    November 29, 2024

    Update on various requirements for IoT cyber security


    Cyber security for IoT in EU

    The IEC Academy recently held a webinar with an update of present regulations and standards around the world for Internet of Things connected products, such as:

    California SB-327 - A US state law that went into effect on 1 January 2020. The purpose of this law is to extend already existing privacy laws to connected devices and the information they collect, store, and transmit. It requires, among other things, that the device be designed to protect that information from unauthorized access, destruction, use, modification, or disclosure.

    UK Product Security and Telecommunications Infrastructure (PSTI) – A legislative framework that came into effect on 29 April this year. It is designed to ensure that businesses involved in the supply chains of consumer connectable products are compliant with the new security requirements.

    EU Cyber Resilience Act (CRA) – A new regulation by the European Commission that aims to improve cyber security and cyber resilience in the EU. It will apply to manufacturers and retailers of products with digital elements, extending throughout the product lifecycle.

    ETSI EN 303 645 - A globally applicable European standard to establish a good security baseline for consumer IoT cyber security. Several supporting documents are available to assist in the evaluation, including ETSI TR 103 621, with guidance and examples of implementations for each test case, and ETSI TS 103 701 providing a conformance baseline for the test requirements.

    EN 18031 standard series – A standard for cybersecurity finally published in August this year to support the European Radio Equipment Directive (RED). The standard has 3 parts covering Articles 3.3 d), e), and f) of RED: network security, privacy, and monetary transfers. Although not yet ‘harmonized’, it is the standard to use for RED compliance. (On 5 December, Nemko provides a full-day course on EN 18031; see Upcoming events below.)

    Cyber Assured V2.0 2022 - A branded testing program published by the UK National Cyber Security Center for consumer IoT products. The program provides comprehensive, risk-appropriate IoT security testing for connected consumer products, continuous vulnerability monitoring, a certification mark, and an external website.

    Australian Cyber Security Bill 2024 – The draft was on public hearing until 14 November and is expected to be adopted within this year with a 1-year introduction period.
    Under the Cyber Security Bill, responsible entities will be required to manufacture and/or supply smart devices in Australia in compliance with the relevant security standard for the specified device. Responsible entities will be required to provide a statement of compliance if requested by the Secretary of the Department of Home Affairs.

    For further information, please contact Geir.Horthe@nemko.com

    (The article is based mainly on an IEC Academy course on 3 October and was edited by T.Sollie)
