So, it’s a lovely day outside, the sun is shining, and I’m sitting staring out of my home office window writing this article. So many of us now work from home since Covid forever changed how the world works, but is there an even bigger change on the horizon?
For me, IoT has the power to change the world in an innumerable and in inconceivable ways. The world in which we live, which was once so vast is getting smaller by the day. Information can now be sent around the world in milliseconds and the amount of data being created every day now numbers at over 1 trillion megabytes.
With this amount of data being generated the question we must ask is how we keep this data secure from would-be cyber criminals. The UK government’s answer to this question was to create a world-leading piece of legislation the Product Security and Telecommunications Infrastructure Act 2022 (PSTI).
What is PSTI you may ask and what does product security have to do with telecommunications infrastructure? Well, this is partly because this piece of legislation started life as two different pieces that as time moved on were melded together by the government. The second part of the act is about taking the Government’s ambition of upgrading the nation’s Internet and digital infrastructure and providing a management system that provides equally for the landowners and telecommunications providers.
What does PSTI hope to achieve then? Well, it enshrines in law a ban on the use of default passwords, a requirement for all companies to publish a vulnerability disclosure process to enable issues to be reported, and a commitment to publish the support period of the device.
Prior to launching PSTI, the Department for Digital, Culture, Media & Sport (DCMS) believed that while IoT consumer products offer huge benefits, implementation of cybersecurity measures and requirements in these products was sporadic with only one in five manufacturers embedding basic security protocols in their products. This lack of standardisation, paired with sometimes weak authentication, inadequate data encryption; lack of over-the-air updates and privacy concerns meant that PSTI has brought in a reckoning of sorts for standardisation of IoT devices.
And this is where the IASME IoT Cyber Certification was born. IASME’s certification was 1 of 3 IoT schemes given funding by the DCMS, the scheme was created with two goals in mind; to create a scheme that can show compliance with PSTI and to give consumers peace of mind that the products they were purchasing do embed basic protocols and adhere to best security practice.
The IASME scheme has two levels, Baseline and Assurance. The baseline scheme covers the 3 PSTI requirements whereas the Assurance level goes above and beyond this.
The EU Standard produced by the European Telecommunication Standards Institute (ETSI) is often referred to by its number, ETSI EN 303 645. This standard identified 13 groups of requirements and within the Assurance level, all 13 of those are required to be met for certification.
The assurance standard, in including all 13 requirements of the EN 303 645, helps businesses protect against any future increase in regulation too, if the government ever looked to increase the measures set out in PSTI, they would invariably look to EN 303 645 to do this.
The scheme is offered to all businesses from huge, multinational co-operations to tiny start-ups; the cost of certification is reflected in this with level 1 starting at £450 for a micro business. Unlike other certifications like Cyber Essentials, IASME Cyber Assurance or others like ISO 27001, the certification is per device, not company-wide.
The assessment process is very straightforward and can be started by downloading the question set from the IASME website for free, so you know what is expected before paying anything. Once you decide that you want to go ahead with certification, you can either come through IASME directly or one of our fully trained certification bodies, then you will get access to our online portal, using the Rizikon platform, to input all the information required.
This is then marked by one of our independent assessors, who will ensure this information is in line with the requirements; if there is any further information needed, they will reach out and discuss it with you. Once all the information is in order, we can issue your certification.
Moving onto level 2, the assessor would then look at conducting a functional test of your device, a review of the documentation such as vulnerability disclosure policies and speaking to staff involved with their device to ask, for example, does the device still offer a basic level of functionality during a network outage?
Once the assessor is satisfied that everything is in order, we can issue your level 2 certificate as well as marketing material to display on your company website to show your certification.
Then you can sit back and know your devices are as secure as they can be, that you are compliant with legislation and that your customer’s data is being protected. Or, you can explore further, we are also partnered with Secured by Design, the official Police Crime Prevention Initiative as a pre-requisite to their accreditation once achieving our level 2 you can apply to them to join their prestigious list of ‘Secure Connected Devices’.
Now, the former DCMS, DSIT have announced that all manufacturers have until the 29thApril 2024 to comply with this legislation or face enforcement actions.
The landscape for cyber regulation across the globe is only going to become more robust with regulations like PSTI coming in more countries, like NIS2 in the USA or the EU’s Cyber Resilience Act.
Get ahead of the curve now and get your device certified to ensure compliance and embed the best practices within your devices.
Jason Blake is the scheme manager for the IoT Certification at the IASME Consortium, joining in January 2023. He has a background in physical security, information security and then landed in IoT; a sector he is very passionate about.