From 29 April 2024 the UK's Product Security and Telecommunications Infrastructure (PSTI) Act 2022, together with the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023, will start shaping how consumer connectable products are secured.
The PSTI Bill became an Act of Parliament on receiving Royal Assent in December 2022. The Regulations that give the Act its detailed effect were made in September 2023 and aim to raise the baseline security of smart products. This is a pivotal moment for manufacturers, importers, and distributors, who now carry legal duties to protect consumers against cyber threats.
Implications for manufacturers and vendors
This regulatory overhaul reaches the core economic actors in the product lifecycle: manufacturers, importers, and distributors of smart products. The Act sets out the responsibilities of each, and gives overseas manufacturers the option of appointing an authorised representative in the UK to carry out duties on their behalf.
Obligations
The Act defines which products fall under the new regime: "relevant connectable products", meaning consumer products that can connect to the internet or to a network, minus a list of excepted product types. Businesses must work through these definitions to establish whether, and how, they are caught.
The Regulations set out the security requirements themselves: no universal default passwords, a published route for reporting security issues, and a published minimum period for security updates. These requirements are the backbone of the framework and target the weaknesses most often exploited in consumer devices.
The PSTI Act and its 2023 Regulations therefore rest on four key principles: three security requirements in the Regulations, plus the statement of compliance that the Act requires to accompany each product. Together they are designed to protect consumers and to push manufacturers, importers, and distributors to build security into products from the outset rather than bolting it on afterwards. Here is a detailed look at each principle:
Passwords must be unique per product, or capable of being defined by the user of the product
This principle means that products must not ship with a universal default password shared across units, nor with credentials that are easily guessable. Each product must either have its own unique password or require the user to set one during initial setup. This directly addresses the well-worn attack in which default or weak passwords are used to gain unauthorised access to a device, often at scale.
Additionally, a unique per-product password must not be based on an incremental counter, must not be based on or derived from publicly available information, and must not be based on or derived from a unique product identifier such as a serial number, unless that derivation uses an encryption method or keyed hashing that is accepted as good industry practice. More generally, it must not be guessable in a way that good industry practice would consider unacceptable.
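The distinction between a forbidden and a permitted derivation is easiest to see in code. The following is an example added to this article, not Pen Test Partners' code and not taken from the Regulations: it shows two derivations that fail the requirement (a counter, and a password cut from the serial number), a keyed derivation of the kind the Regulations allow (HMAC-SHA256 under a factory key that never leaves the manufacturer), a purely random alternative, and a cheap pre-ship audit that catches the explicitly named weak derivations. The factory key, serial numbers, MAC address and model name are constructed sample values, and the audit heuristics are illustrative rather than a compliance test.

```python
"""Per-device default passwords: derivations PSTI rules out versus a keyed one.

Added example; not Pen Test Partners' code. The factory key and the device
identifiers used below are constructed sample values.
"""
import hashlib
import hmac
import re
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, about 5.95 bits each


def weak_counter_password(unit_number: int) -> str:
    """Ruled out: based on an incremental counter. Knowing unit 41's
    password tells an attacker unit 42's."""
    return f"admin{unit_number:04d}"


def weak_serial_password(serial: str) -> str:
    """Ruled out: derived from a unique product identifier with no secret,
    so anyone who can read the label can recompute it."""
    return serial[-6:]


def keyed_password(factory_key: bytes, serial: str, length: int = 12) -> str:
    """Permitted form: derived from the serial with keyed hashing (HMAC-SHA256)
    under a key only the manufacturer holds. The factory line can regenerate
    the password for the label and the firmware image; the serial alone gives
    an attacker nothing.
    """
    tag = hmac.new(factory_key, serial.encode("utf-8"), hashlib.sha256).digest()
    # Map the 256-bit tag to base-62 symbols. Reducing a 256-bit value modulo
    # 62**length introduces bias below 2**-180 for length <= 12.
    n = int.from_bytes(tag, "big")
    chars = []
    for _ in range(length):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def random_password(length: int = 12) -> str:
    """Also permitted: an independent random password per unit, recorded in
    the manufacturing database instead of derived. Nothing links it to the
    device's identifiers at all."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def audit_default_password(password: str, public_identifiers: list[str]) -> list[str]:
    """Illustrative pre-ship check. Flags a password that embeds, or is embedded
    in, a public identifier (serial, MAC, model) under simple normalisation,
    and a password shaped like a fixed prefix plus a run of digits (a counter).
    An empty result is not proof of compliance; it only catches the derivations
    the Regulations name explicitly.
    """
    findings = []
    pw = password.lower()
    for ident in public_identifiers:
        variants = {ident.lower(), re.sub(r"[^0-9a-z]", "", ident.lower())}
        for v in variants:
            if len(v) >= 4 and (v in pw or pw in v):
                findings.append(f"contains or is contained in public identifier {ident!r}")
                break
    if re.fullmatch(r"[A-Za-z]*\d{3,}", password):
        findings.append("fixed prefix plus a run of digits: looks like a counter")
    return findings


if __name__ == "__main__":
    # Constructed sample identifiers for one unit coming off the line.
    serial, mac, model = "PTP-2024-000041", "AA:BB:CC:DD:EE:FF", "SmartPlug-X1"
    public_ids = [serial, mac, model]
    factory_key = b"constructed-factory-key-keep-in-the-HSM"  # assumption: held by the manufacturer only

    candidates = {
        "counter": weak_counter_password(41),
        "serial": weak_serial_password(serial),
        "keyed": keyed_password(factory_key, serial),
        "random": random_password(),
    }
    for name, pw in candidates.items():
        print(f"{name:8s} {pw:14s} {audit_default_password(pw, public_ids) or 'no findings'}")
```

Run it and the counter and serial-derived passwords are flagged while the keyed and random ones pass. The keyed derivation is attractive on a production line because the label printer and the firmware personalisation step only need the serial and the key; the random alternative needs a database lookup instead, but has no dependence on keeping one key secret for the life of the product range.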
Defined length of product support
Manufacturers are required to publish the minimum period during which security updates will be provided for the product, expressed as an end date, so that consumers know how long the product's security will be maintained.
This transparency allows users to make informed decisions regarding the products they choose to purchase and use, understanding the duration of security support and the implications for the product's lifecycle.
Vulnerability disclosure policy
The regulations stipulate that manufacturers must establish a clear and accessible policy for reporting security vulnerabilities. This includes providing detailed information on how consumers or researchers can report potential security issues, along with the expected timelines for acknowledgment and updates on the issue's resolution. Such policies are crucial for a collaborative security posture, encouraging responsible vulnerability disclosure and ensuring that manufacturers can promptly address and mitigate risks.
Mandated statement of compliance
A critical component of the new regime is the requirement for a statement of compliance to accompany every relevant connectable product. This statement must declare that the product meets the applicable security requirements and set out the measures taken to comply with the principles outlined above. Importers and distributors are also held accountable: they must not make a product available on the market unless it is accompanied by this statement.
Furthermore, both manufacturers and importers are obliged to retain a copy of the compliance statement, reinforcing the importance of documentation and accountability in the product supply chain.
These principles represent a strategic framework aimed at enhancing the security of connectable products within the UK. By adhering to these guidelines, stakeholders across the product supply chain can contribute to a safer digital environment for consumers, mitigating the risks associated with cyber threats and vulnerabilities.
The enforcement of the PSTI Act 2022 and the 2023 Regulations marks a pivotal shift towards stricter oversight of connectable consumer product security. Central to this regime is the Office for Product Safety and Standards (OPSS), which, under a memorandum of understanding with the Department for Science, Innovation and Technology (DSIT), has the authority to enforce these new standards from 29 April 2024.
The OPSS is not just tasked with ensuring adherence to the regulations but also with imposing penalties on entities that fail to comply. These penalties are not nominal; they are designed to incentivise compliance and reflect the seriousness with which the UK government views the security of connectable products.
In the event of a breach of the PSTI Act or its accompanying regulations, the penalties can be substantial:
These penalties highlight the financial risks of failing to comply with the UK's product security regulations. They serve as a stark reminder of the importance of embedding robust security measures into connectable products and maintaining a proactive compliance posture.
To avoid these penalties, businesses involved in the manufacturing, importing, or distributing of connectable consumer products must take diligent steps to understand and implement the required security measures. Regulatory compliance in cybersecurity is not a checkbox exercise. It demands a proactive, nuanced approach to meet unique operational needs. This includes ensuring that products meet the stipulated security requirements, establishing clear vulnerability disclosure policies, and maintaining comprehensive records of compliance efforts. The PSTI Act and its regulations offer a structured path to securing connectable products, urging businesses to
The OPSS will leverage its existing processes and relationships to enforce the regulations in a robust and risk-based manner, taking appropriate and proportionate action against non-compliant entities. Businesses are encouraged to visit the OPSS website for information on enforcement activities and guidance on compliance best practices.
If a vendor has a product that doesn't or can't comply, should it stop selling now? This is an important question, because it will take time for stock to run down through the supply chain, and returns from retailers could be significant.
The PSTI Act and regulations are a significant step forward in protecting consumers and end users from cyber harm. Anything that enhances product security in the UK is a good thing.
It's not all about consumer protection though. The benefits to manufacturers and vendors can't be overstated. By adopting a strategic and informed approach to compliance, businesses will not only be compliant, but will also be better equipped to deal with the ever-evolving threat landscape that connected products present.
You can read the Act here.
The post Advice for manufacturers on the coming PSTI regulation first appeared on Pen Test Partners.