Complying with the Product Security and Telecommunications Infrastructure (PSTI) Act

Introduction

The government has mandated compliance with the Product Security and Telecommunications Infrastructure Act 2022 (PSTI Act) by 29th April 2024. This legislation is crucial for ensuring the security of consumer connectable products in the UK. But do you know what the law covers and what it requires?

What Does the Legislation Require?

The PSTI Act requires manufacturers, importers, and distributors to meet minimum security standards for consumer connectable products available in the UK. The Act establishes a robust regulatory framework to address non-compliance, aiming to protect consumers from cyber threats.

The Current State of Cybersecurity in Consumer Products

Adoption of cybersecurity requirements within consumer products is alarmingly low, with only 1 in 5 manufacturers embedding basic security measures. Despite this, consumers generally assume these products are secure, leaving them vulnerable to exploitation by hackers.

Scope of the Law

This legislation applies to all consumer Internet of Things (IoT) products, including but not limited to:

  • Connected safety-relevant products like door locks
  • Home automation and alarm systems
  • IoT base stations and hubs
  • Smart home assistants
  • Smartphones
  • Smoke detectors
  • Connected cameras
  • Connected fridges, washers, freezers, and coffee machines

Key Security Features Required by the PSTI Act

Elimination of Universal Default Passwords

Consumer IoT devices must not use universal default passwords, that is, a factory-set password shared by every unit of the same model. This measure ensures that each device is configured securely from the outset, so that one widely known credential cannot be used to compromise an entire product line.

Vulnerability Disclosure Policy

Manufacturers must implement a vulnerability disclosure policy. The policy must set out how weaknesses in the product's software can be reported and how the manufacturer will act on those reports, making it more likely that vulnerabilities are properly managed rather than left unaddressed.

Disclosure of Software Update Support

Manufacturers must disclose how long their IoT devices will receive software updates. This transparency ensures that consumers know the security maintenance period of their devices.

Penalties for Non-Compliance

The PSTI Act includes an enforcement regime with civil and criminal sanctions to prevent insecure products from entering the UK market. Non-compliant companies may face:

  • Enforcement Notices: Compliance notices, stop notices, and recall notices
  • Monetary Penalties: Fines up to the greater of £10 million or 4% of the company’s global revenue
  • Forfeiture: Confiscation of stock from manufacturers, importers, or distributors

Steps to Ensure Compliance

Businesses involved in producing or supplying connected IoT products need to:

  1. Understand the PSTI Act and its requirements.
  2. Implement necessary security measures to comply with the legislation.
  3. Ensure all IoT products meet the outlined security standards by the 29th April 2024 deadline.

How SBD’s Secure Connected Device Accreditation Can Help

Secured by Design’s (SBD) Secure Connected Device accreditation scheme, developed in consultation with the Department for Science, Innovation and Technology (DSIT), offers a pathway to compliance. This scheme assesses products against the ETSI EN 303 645 standard, which goes beyond government legislation to ensure comprehensive security.

Benefits of SBD Accreditation

  • Risk Assessment: Identifies the risk level of IoT devices and provides certification recommendations.
  • Third-Party Testing: Ensures products undergo independent certification.
  • Membership: Enables companies to become SBD members, gaining the Secure Connected Device accreditation.
  • Annual Appraisal: Ensures ongoing compliance with evolving government requirements and cyber threats.


The SBD accreditation is the only way for companies to obtain police recognition for their IoT product security in the UK.

Conclusion

Compliance with the PSTI Act is essential for protecting consumers and maintaining the security of IoT products. By understanding the requirements and leveraging SBD’s Secure Connected Device accreditation, businesses can ensure they meet the April 2024 deadline and safeguard their products, reputation, and customers.

Find out more about our RISK MANAGEMENT SERVICES. Or simply contact our friendly team for more information.
