Also online at: www.dijonline.co.uk
THE door industry journal, summer 2023, page 22
Industry News

Are You Ready for April 2024?

The Product Security and Telecommunications Infrastructure Act 2022 received Royal Assent on 6th December 2022 and has been enacted into law. The government have now announced that companies have a period of a year to implement the changes put forth in the legislation, with compliance required by 29th April 2024.

This law applies to all consumer IoT products, including but not limited to:

• connected safety-relevant products such as door locks
• connected home automation and alarm systems
• Internet of Things base stations and hubs to which multiple devices connect
• smart home assistants
• smartphones
• smoke detectors
• connected cameras
• connected fridges, washers, freezers, coffee machines

Whilst consumer connectable products such as those listed above offer huge benefits for people and businesses to live better connected lives, to date the adoption of cyber security requirements within these products is poor: only 1 in 5 manufacturers embed basic security requirements in consumer connectable products, although consumers overwhelmingly assume these products are secure.

Whilst connectable consumer products have previously had to comply with existing regulation to ensure that they will not directly cause physical harm from issues such as overheating, environmental damage or electrical interference, they have not been regulated to protect consumers from cyber harm such as loss of privacy and personal data. To close this regulatory gap, the government introduced the Product Security and Telecommunications Infrastructure Act.

The Product Security and Telecommunications Infrastructure Act 2022 requires manufacturers, importers and distributors to ensure that minimum security requirements are met in relation to consumer connectable products that are available to consumers. It provides a robust regulatory framework that can adapt and remain effective in the face of rapid technological advancement, the evolving techniques employed by malicious actors, and the broader international regulatory landscape.

Many IoT products are still produced with a default password that is either commonly used (such as "password") or easily obtainable online. Hackers know and regularly exploit this vulnerability.

The PSTI legislation covers the following three main security features:

• Consumer IoT devices will not be allowed to have universal default passwords.
  This makes it easier for consumers to configure their devices securely to prevent them being hacked by cyber criminals.
• Consumer IoT devices will have to have a vulnerability disclosure policy.
  This means manufacturers must have a plan for how to deal with weaknesses in software, which makes it more likely that such weaknesses will be addressed properly.
• Consumer IoT devices will need to disclose how long they will receive software updates.
  This means that software updates are created and released to maintain the security of the device throughout its declared lifespan.

The regulatory framework

The regulatory framework within the law enables the government to take a range of actions against companies that are not compliant with it by 29th April 2024. This includes:

• Enforcement notices: compliance notices, stop notices and recall notices
• Monetary penalties: the greater of £10 million or 4% of the company's qualifying worldwide revenue
• Forfeiture: of stock that is in the possession or control of any manufacturer, importer or distributor of the products, or an authorised representative