UK’s PSTI Act: A New Era in IoT Security Compliance

PSTI Decoded

John Moor, Managing Director of the IoT Security Foundation, takes UC Advanced inside the UK’s world leading regulation. John talks directly to those companies that fall under the regulation.

The UK’s PSTI Act came into effect on 29 April 2024 and is a world-leading piece of legislation aimed at protecting consumers by enhancing the cybersecurity of internet-connected devices, ensuring key players in the supply chain meet minimum responsibilities. 

‘PSTI’ applies to a wide range of consumer connectable products, including smartphones, laptops, smart home devices, and wearables. However, it excludes certain items like electric vehicle charging points, medical devices, and smart meters, as these are regulated elsewhere.


At its core, PSTI mandates three essential security requirements for manufacturers:

1. No more universal default passwords – each device must have a unique password or require users to set their own.

2. A vulnerability disclosure policy – manufacturers must establish a clear process for reporting and addressing security vulnerabilities.

3. Transparency about security updates – companies must inform consumers about the minimum duration for which their products will receive security updates.


These requirements aim to set a minimum baseline and address common vulnerabilities and failings in consumer-connected products.

Manufacturers are not the only companies in regulatory scope; importers, distributors, and retailers are also subject to PSTI – that is, any company that makes relevant products available to the UK market.

To give PSTI some teeth, there are significant penalties for non-compliance. Companies found in violation could face fines of up to £10 million or 4% of their global turnover, whichever is greater. The UK Office for Product Safety and Standards (OPSS) is responsible for enforcing these regulations.

It’s also worth noting that PSTI applies to all products made available to consumers after April 29, 2024, even if they were manufactured before the Act came into force. This means companies had to ensure their existing stock met the new requirements or risk being unable to sell them to the UK market.

In terms of the legal apparatus, the product security regime comes in two parts: the primary Act, which is durable, and the secondary legislation, which is subject to change and must be reviewed at intervals of no more than five years. We will therefore see a review no later than April 2029. While compliance with PSTI is mandatory, forward-thinking companies may benefit from adopting a broader security mindset. By aligning with the Act’s origins in the ETSI EN 303 645 standard, businesses can prepare for future requirements, perhaps gaining an operational and competitive edge.

What have we learned since the PSTI was enacted?

From a personal perspective, I already knew regulation was difficult to get right yet I did not fully appreciate the complexity of mandating three very simple requirements. Let me elucidate a little to give you some insight.

The password requirement was included specifically to mitigate the threat of botnets – remove that threat and we’re off to a great start. Yet passwords are one method of authentication control – there may be better options for both users and security. It is beyond the scope of this article to delve deeper here but suffice to say, manufacturers should consider their options more broadly. Indeed, it has been pointed out that user-defined passwords can often be weaker simply because some may (and do) opt for easy-to-remember passwords. And manufacturers could opt to not have a password at all – this would make the device compliant but would defeat the regulation entirely!
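To make the two compliant routes concrete, here is an added illustration (written for this page, not IoTSF or OPSS material): a per-device random factory password recorded at manufacture, and a first-boot policy check for the "user sets their own" route that rejects the empty and easy-to-guess choices the paragraph warns about. The device record, the serial numbers and the small common-password blocklist are constructed for the example.

```python
"""Two compliant ways to meet 'no universal default passwords', plus the
policy check that stops user-chosen passwords becoming the weak link.
Illustrative code added for this article; the blocklist and serials are
constructed, not from any real product line."""
import secrets
import string

# Alphabet without easily-confused glyphs (0/O, 1/l/I) so a printed label reads cleanly.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits if c not in "0O1lI")

# Constructed stand-in for a real list of commonly used passwords.
COMMON_PASSWORDS = {"password", "12345678", "admin", "qwerty123", "letmein1", "welcome1"}


def generate_factory_password(length: int = 12) -> str:
    """Route 1: a random password generated per unit at manufacture and printed
    on the device label. Because it is random rather than derived from the
    serial number or MAC address, it cannot be recovered from public data."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def check_user_password(candidate: str, *, serial: str, min_length: int = 8) -> tuple[bool, str]:
    """Route 2: first-boot policy for a user-defined password.
    Returns (accepted, reason) so the device can explain a rejection."""
    if candidate == "":
        # 'No password at all' is the loophole the article describes: refuse it.
        return False, "empty password not allowed"
    if len(candidate) < min_length:
        return False, f"shorter than {min_length} characters"
    if candidate.lower() in COMMON_PASSWORDS:
        return False, "on common-password blocklist"
    if serial and serial.lower() in candidate.lower():
        return False, "contains the device serial number"
    return True, "ok"


def provision_device(serial: str) -> dict:
    """Manufacturing-line step: record a unique factory password per unit
    (constructed record layout; a real line would store this in a secure database)."""
    return {"serial": serial, "factory_password": generate_factory_password(), "user_password_set": False}


def fleet_has_unique_passwords(devices) -> bool:
    """Audit check: no two units in a batch share a factory password."""
    passwords = [d["factory_password"] for d in devices]
    return len(passwords) == len(set(passwords))


if __name__ == "__main__":
    batch = [provision_device(f"SN{i:04d}") for i in range(5)]
    print("unique across batch:", fleet_has_unique_passwords(batch))
    for pw in ("", "password", "xSN0001y!", "correct-horse-9"):
        print(repr(pw), "->", check_user_password(pw, serial="SN0001"))
```

Either route satisfies the wording of the requirement; the policy check is what keeps the user-defined route from quietly reintroducing the weak credentials the regulation set out to remove.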

Manufacturers will also have to carefully consider the defined support period they offer. Too short a period may put customers off; too long and it may pose a maintenance burden outwith the economics of the market. Generally speaking, consumer products move quickly, hence most will likely opt for a range of 3-5 years. However, it is permissible to have no support at all – so long as it is publicised. Whilst the regulation calls for a specific end date (which can be extended), we have seen examples of a relative date – “2 years after the product’s end-of-life”. This is logical but not compliant with the regulation wording.

There are notably more nuanced issues that have arisen since April 29th last year yet I am out of space for this article. Cybersecurity is a movable feast and meeting minimum expectations through regulation must evolve with it as the practicalities unfold.

So what now?

IoTSF is currently helping UK Government understand the practical implications of the PSTI Act and we need your help – if you’ve anything to say – good or bad – please get in touch as we’d like to hear from you.

And in general, if you’re involved with provisioning cybersecurity in products or part of the compliance team, the IoT Security Foundation is not only a source of free information, it is also a community of like-minded professionals dedicated to making the connected world ‘safe to connect’. In particular for the PSTI Act we have a series of free quick guides and webinars. For those with a security mindset, our IoT Security Assurance Framework is internationally acclaimed and will not only inform you of what to do, but how to do it too – with utility beyond UK regulation. Those resources, along with our regular programme of webinars and conferencing, are all part of a programme to make sure we work together to address the wicked challenge of IoT cybersecurity.

In summary, the UK’s PSTI Act marks a pivotal moment in the regulation of consumer IoT security. By setting minimum security standards and enforcing compliance, the Act aims to create a safer digital environment for consumers while encouraging manufacturers to prioritise cybersecurity in their product development processes. However, we’re seeing examples of unintended consequences that must be addressed to ensure the regulation works as intended during the review – industry feedback is wanted.

Trish Stevens Head of Content
Trish is the Head of Content for In the Channel Media Group as well as being Guest Editor of UC Advanced Magazine.