James Harding explores the forthcoming Product Security and Telecommunications Act. He asks how it would protect the public from IoT flaws and what technical measures market participants need to enact.

The Product Security and Telecommunications Act 2022 (PSTI) marks a pivotal advancement in UK Internet of Things (IoT) legislation. As you read on, we’ll focus on enhancing the security of connectable consumer products, commonly called IoT or smart devices.

The PSTI Act received royal assent in December 2022, following which the government published a complete draft in April 2023. The regulations were signed into UK law on the 14th of September 2023.

To give affected manufacturers, importers and distributors time to comply with the new Act, a 12-month grace period was allowed before the regulations were enforced — a grace period which lapses in April 2024, with the legislation enforced from the 29th of April 2024.

The PSTI Act is primarily concerned with consumer-connectable products, defined as devices capable of internet or network connections for digital data transmission and reception. Although the main focus is on consumer products, specific business-to-business connected devices also fall under this legislation. Conversely, a small subtype of consumer-connected devices is exempt from the Act to prevent double regulation. Stakeholders across the connectable product ecosystem must familiarise themselves with the Act in order to comply with it.

Key requirements of PSTI

The legislation introduces three fundamental cybersecurity measures aligned with the first three requirements of the ETSI EN 303 645 standard, recognised globally as the IoT Security Standard. These three requirements are:

  • Passwords: passwords must be unique per device or defined by the user; universal default passwords are not permitted
  • Security issue reporting: manufacturers must provide explicit instructions to consumers on when and how to report product security concerns
  • Security updates: manufacturers must disclose the minimum period for which security updates will be available

Additionally, the Act mandates record keeping of compliance investigations, underscoring the importance of documentation in maintaining security standards.

Further detailed requirements are also outlined in the Act to improve the cyber security of connected devices. Manufacturers, importers and distributors of devices covered by the Act should familiarise themselves with the details to ensure compliance.

Why are these elements important?

Passwords

Universal default passwords on devices have long been recognised as one of the core vulnerabilities in consumer-connected devices. A shared or weak default password makes the device, and potentially the network it is connected to, susceptible to being breached.
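The password requirement is the one of the three that a manufacturer can verify mechanically at provisioning time. The check below is an added illustration, not code from the article or from any vendor: it audits a batch of factory-assigned device credentials and rejects any that are a well-known universal default, that are shared by more than one device in the batch, or (going slightly beyond the three cases the article names, as an assumption about what "unique per device" should mean in practice) that are trivially derived from the serial number or form an incrementing counter sequence. The device records and the default-password list are constructed sample data.

```python
"""Provisioning-time audit of factory-assigned device passwords.

Added example, not the article's or any manufacturer's code. Flags the
credential patterns that defeat the 'no universal default passwords'
requirement: a known default, a password reused across devices, a password
derivable from the serial number, or a batch whose passwords are an
incrementing counter.
"""
import re
from collections import Counter

# Constructed, illustrative list of factory defaults; a real list would be
# far larger and maintained by the manufacturer.
KNOWN_DEFAULTS = {"admin", "password", "12345678", "default", "1234"}


def derived_from_serial(password, serial):
    """True if the password visibly embeds the serial number (or its last six
    characters), which makes it guessable from the label on the device."""
    s, p = serial.lower(), password.lower()
    return s in p or (len(s) >= 6 and s[-6:] in p)


def counter_runs(passwords):
    """Return the set of passwords that share a prefix with another password
    and differ from it only by a consecutive numeric suffix, e.g.
    'device0007' / 'device0008'. Such batches are unique on paper but
    trivially enumerable."""
    groups = {}
    for pw in passwords:
        m = re.fullmatch(r"(.*?)(\d+)", pw)
        if m:
            groups.setdefault(m.group(1), []).append((int(m.group(2)), pw))
    flagged = set()
    for items in groups.values():
        numbers = {n for n, _ in items}
        for n, pw in items:
            if n + 1 in numbers or n - 1 in numbers:
                flagged.add(pw)
    return flagged


def audit_batch(records):
    """records: list of {'serial': str, 'password': str}.
    Returns a list of (serial, reason) findings; an empty list means the
    batch contains none of the patterns checked here."""
    findings = []
    counts = Counter(r["password"] for r in records)
    runs = counter_runs([r["password"] for r in records])
    for r in records:
        pw, serial = r["password"], r["serial"]
        if pw.lower() in KNOWN_DEFAULTS:
            findings.append((serial, "known universal default"))
        if counts[pw] > 1:
            findings.append((serial, "shared by more than one device"))
        if derived_from_serial(pw, serial):
            findings.append((serial, "derivable from serial number"))
        if pw in runs:
            findings.append((serial, "part of an incremental counter sequence"))
    return findings


def batch_passes(records):
    """Convenience wrapper: True only when the audit raises no findings."""
    return not audit_batch(records)


# Constructed sample batch exercising each failure mode plus two clean devices.
SAMPLE_BATCH = [
    {"serial": "SN1000", "password": "admin"},          # universal default
    {"serial": "SN1001", "password": "Zt7!qLm4Vx9p"},   # fine on its own...
    {"serial": "SN1002", "password": "Zt7!qLm4Vx9p"},   # ...but reused here
    {"serial": "SN1003", "password": "cam-SN1003"},     # derived from serial
    {"serial": "SN1004", "password": "device0007"},     # counter run with SN1005
    {"serial": "SN1005", "password": "device0008"},
    {"serial": "SN1006", "password": "h2B#n8RkW3qe"},   # fine
]

if __name__ == "__main__":
    for serial, reason in audit_batch(SAMPLE_BATCH):
        print(f"{serial}: {reason}")
    print("batch passes" if batch_passes(SAMPLE_BATCH) else "batch rejected")
```

Run against the sample batch, the audit reports six findings across five devices and rejects the batch; only SN1006 (and SN1001 had its password not been reused) would pass. The serial-derivation and counter checks are deliberately conservative, since a password that is unique but predictable gives the consumer none of the protection the requirement is meant to provide.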

Security issue reporting

Consumers are often the first to encounter security issues. Ensuring consumers know how to communicate these efficiently to the relevant manufacturer, importer, or distributor allows for early detection and remediation before the vulnerability can be exploited.

Security updates

Knowing the duration of security support allows consumers to assess a product's longevity and security posture, so they can make informed decisions when purchasing IoT devices. By clearly stating the period of update availability, this mandate helps reduce the number of devices left unprotected and susceptible to being compromised.

Going above and beyond

While the PSTI Act currently incorporates the first three principles of the ETSI EN 303 645 standard, there will likely be future expansions to encompass the standard's remaining nine principles. These include:

  • Secure data storage
  • Secure communication
  • Minimising attack surfaces
  • Ensuring software integrity
  • Protecting personal data
  • Device resilience
  • System telemetry monitoring
  • Simplified device maintenance
  • Data input validation

Manufacturers, importers and distributors are encouraged to go above and beyond and assess their compliance readiness for these forthcoming requirements. Furthermore, the ETSI EN 303 645 is globally recognised as the IoT Security Standard; adhering to all 12 core principles will improve the security posture of connected products.

Compliance penalties

Non-compliance with the PSTI Act carries severe financial implications, with penalties reaching up to 4% of global turnover or £10 million. The legislation also empowers authorities to issue directives for corrective actions, stop notices, recall notices for non-compliant devices sold after the enforcement date, and to prohibit the sale or distribution of non-compliant products until the issues are rectified.


Consumer impact

The PSTI is designed to improve the security of consumer-connected products. From 29th April 2024, when the requirements come into full effect, manufacturers, importers and distributors must ensure their products comply before they can be offered for sale in the UK market.

The Act has no retrospective effect on consumer-connected products sold before this date, but it would be sensible for consumers to ensure that any previously purchased connected devices have secure and unique passwords assigned. Most devices will allow the owner to set a new device password. Similarly, it is essential to know if currently owned connected products are still receiving updates to address any identified security vulnerabilities and whether these are applied automatically or require manual intervention. The relevant manufacturer, importer or distributor should be able to provide appropriate guidance on these topics.

Limitations

The PSTI is undoubtedly a step in the right direction for improving the security landscape of consumer-connected devices. Although the other nine ETSI EN 303 645 principles are expected to be incorporated into UK legislation later, their absence highlights the main limitation of the current PSTI compared with globally accepted IoT security standards. One of these nine principles is ‘simplified device maintenance’; because it is not part of the initial PSTI, some users may find it challenging to check the security status of their device.

Summary

The PSTI introduces critical measures to safeguard connectable consumer products against cyber threats. Whilst the Act begins to align UK legislation with ETSI EN 303 645, it is essential to understand that these measures are part of a broader set of requirements to ensure product security, and the legislation gives the Secretary of State powers to specify and amend these requirements.

About the author

James Harding is passionate about IoT and is a Technical CSM for Green Custard, an AWS Advanced Tier Partner and IoT Specialist Consultancy. He works with a broad selection of clients, helping them and their end consumers benefit from IoT and IIoT.