According to a 2020 report by the Internet of Things Security Foundation, only 1 in 5 manufacturers include security requirements in their consumer connectable products, leaving consumers open to risk. With this in mind, the UK government has introduced the Product Security and Telecommunications Infrastructure (PSTI) Act, an upcoming cybersecurity regulation. This legislation seeks to bolster the security of consumer connectable products by imposing minimum security requirements manufacturers must adhere to.
In this article, we will delve into the details of the PSTI Act, discuss the compliance implications for manufacturers, and explore the new powers it grants to enforcement authorities.
The PSTI Act goes into effect on April 29, 2024. After that date, manufacturers of consumer connectable products (also called Internet of Things or IoT devices) must comply with the security requirements laid out in the Act.
The PSTI Act’s goal is to ensure that consumer connectable products are more secure against cyber attacks.
The PSTI Act also establishes an enforcement regime to prevent cyber-insecure products from being sold in the UK.
The PSTI Act was officially signed into law in 2022, and the PSTI Regulations come into full effect on April 29, 2024. The regulation marks a new era for cybersecurity in the UK, as it mandates new minimum security requirements that manufacturers, importers, and distributors of consumer connectable products must comply with.
Consumer connectable products include products that are connectable to the internet or other communication networks, such as smartphones, laptops, smart home devices, and wearables. These products have become ubiquitous in consumers’ daily lives, but many lack cybersecurity features, making them a primary target for cybercriminals. The PSTI Act aims to mitigate these risks and protect consumers by ensuring that manufacturers incorporate security measures into their products.
Part 1 of the Act focuses on product security, while Part 2 of the Act focuses on improvements to telecommunications infrastructure. This article focuses solely on Part 1.
New security requirements that manufacturers must adhere to are laid out in Schedule 1 of the PSTI Regulations 2023.
For example, the regulation lays out requirements for passwords set by the manufacturer: such passwords must either be defined by the user or be unique to each individual product.
In summary, the security requirements in the PSTI Act are as follows:
Default passwords, or easily guessed passwords, are banned.
Products must have a “vulnerability disclosure policy.” The Act requires manufacturers to put measures in place that allow those outside the company to report vulnerabilities in a product, and to publish information about this reporting process.
Products must provide information to consumers about how long their products are supported by security updates. Schedule 2 of the PSTI Act requires that this information be expressed in language that consumers who lack technical knowledge can understand.
Manufacturers, importers, and distributors of consumer connectable products need to follow the security requirements laid out by this law. The Act also requires these parties to ensure their product comes with a statement of compliance and to take action if there is a problem with meeting those security requirements.
Products that can be connected to the internet or another network fall within the scope of this regulation. These are Internet of Things devices, which include, but are not limited to:
Connected cameras, TVs, and speakers
Connected children’s toys and baby monitors
Connected safety-relevant products such as smoke detectors and door locks
Internet of Things base stations and hubs to which multiple devices connect
Wearable connected fitness trackers
Outdoor leisure products, such as handheld connected GPS devices that are not wearables
Connected home automation and alarm systems
Connected home appliances like smart refrigerators
Smart home assistants
It is also important to know that the following devices are excluded from the UK PSTI Regulations:
Charge points for electric vehicles
Medical devices (if they fall under the MDR)
Smart meter products
Computer products like desktop, laptop and tablet computers which do not have the capability to connect to cellular networks.
The PSTI Act introduces a self-declaration system overseen by market surveillance authorities. Manufacturers must declare their adherence to the law through a statement of compliance, which must include the information outlined in Schedule 4 of the PSTI Regulations. In practice, this means a competent conformity evaluation of the connectable product must be carried out before the statement of compliance is signed.
The Secretary of State is granted powers to examine products and investigate instances of non-compliance. Manufacturers falsely claiming compliance may face penalties as a result of such investigations. The monetary penalties for non-compliance are described in Part 1, Chapter 3, Section 36 of the PSTI Act. The maximum penalty is either £10 million or “4% of the person’s qualifying worldwide revenue for the person’s most recent complete accounting period”, whichever is greater. The Act also gives the Secretary of State the power to publish information on compliance failures and to recall products that do not comply.
QIMA, through the accredited cybersecurity laboratory of CCLab, offers assessments, testing, certification and consultation to help manufacturers, importers, and distributors effectively demonstrate compliance with Part 1 of the PSTI Act (the product security requirements). We guide you through every step of the compliance process, allowing you to sell your products on the UK market with peace of mind. Work with CCLab to ensure compliance, avoid recalls, and protect your brand reputation.