The UK’s landscape for consumer connectable products is undergoing a significant shift with the implementation of the Product Security and Telecommunications Infrastructure (PSTI) Act. This act, coming into effect on April 29, 2024, establishes mandatory cybersecurity requirements for consumer connectable products, commonly referred to as Internet of Things (IoT) devices, offered in the UK market.
This blog serves as a detailed knowledge base for system designers, outlining the key aspects of the PSTI Act and its implications for your design practices.
What is the PSTI Act?
The PSTI Act, enforced by the Office for Product Safety and Standards (OPSS), aims to enhance the cybersecurity posture of consumer connectable products in the UK. It mandates specific security measures for manufacturers, importers, and distributors throughout the supply chain. Non-compliance can lead to substantial financial penalties and reputational damage.
Key Provisions of the PSTI Act
- Enhanced Security Standards: Manufacturers must ensure their products are designed and built with robust security features, adhering to the UK’s Code of Practice for Consumer IoT security, ETSI EN 303 645 standard, and National Cyber Security Centre (NCSC) guidance.
- Ban on Default Passwords: Weak, pre-set passwords like “admin123” are prohibited. Products must come with unique passwords for legal sale in the UK. This applies to new, refurbished, and service-bundled devices like those offered in Managed Print Service contracts.
- Improved Security Vulnerability Reporting: Manufacturers are obligated to establish Vulnerability Disclosure Policies. This requires proactive identification and communication of product security vulnerabilities, alongside mechanisms for third-party reporting of potential risks.
- Transparency in Security Updates: Manufacturers must clearly state the minimum duration for which security updates will be provided for their products. This empowers informed purchasing decisions.
- Statement of Compliance: All marketed products must be accompanied by a formal statement demonstrating adherence to PSTI regulations.
Benefits of the PSTI Act for System Designers
- Clear Cybersecurity Guidelines: The PSTI Act provides a well-defined framework for designing and building secure consumer connectable products. This fosters consistency and reduces ambiguity in the development process.
- Reduced Risk of Security Vulnerabilities: By mandating robust security measures, the PSTI Act helps mitigate the risk of exploitable vulnerabilities in connected devices. This translates to a more secure product ecosystem.
- Enhanced Market Competitiveness: Designing products that comply with the PSTI Act positions you favorably in the UK market, catering to the growing demand for secure and reliable connected devices.
Going Above and Beyond
While the PSTI Act currently incorporates the first three principles of the ETSI EN 303 645 standard, there will likely be future expansions to encompass the standard’s remaining nine principles.
System design engineers and manufacturers are encouraged to go beyond and assess their compliance readiness for these forthcoming requirements. Furthermore, the ETSI EN 303 645 is globally recognized as the IoT Security Standard; adhering to all 12 core principles will improve the security posture of connected products.
Implications for System Design Engineers and Device Manufacturers
The PSTI Act signifies a paradigm shift for system design engineers and device manufacturers in the UK. While adhering to the regulations is crucial, it’s equally important to cultivate a culture of security that prioritizes both consumer protection and long-term benefits for manufacturers.
The Price of Non-Compliance
Failing to comply with the PSTI Act exposes manufacturers to significant risks:
- Financial Penalties: Substantial monetary fines can be imposed, impacting profitability and cash flow.
- Reputational Damage: Public exposure of security vulnerabilities or non-compliance can severely damage brand reputation and consumer trust. In today’s competitive market, regaining trust can be a difficult and costly endeavor.
- Loss of Market Share: Consumers are increasingly security-conscious. Products that lack robust security features or fail to meet PSTI compliance might be shunned by security-savvy customers.
Embracing a Culture of Security
True compliance goes beyond ticking regulatory boxes. It involves a fundamental shift towards designing and building security into the very fabric of connected products. Here’s what this means for system design engineers and device manufacturers:
- Security-Centric Design: Security considerations need to be integrated throughout the entire design process, from initial concept to production. This includes threat modeling, secure coding practices, and vulnerability assessments.
- Robust Security Architecture: Implementing robust security features like strong encryption, secure authentication methods, and regular software updates is crucial.
- Supply Chain Collaboration: Manufacturers must collaborate closely with all stakeholders in the supply chain, ensuring that all partners prioritize security and adhere to PSTI requirements.
- Transparency and Communication: Open communication with consumers about security practices and potential vulnerabilities builds trust and fosters a culture of responsible development.
The PSTI Act presents an opportunity for system design engineers and device manufacturers to establish themselves as leaders in secure and reliable IoT products. By proactively adopting a culture of security, they can ensure compliance, gain a competitive edge, and ultimately build trust with consumers in the UK market.
Reference:
https://www.legislation.gov.uk/uksi/2023/1007/contents/made
https://www.kudelski-iot.com/insights/navigating-the-new-psti-act-a-guide-for-device-manufacturers
