How kitemarks are kicking off IoT regulation
Regulation of the Internet of Things (IoT) has always been a contentious subject. Those against it claim it stymies the growth of a nascent industry, while those advocating for it argue it drives adoption of industry best practices and helps establish standards.
In an effort to straddle the divide, the Department for Digital, Culture, Media and Sport (DCMS) launched its Code of Practice back in 2018. Enshrined in this were 13 “Secure by Design” principles aimed at helping manufacturers put security controls in place and offer a base level of customer care. The Code of Practice was voluntary and carried no repercussions for ignoring it, and so was toothless, which is why many believe its adoption was lacklustre.
Yet a lot has happened since 2018. In 2020 the EU, via ETSI, introduced EN 303 645, the first globally applicable industry standard for internet-connected consumer devices, based on the Code of Practice. Under it, the manufacturer or an appointed third party provides documentation on the device under test (DUT): an Implementation Conformance Statement (ICS) and Implementation Extra Information for Testing (IXIT).
The DUT is then assessed under the ETSI TS 103 701 guidelines, which detail the tests and methodology to be used when assessing devices against EN 303 645. This took us that much closer to a real de facto standard for the IoT.
A line in the sand
Later the same year, the UK government admitted that “too many insecure consumer connected products remain on the market and we need to take steps”. A consultation followed, leading to the draft of the Product Security and Telecommunications Infrastructure (PSTI) Bill, which focuses on IoT security, 5G and broadband.
The PSTI takes only the top three guidelines from the Code of Practice, which are also in EN 303 645: a ban on universal default passwords, a means of managing vulnerability reporting, and a minimum duration for security updates. These are the areas regarded as presenting the biggest risks to IoT security, but this narrow focus has also drawn a barrage of criticism of the legislation. Yet, realistically, these requirements were only ever meant to draw a line in the sand. The idea is to start with these controls before introducing other requirements further down the line, such as data protection, securely designed software and hardware, privacy, resilience, and user support.
Formally announced in the Queen’s Speech in May, the PSTI is expected to be passed into law in 2023, when it will come into force across the whole of the UK. However, many of those who took part in the consultation think it will take them up to two years to become fully compliant. That view was echoed in a report by the Internet of Things Security Foundation, which found that 79 percent of firms are expected to fail the anticipated regulations.
Assurance as a trailblazer
While the government was happy to put its weight behind the PSTI, it stopped short of mandating product assurance. For now, assurance will remain voluntary, although the law does include provision to mandate it at a later stage. But it is this assurance that is now leading the way. The DCMS helped fund the rollout of assurance schemes, leading to IASME launching its IoT Security Assured Scheme in 2021. It enables manufacturers to kitemark their products to demonstrate that they have achieved a certain level of security.
The IASME scheme aligns with ETSI’s EN 303 645 and the PSTI, and is also mapped to the IoTSF Security Compliance Framework. It features three levels of security: the Basic level essentially requires compliance with the PSTI, i.e. the top three requirements of the ETSI standard; the Silver level requires compliance with the ETSI mandatory requirements plus data protection provisions; and the Gold level requires the ETSI mandatory requirements, all of the additional ETSI recommended requirements, and the data protection provisions. Manufacturers meeting the criteria will be able to display the relevant badge on their IoT device.
Given the poor adoption of the Code of Practice, IASME wanted to ensure the barriers to entry were minimal, so the scheme aims to be affordable, desirable and achievable. It requires the applicant to work through eight categories of questions about the security controls in place on the connected device and any associated services. These cover issues including passwords and credentials, vulnerabilities and anomalies, software, secure configuration, communications, and usage of data.
A board member from the applying organization must then declare that the claims are true before submitting the application via a portal for review by an approved assessor. This must all be done within six months. Since the process is self-led up to this point, the assessor plays a crucial role in providing feedback from the user perspective and in helping the manufacturer meet the criteria for the desired level of certification. If all criteria are met and the assessor approves the application, accreditation can be awarded in as little as 24 hours.