The 10 things you need to know about the UK's new plans for IoT and smart devices

"Despite over 20 billion of smart devices in circulation, fewer than 15% meet basic cybersecurity standards."

Further to its Code of Practice for IoT devices in 2018, and its Consultation on regulatory proposals on consumer IoT security in 2019, the UK government published today its legislative proposals and "Call for Views" regarding cybersecurity of smart devices.

Despite over 20 billion of smart devices in circulation, fewer than 15% meet basic cybersecurity standards. These devices include home security, babycam, smart watches, smart speakers, connected dolls, smart assistants, kitchen appliances or cameras. Basically anything with the word "smart" in front of it or connected to the internet!

So what do you need to know?

1. The UK government has been flexing its muscles on this topic for the past 2 years and this is the final stretch before the guidelines become law. So if you had put the previous governmental messages into the "not urgent" box, it is time to move them to the "attend to now" one if you want to continue supplying/selling IoT devices into the UK!

2. If you want to contribute to this debate on smart device cybersecurity, this is your chance – deadline is: 23:59 (GMT) on Sunday 6 September 2020.

3. Once finalized, these new security standards will apply to all consumer smart products sold in the UK, bar a few exceptions (see n.4 below).

4. Smart meters, automotive vehicles, medical devices (e.g. connected pacemakers and hearing aids – BUT smart watches/fitness app with limited medical device functionality are in scope!) and smart chargepoints are out of scope as they are already (or will be soon) covered by other legislation.

5. This new law will apply to both smart device manufacturers and distributors.

6. If the manufacturer is not based in the UK, this law will apply to its UK representative and if there is none, to the importer of the product.

7. Distributors, i.e. anyone who makes a product available on the UK market, of smart devices will be under a "duty of care" to only supply/make available products that meet the security requirements (see n.8). Marketplaces or platforms for consumer sales online will also be considered distributors!

8. All smart devices must adhere to 3 cybersecurity baselines (these were already in the guidelines so will make it into law – no doubt – integrate these now to your products):

   (a) Device passwords must be unique and not resettable to any universal factory setting;

   (b) Manufacturers must provide a public point of contact so anyone can report a vulnerability;

   (c) Information stating the minimum length of time for which the device will receive security updates must be provided to customers.

9. What if you do not comply? Potential enforcement actions could include:

   (a) temporary ban of the product while tests are undertaken

   (b) permanent ban of insecure products

   (c) service of a recall notice

   (d) courts get involved and can order confiscation or destruction of the smart device or issue a penalty notice imposing a fine directly on the infringing business

10. This legislation will be "technology agnostic" to ensure that it is future proofed.

Obviously there is a bit more in the full text but these are the key points. If you want to review the entire UK government's Call for Views here it is: https://www.gov.uk/government/publications/proposals-for-regulating-consumer-smart-product-cyber-security-call-for-views/proposals-for-regulating-consumer-smart-product-cyber-security-call-for-views#scope-of-regulation
As usual, please reach out if you want to discuss further or need help implementing these into your products and processes.