The cyber risk landscape is rapidly changing as more devices become connected through the Internet of Things. In 2023, there were over 16 billion connected devices worldwide, with the figure expected to grow exponentially every year. This trend emphasizes the significance of the PSTI Bill and IoT security measures.
As this trend continues, governments worldwide are reinforcing their commitment to protect end users’ privacy and safety by introducing a raft of cybersecurity frameworks and measures.
One such initiative is the UK’s Product Security and Telecommunications Infrastructure (PSTI) Bill.
The Bill was first introduced to Parliament in 2021, with the UK Department for Science, Innovation and Technology announcing it will come into force on April 29, 2024.
But what is the PSTI Bill and how does it change IoT security? Who will it apply to and how will it potentially affect your business?
We provide answers to these questions and more.
What is the PSTI Bill?
The Bill consists of two major parts:
- Part 1 – Product Security Measures
  - Contains a regulatory framework to cope with the rapidly changing landscape of cyber threats
- Part 2 – Telecommunication Infrastructure Measures
  - Outlines the UK Government’s ambition of getting faster internet and measures for service providers to implement this ambition
For this article, we’ll exclusively focus on Part 1 – Product Security Measures.
Briefly speaking, Part 1 of the Bill sets out a series of clauses over four chapters.
- Chapter 1: Outlines the essential security requirements and the products they apply to
- Chapter 2: Points out which key actors have to meet these security requirements
  - In this case, “actors” extends to manufacturers, importers, and distributors of connected devices
- Chapter 3: Highlights enforcement actions in cases of non-compliance and the departments that will be responsible for carrying out that enforcement
- Chapter 4: Contains supplemental information and annexes
While the PSTI Bill may come as a surprise to some, it is in line with current and upcoming IoT cybersecurity frameworks in the global legislative pipeline.
Some of these include the EU’s Cyber Resilience Act, NIS2 in the United States, the Cybersecurity Act in Singapore, and the Canadian Digital Charter Implementation Act, amongst others.
Why the Need for a PSTI Bill?
Recent research by the UK government has found that only 1 in 5 manufacturers embed basic security requirements in connectable products. This means that almost 80 percent of all connected consumer products (i.e., smart watches, phones, TVs, fridges, and more) are left exposed to malicious attacks because they keep default passwords, including examples such as the following:
- Password
- Admin
- 1234
- Setup
- router
- user
Before the introduction of the PSTI Bill, there was an unreasonable expectation that ordinary users would shoulder the burden of IoT security, and there was no onus on service providers to prevent privacy and personal data breaches.
However, with mass IoT deployments ramping up and becoming the norm, this Bill could not have come at a better time.
What Are the Requirements of the PSTI?
The three security foundations of PSTI are as follows:
- No more reliance on factory default passwords: passwords should be unique to each device;
- Products must have a clear vulnerability disclosure policy for reporting flaws or bugs;
- Transparency about the length of time for which the product will receive vital security updates
These clauses cover both “internet-connectable products” and “network-connectable products” which can send and receive data without being connected to the internet.
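Of the three foundations, the first is the one a manufacturer can check mechanically before a device leaves the factory. The following Python is an added example, not code from the article or from any official PSTI tooling; it assumes a hypothetical provisioning step that sees each device's serial number and the password it ships with, uses the default passwords quoted above as its deny-list, and runs over a constructed sample fleet.

```python
"""Factory credential policy check modelled on the PSTI 'no default
passwords, unique per device' requirement.

Added example, not from the original article. It assumes a hypothetical
provisioning step that receives each device's serial number and shipping
password, and refuses anything that would violate the requirement.
"""
from __future__ import annotations

import secrets
import string

# Factory defaults quoted in the article. A real deny-list would be far
# larger (e.g. a published list of commonly used credentials).
DEFAULT_PASSWORDS = {"password", "admin", "1234", "setup", "router", "user"}

MIN_LENGTH = 12  # assumed policy minimum; not a figure from the Bill


def is_default_password(password: str) -> bool:
    """True if the password is on the deny-list (case-insensitive)."""
    return password.strip().lower() in DEFAULT_PASSWORDS


def check_fleet(devices: dict[str, str]) -> dict[str, list[str]]:
    """Return {serial: [problems]} for every device that fails the policy.

    `devices` maps a device serial number to the password it ships with.
    Problems reported: a deny-listed default, too short, a password shared
    with another device, or a password trivially derived from the serial.
    """
    seen: dict[str, list[str]] = {}
    for serial, pw in devices.items():
        seen.setdefault(pw, []).append(serial)

    problems: dict[str, list[str]] = {}
    for serial, pw in devices.items():
        found = []
        if is_default_password(pw):
            found.append("factory default password")
        if len(pw) < MIN_LENGTH:
            found.append(f"shorter than {MIN_LENGTH} characters")
        if len(seen[pw]) > 1:
            others = sorted(s for s in seen[pw] if s != serial)
            found.append("password shared with " + ", ".join(others))
        if serial.lower() in pw.lower():
            found.append("password contains the device serial number")
        if found:
            problems[serial] = found
    return problems


def generate_device_password(length: int = 16) -> str:
    """Generate an independent random password for one device.

    Uses the OS CSPRNG via `secrets`. Deriving passwords from the serial
    or MAC address with a fixed formula is the pattern the requirement is
    aimed at: whoever learns the formula can predict every device's
    password, so the passwords are not really unique.
    """
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample fleet: one default, one shared pair, one password
    # built from the serial, and one correctly generated credential.
    fleet = {
        "SN-0001": "admin",
        "SN-0002": "Xk3!pq9Lz2Rtw",
        "SN-0003": "Xk3!pq9Lz2Rtw",
        "SN-0004": "sn-0004pass",
        "SN-0005": generate_device_password(),
    }
    for serial, issues in check_fleet(fleet).items():
        print(serial, "->", "; ".join(issues))
```

The uniqueness check is done across the whole batch rather than per device because a per-device check cannot see that two units share a credential; in practice the same check belongs in the factory database that records which password was burned into which serial.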
Why Do These Sound like the Code of Practice & ETSI EN 303 645?
Even when the first draft of GDPR was published in 2012, IoT product security discussions were already underway in the UK.
These discussions resulted in both the EU and UK publishing a Code of Practice (“Code”) in 2018. This Code outlined 13 provisions for manufacturers to ensure greater cybersecurity of connected products.
Consequently, this Code also influenced standards produced by the European Telecommunication Standards Institute (ETSI): ETSI EN 303 645 Cybersecurity Standard for Consumer IoT Devices.
When published in 2021, ETSI EN 303 645 was the first global cybersecurity standard for consumer IoT products. It presents a series of 68 mandatory and recommended provisions that establish a global security baseline for all consumer IoT cybersecurity.
Who Will the PSTI Bill Affect?
As mentioned earlier, according to Clause 7 of Part 1 of the PSTI Bill, three entities face compliance obligations.
These include manufacturers, importers, and distributors of relevant connectable products.
Clauses 8 – 24 of the Bill set out key duties for these entities including:
- Being aware of, and compliant with, any regulated security requirements;
- Providing certificates of compliance;
- Investigating and resolving compliance failures;
- Communicating details of failures and remedies to consumers and authorities;
- Maintaining records of failures and subsequent investigations
Generally, importers and distributors carry the same responsibilities as manufacturers, with some additional duties. If a product is found to contain vulnerabilities, these actors are also responsible for preventing it from being sold in the UK. In addition, importers and/or distributors must contact manufacturers based outside the UK if those manufacturers fail to comply with any of the clauses.
Noncompliance could result in a variety of penalties as determined by the Department for Science, Innovation and Technology. Each penalty will correspond to the degree of harm caused to the end user.
Principal enforcement actions consist of stop and recall notices and/or public announcements of compliance failures by the offending party. Further noncompliance may also result in significant financial penalties, including potential maximum fines of £10 million or 4% of the business’ global revenue.
How Can You Improve Your IoT Security?
Keep ahead of regulatory changes by making IoT security and data privacy a priority.
These regulations call for tangible change in governance and decision-making within businesses, extending beyond the executive leadership team. Such change can be accomplished by taking a more proactive approach to your security practices, allowing you to anticipate challenges and minimize operational disruptions.
Organizations should also establish and enforce clear security policies and strategies to encourage the development of an organizational culture that values cybersecurity. As such, IT teams cannot stay isolated any longer and should continuously work together with management to enact necessary changes.
Rather than viewing the raft of legislation as a burden, you could also regard these laws as opportunities to improve customer safety and prioritize network security.
Beyond the UK, the international regulatory landscape is continuously adapting to maintain effective legislation in the face of rapid technological advancement.
As cybersecurity and data privacy regulations become more robust, take the opportunity to instill a culture of security in your organization today.