier for security researchers and others to report when they discover flaws and bugs in products.
The law will apply not only to manufacturers but also to other businesses including both physical shops and online retailers. Retailers will be forbidden from selling products to UK customers unless they meet the security requirements and will be required to pass on to customers important information about security updates.
The new cyber security regime will be overseen by a regulator, which will be designated once the bill comes into force and will have the power to fine companies for non-compliance up to £10 million or four per cent of their global turnover, as well as up to £20,000 a day in the case of an ongoing contravention.
Once the bill passes both houses and receives royal assent, the government will provide at least 12 months’ notice to enable manufacturers, importers and distributors to adjust their business practices before the legislative framework fully comes into force.
Part 2 of the bill covers the Telecommunication Infrastructure measures and will make changes to the Electronic Communications Code, providing the necessary legal reforms to support the nationwide rollout of 5G networks.
The full text of the bill can be downloaded from: https://bills.parliament.uk/publications/43895/documents/1050.
USA: National Institute of Standards and Technology (NIST) – Cybersecurity Labelling for Consumers: Internet of Things (IoT) Devices and Software
On 12 May 2021, President Biden signed an Executive Order to modernize and implement stronger cybersecurity standards, improve software supply chain security, and protect federal government networks.
Section 4 of the Executive Order directs the National Institute of Standards and Technology (NIST) to initiate two labelling programs: one that takes into account existing labelling programs on the cybersecurity capabilities of Internet-of-Things (IoT) consumer devices, and one on software development practices. NIST is also to consider ways to incentivize manufacturers and developers to participate in these programs. (The agency also received several other directives to enhance the security of the software supply chain.)
In August, NIST released a white paper for public comment recommending a draft set of potential baseline security criteria for IoT devices. On 2 December 2021, taking public feedback into account, NIST released a further discussion paper, “Consumer Cybersecurity Labelling for IoT Products: Discussion Draft on the Path Forward”. The paper identifies three key elements that could provide the foundation for an approach to a cybersecurity label for consumer IoT devices:
- What cybersecurity capabilities the product must demonstrate (Product Criteria)
- How the information is provided (Labelling Recommendations)
- How there can be confidence in the label (Conformity Assessment)
These three elements combined form a labelling approach that provides information to consumers with appropriate assurance.
This latest discussion draft can be downloaded from: https://www.nist.gov/system/files/documents/2021/12/03/FINAL_Consumer_IoT_Label_Discussion_Paper_20211202.pdf.
NIST is to publish details about the IoT cybersecurity criteria for a consumer labelling program (and the secure software development practices) by February 6, 2022.
IoTAC will assess the requirements defined in these documents and will adopt solutions and technologies that allow the IoTAC modules to comply with the new regulations.