Also online at: www.dijonline.co.uk
88 THE door industry journal winter 2024
Automated Gates & Barriers

UK Internet of Things Supply Law

Many people will likely now be aware of the vulnerability of internet-connected products, the so-called ‘internet of things’. Initially, these connected devices were mostly computers, phones, and printers, but today, a wide range of products are connected. The first to hit the headlines was the vulnerability of security cameras and baby monitors, rapidly followed by smart doorbells.

dhf’s Senior Training & Compliance Officer, Nick Perkins, explains more:

“To make the installation and set-up of these devices as straightforward as possible, many manufacturers had used simple default passwords that the consumer could change, but they had to proactively search for the appropriate settings; the vast majority did not. This meant those with malicious intent could gain that access to the system,” explains Nick. “The consequence of a malicious individual gaining access to these devices was two-fold, firstly, they could access private images and secondly, gain access to the wider network and potentially other machines and data on that network”.

To address this vulnerability, in April 2024, the UK Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 came into force for the UK market. This legislation requires manufacturers, importers, and distributors to apply basic internet security to connectable internet products. It applies to all internet-connectable products that are not already covered by other legislation requiring them to be internet-secure.

Exclusions based on ‘other legislation’ include electric vehicle chargers, medical devices, smart meters, and all laptop, desktop and tablet computers without cellular network connectivity unless exclusively designed for children under 14.
All other internet-connectable products are potentially within scope on the basis that a consumer (at home or in a business) might be involved in their installation, setup and use.

“For the door, gate, and barrier industry, this means that all internet connectable locking systems, opening and closing devices, automation systems, smart hubs for interconnectivity of things, cameras, and devices to enable remote access to control systems are now within scope and must comply,” continues Nick.

These relatively new UK Regulations require manufacturers, importers and distributors to ensure the internet-connectable products they supply are protected in accordance with the first three requirements of section 5 of ETSI EN 303 645, these being:

5.1 - Passwords: universal default and easily guessable passwords must not be used.
5.2 - Reporting of security issues: a point of contact for reporting security issues must be provided and the person making the report must be kept updated until the reported security issue is resolved.
5.3 - Security updates: the product’s security must be supported/kept updated and the length of time for which this will be done must be declared.

Whilst it is not a specific requirement of the new law to use ETSI EN 303 645, the Regulations do require that the measures the standard describes be achieved or exceeded. These Regulations are implemented in the UK in advance of similar legislation planned for EU markets.

The product must be supplied with a Statement of Compliance that contains:

• A product type or batch reference,
• The name and address of the manufacturer or authorised representative,
• A declaration that they have complied with the applicable security requirements in Schedule 1 of PSTI 2023,
• The defined support period for the product,
• A signature, name and function of the signatory,
• The place and date of issue of the statement of compliance.
“As there has been voluntary COP that implements all of the requirements of ETSI EN 303 645 in place in the UK since 2018”, concludes Nick, “manufacturers and suppliers would be wise to consider and work towards compliance with