June 4, 2021
As consumers increasingly rely on connected Internet of Things (IoT) devices, from locks and baby monitors to connected appliances, they need to be able to trust that these devices are designed, built and managed over their lifetime with security and privacy in mind. According to IPSOS Research, UK consumer sales of smart devices have increased 49% since the start of the pandemic, yet today many remain vulnerable to cybersecurity attacks, as evidenced by reports of cyberattacks scrolling across news tickers around the world. These cyber-breaches are made possible by software vulnerabilities that provide numerous entry points of attack.
To help address these vulnerabilities, the UK government's Department for Digital, Culture, Media and Sport (DCMS) in April published its response to feedback on proposals to regulate the cybersecurity of consumer IoT products. Then, on May 11, Queen Elizabeth, in her State Opening of Parliament speech, which sets out the UK government’s agenda for the coming session, referenced the new UK Product Security and Telecommunications Infrastructure Bill in relation to safety for all. The bill helps ensure that smart consumer products, including smartphones and televisions, are more secure against cyber-attacks, protecting individual privacy and security. The planned UK legislative framework outlined in the bill demonstrates how manufacturers of IoT products must meet minimum security requirements and declare and publish their conformity, and how retailers are to verify manufacturers’ declaration of conformity.
“We are committed to making the UK the safest place to be online and are developing laws to put robust security standards in smart products from the start,” said Matt Warman MP, Minister for Digital Infrastructure.
Over the past year, UL has been engaged by DCMS as part of its consultation process. UL commented and gave feedback on DCMS’ proposals, provided a mapping to UL’s IoT Security Rating and outlined how UL has the expertise to support manufacturers and retailers by verifying conformity to the proposed security requirements:
- Security updates: Customers must be informed at the point of sale of the duration of time during which an IoT product will receive security software updates.
- No default passwords: There will be a ban on manufacturers using universal default passwords that are often preset in a product’s factory settings and are easily guessable.
- Vulnerability disclosure: Manufacturers will be required to provide a public point of contact to make it simpler for anyone to report a vulnerability.
These security requirements are in line with the UK Code of Practice for Consumer IoT Security and the ETSI EN 303 645, the European standard that specifies provisions for the security of internet-connected consumer devices and their associated services. UL’s 5-level IoT Security Rating addresses these requirements and also covers additional security requirements or capabilities such as secure reset, secure communications and protection of sensitive information.
“It is fantastic to have UL backing our approach and this continued collaboration with industry will be vital to making sure retailers and shoppers can have confidence in the devices they buy and sell,” Warman said.
Based on emerging global industry consensus on baseline security capabilities, UL’s IoT Security Rating provides a differentiated product security rating and associated label. Upon successfully completing a security assessment, the evaluated product is awarded the achieved security level – Bronze, Silver, Gold, Platinum, or Diamond – which is displayed through the UL Verified Mark. The Mark can be placed on the product, product packaging or be promoted in the physical store or online retail environment.
“Security requirements as proposed by the UK are crucial and are starting to gain adoption by manufacturers and marketplaces globally as industry best practice for IoT cybersecurity,” said Isabelle Noblanc, global vice president and general manager of UL's Identity Management and Security division. “UL’s IoT Security Rating supports manufacturers through verification that their products meet security as required in IoT security regulations and recommended in IoT security guidelines globally, a differentiated UL Verified Mark security label, and security level maintenance and evaluation on an ongoing basis by UL.”
To learn more about connected product security, please visit UL’s IoT Security Rating information page.