The UK’s Product Security and Telecommunication Infrastructure Bill (PSTI Act) received Royal Assent and was passed on 7 December 2022.*1
In this article, we look back over the UK’s product security initiatives to date, explain what new requirements are introduced by the PSTI Act and highlight the key dates manufacturers need to be aware of.
The UK government formulated product security guidelines, which were then standardised and consolidated into the PSTI Act.
In response to the Mirai distributed denial-of-service (DDoS) malware, which had a significant impact on IoT adoption, the UK government created its ‘Code of Practice for Consumer IoT Security’*2 in 2018. The code of practice is a set of guidelines describing the security measures manufacturers of consumer-oriented connected products are required to implement. Following a review of a wide range of security literature*3, the code of practice was compiled into a set of 13 guidelines.
The UK government issued the code of practice and promoted its adoption. It was decided, however, that if manufacturers did not secure their products adequately, legislation would be required.
To further promote adoption of the code of practice, it was translated into multiple languages, including Japanese, French, German, Korean and Chinese,*4 and feedback has been gathered from many regions.
In 2019, the European Telecommunications Standards Institute (ETSI) issued TS 103 645, which included the 13 guidelines, and in 2020 it issued EN 303 645 as a European standard.*5 In essence, the code of practice became the European standard.
In October 2020, the PSTI draft bill was submitted, and in the factsheet*6 issued in November 2021, the first three of the 13 guidelines were indicated as product security requirements.
There will not be a grace period or transitional period before the full set of PSTI requirements comes into effect.
At the time of writing, the requirements, date of enactment and other details are still being decided by the Minister of State for Digital, Culture, Media and Sport (DCMS).
The PSTI Act will also require manufacturers to declare that their products comply with the PSTI requirements before launching them in the UK market. The penalty for violation will be 10 million pounds or 4% of the manufacturer’s total worldwide sales for the most recent financial year (whichever is greater). This is similar to the European Cyber Resilience Act, which we covered in a recent article.
According to the factsheet issued in November 2021 by DCMS, the security requirements in the PSTI Act are expected to include the three measures described below. One is a requirement about the security functions of the products themselves, and the other two are requirements about the product security support offered by manufacturers.
The first requirement concerns the authentication passwords used to access the product. Manufacturers are required either to set a unique password specific to each device or to configure the product so that it is usable only after the user has set a strong password themselves. Although the wording differs, this requirement is similar to Californian state legislation and the Japanese Ministry of Internal Affairs and Communications’ technical compliance requirements.
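The following is an added example, not code from the article or from any regulator or manufacturer it mentions, showing what the two compliant options for the first requirement look like in a device's provisioning and first-boot logic. The factory key, the password-strength rules and the `Device` class are assumptions of the example; the Act itself does not prescribe them. Option 1 derives a credential unique to each unit from its serial number; option 2 ships a shared setup credential but keeps network services disabled until the user replaces it with a strong password.

```python
import hashlib
import hmac
import os
import re

# Constructed placeholder for the factory provisioning secret. A real production
# line would keep this in an HSM; it must never be embedded in the firmware image.
FACTORY_KEY = bytes.fromhex("2b" * 32)

# Credentials shared across every unit of a product line are exactly what the
# first PSTI requirement rules out.
UNIVERSAL_DEFAULTS = {"admin", "password", "123456", "12345678", "root", "default"}


def per_device_password(serial: str, factory_key: bytes = FACTORY_KEY) -> str:
    """Option 1: derive a credential unique to this unit from its serial number.

    HMAC-SHA256(factory_key, serial) gives every unit a different value that can
    be printed on the unit's label; units never share it, and it cannot be
    computed from the serial without the factory key.
    """
    mac = hmac.new(factory_key, serial.encode("utf-8"), hashlib.sha256).digest()
    return mac[:10].hex()  # 20 hex characters, about 80 bits of entropy


def is_strong(password: str) -> bool:
    """Option 2 helper: minimal policy a user-chosen password must satisfy.

    The length and character-class thresholds are assumptions of this example,
    not values from the Act; rejecting universal defaults is the essential part.
    """
    if password.lower() in UNIVERSAL_DEFAULTS or len(password) < 12:
        return False
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(bool(re.search(c, password)) for c in classes) >= 3


class Device:
    """Toy connected product whose network services stay disabled until its
    credential is either unique to the unit or chosen (and strong) by the user."""

    def __init__(self, serial: str, initial_password: str, unique: bool):
        self.serial = serial
        self._salt = os.urandom(16)
        self._pw_hash = self._hash(initial_password)
        # A unique factory credential already satisfies the requirement; a shared
        # setup credential does not, so the device stays locked until replaced.
        self.activated = unique

    def _hash(self, password: str) -> bytes:
        # Slow, salted hash so a dumped credential store is not trivially reversed.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), self._salt, 100_000)

    def login(self, password: str) -> bool:
        return hmac.compare_digest(self._hash(password), self._pw_hash)

    def service_available(self) -> bool:
        """Remote admin/API access is exposed only once the credential requirement is met."""
        return self.activated

    def set_user_password(self, old: str, new: str) -> bool:
        """First-boot flow: a strong, user-chosen password unlocks the device."""
        if not self.login(old) or not is_strong(new):
            return False
        self._pw_hash = self._hash(new)
        self.activated = True
        return True


def provision_unique(serial: str) -> Device:
    """Factory flow for option 1: unique credential, usable out of the box."""
    return Device(serial, per_device_password(serial), unique=True)


def provision_locked(serial: str) -> Device:
    """Factory flow for option 2: shared setup credential, locked until first boot."""
    return Device(serial, "setup", unique=False)


if __name__ == "__main__":
    a = provision_unique("SN-0001")
    print("unique credentials differ:", per_device_password("SN-0001") != per_device_password("SN-0002"))
    print("option 1 device usable out of the box:", a.service_available())
    c = provision_locked("SN-0003")
    print("option 2 device locked until setup:", not c.service_available())
    print("weak password rejected:", not c.set_user_password("setup", "password"))
    print("strong password accepted:", c.set_user_password("setup", "Correct-Horse-77"))
    print("option 2 device now usable:", c.service_available())
```

The point of the `activated` flag is that under option 2 the shared setup credential is never reachable over the network: the only thing it can do is authorise the first-boot password change, after which it is gone. Under option 1 the unit is usable immediately because no other unit in the world shares its credential.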
The second requirement relates to manufacturers’ vulnerability response systems. Manufacturers are required to make a contact point available for the reporting of vulnerability information from external researchers, security researchers, etc., and to receive feedback from the market. They must publish their vulnerability disclosure policy (including the response time from receipt of a vulnerability report to resolution of the problem, status updates to the reporter, etc.). In effect, a PSIRT (Product Security Incident Response Team) must be implemented.
The third requirement relates to a manufacturer’s product security support policy. Manufacturers are required to state the minimum length of time for which their products will receive security support (guidance in the case of security problems, and product updates) and the end-of-support date. Most manufacturers typically stipulate a one-year warranty period and a ten-year maintenance period, but the requirement to specify a security maintenance period is new.
Manufacturers are not expected to provide security maintenance free of charge and are permitted to charge a fee. However, unlike simply stocking spare parts, they must establish a software maintenance process that can address vulnerabilities discovered after shipment and deliver product updates.
The applicable products are described as ‘internet-connectable’ or ‘network-connectable’ products, but the Act does not mention them in specific detail. According to the above-mentioned factsheet, the products covered by the Act include, but are not limited to the following:
Products not covered by the Act are devices and equipment for which security requirements have already been defined, such as smart meters, charging points for electric vehicles, medical devices and equipment, and industrial control system devices.
The Act applies to the following:
The timing of the enforcement of the PSTI Act is left to the Secretary of State, including the decision whether to include a transitional period. The factsheet states that the government will ‘provide at least 12 months’ notice’ to enable relevant parties to adjust their business practices before the legislative framework fully comes into force. The Act will be enforced in December 2023 at the earliest, and the preparatory time to develop systems to introduce the required security measures is rapidly running out.
The recently established PSTI Act still has some uncertainties, such as the specific security measures that will be required. However, based on the information available during the consideration phase, it can be described as a law that requires manufacturers to improve product security.
In fact, the Act does not demand a great deal regarding the robustness of product security; care has been taken not to introduce overly burdensome product design specifications. On the other hand, the Act does require manufacturers to establish maintenance systems for security measures after product shipment, including setting up contact points to receive vulnerability information, providing security updates and keeping a record of addressed vulnerabilities. The PSTI Act clarifies where the responsibility lies for the security quality of connected devices and is expected to be clarified further by the addition of more security requirements in the future.
Besides the PSTI Act, other product security regulations and standards are being created. Manufacturers need to monitor the regulatory landscape in the countries and regions where they are considering doing business and ensure the security of their products meets or exceeds the requirements of the latest regulations and standards.