Navigating the new UK IoT legislation | BCS – BCS

3 minutes, 4 seconds Read

The Product Security and Telecommunications Act 2022 (PSTI) marks a pivotal advancement in UK Internet of Things (IoT) legislation. As you read on, we’ll focus on enhancing the security of connectable consumer products, commonly called IoT or smart devices.

The PSTI Act received royal assent in December 2022, following which the government published a complete draft in April 2023. The regulations were signed into UK law on the 14th of September 2023.

To enable affected manufacturers, importers and distributors time to comply with the new Act, a 12 month grace period was allowed before the regulations were enforced — a grace period which lapses in April 2024, with the legislation enforced from the 29th of April 2024.

The PSTI Act is primarily concerned with consumer-connectable products, defined as devices capable of internet or network connections for digital data transmission and reception. Although the main focus is on consumer products, specific business-to-business connected devices also fall under this legislation. Similarly, a small subtype of consumer-connected devices are exempt from the Act to prevent the occurrence of double regulation. To ensure compliance, the connectable product ecosystem stakeholders must familiarise themselves with and comply with the Act.

Key requirements of PSTI

The legislation introduces three fundamental cybersecurity measures aligned with the first three requirements of the ETSI EN 303 645 standard, recognised globally as the IoT Security Standard. These three requirements are:

  • Passwords: mandates unique passwords per device or allows user-defined passwords; there are no universal default passwords
  • Security issue reporting: mandates manufacturers to provide explicit instructions to consumers on when and how to report product security concerns
  • Security updates: mandates manufacturers to disclose the minimum period for security updates availability

Additionally, the Act mandates record keeping of compliance investigations, underscoring the importance of documentation in maintaining security standards.

Further detailed requirements are also outlined in the Act to improve the cyber security of connected devices. Manufacturers, importers and distributors of devices covered by the Act should familiarise themselves with the details to ensure compliance.

Why are these elements important?

Passwords

Universal default passwords on devices have long been recognised as one of the core vulnerabilities in consumer-connected devices. Unsafe passwords make the device and potentially the associated network susceptible to being breached.

Security issue reporting

Consumers are often the first to encounter security issues. Ensuring consumers know how to communicate these efficiently to the relevant manufacturer, importer, or distributor allows for early detection and remediation before the vulnerability can be exploited.

Security updates

Knowing the duration of security support allows consumers to assess a product’s longevity and security posture, so they can make informed decisions when purchasing IoT devices. By clearly stating the period of update availability, this mandate helps reduce the number of devices left unprotected and susceptible to being compromised.

Going above and beyond

While the PSTI Act currently incorporates the first three principles of the ETSI EN 303 645 standard, there will likely be future expansions to encompass the standard’s remaining nine principles. These include:

  • Secure data storage
  • Secure communication
  • Minimising attack surfaces
  • Ensuring software integrity
  • Protecting personal data
  • Device resilience
  • System telemetry monitoring
  • Simplified device maintenance
  • Data input validation

Manufacturers, importers and distributors are encouraged to go above and beyond and assess their compliance readiness for these forthcoming requirements. Furthermore, the ETSI EN 303 645 is globally recognised as the IoT Security Standard; adhering to all 12 core principles will improve the security posture of connected products.

Compliance penalties

Non-compliance with the PSTI Act carries severe financial implications, with penalties reaching up to 4% of global turnover or £10 million. The legislation also empowers authorities to issue directives for corrective actions, halt notices, recall notices for non-compliant devices sold post the date of enforcement, and to prohibit the sale or distribution of non-compliant products until issues are rectified.

This post was originally published on the 3rd party site mentioned in the title of this this site

Similar Posts