The proliferation of network-connected products and a competitive industry has flooded the market with unsecure smart devices. Not only does this put the owners at risk, but it also enables the creation of botnets that can be used for malicious activities.
There have been numerous examples of the damage that unsecure smart devices can do. In 2016, more than 2,000 routers and smart cameras were co-opted into the Mirai botnet to launch DDoS attacks. The same year, hackers shut down the smart heating systems in apartments in Finland. Kaspersky recently reported there had been 1.5 billion attacks against internet of things (IoT) devices in the first half of 2021; more than double the number from the previous six months.
By 2020, the average UK household had nine network-connected devices, ranging from smartphones and internet-connected doorbells to smart speakers and tablets. Unfortunately, these devices can sometimes be poorly secured, potentially leaving their owners vulnerable to attack. A recent study by the Internet of Things Security Foundation revealed that, as of last year, only 27% of manufacturers have systems for disclosing security vulnerabilities.
Legislation mandating adequate cyber security measures has been a long time coming. It had been hoped that market forces would drive improvements in that area, but that has evidently not been the case. “The average consumer does not have an understanding of selecting products based on improved cyber security,” says Ken Munro, partner and founder of Pen Test Partners. “There was a market failure there, which the PSTI Act is partly designed to fix.”
To counter the proliferation of unsecure devices, as well as making provisions regarding the country’s telecommunications infrastructure, the UK government has enacted the Product Security and Telecommunications Infrastructure (PSTI) Act 2022. As the name implies, the act is split into two parts, with the first part focused on device security. Accompanying this is the Security Requirements for Relevant Connectable Products Regulations 2023.
“The new regime will be the first anywhere in the world to require minimum cyber security requirements before consumer connectable products are made available for sale to UK customers,” said a spokesperson for the Department for Science, Innovation, and Technology.
“From next April, a raft of transformative new measures will be introduced, including the banning of universal default and easily guessable passwords, a public point of contact to report vulnerabilities on devices directly to manufacturers, and a requirement to provide information about the minimum length of time for a product’s security update lifecycle.”
PSTI Act
The PSTI Act mandates that organisations responsible for smart devices in the UK should have, at the very least, the following provisions in place:
- No default passwords on their devices.
- Vulnerability disclosure policy.
- Transparency about the duration for which the product will receive security updates.
The PSTI Act goes to great lengths to incorporate anything that is connected to a network or the internet. This includes, among other things; smart phones, wearable products, IoT devices, children’s toys, internet routers, smart appliances and home assistants.
As part of the PSTI Act, the Secretary of States now has the power to enforce security requirements to devices that can be connected to a network or the internet. The first clause of the PSTI Act reads:
Power to specify security requirements
- The Secretary of State may by regulations specify requirements (“security requirements”) for the purpose of protecting or enhancing the security of:
- relevant connectable products made available to consumers in the United Kingdom;
- users of such of products
- A security requirement is a requirement that:
- relates to relevant connectable products or relevant connectable products of a specified description, and
- applies to relevant persons or relevant persons of a specified description.
- The Secretary of State may by regulations specify requirements (“security requirements”) for the purpose of protecting or enhancing the security of:
It is also worth noting that “relevant persons” does not just relate to manufacturers of smart products. Clause 7 states that importers and distributors are also responsible for ensuring that the smart technologies they handle are appropriately secure. Therefore, organisations cannot seek to bypass manufacturing restrictions by importing cheaper products from outside the UK borders.
Relevant persons
2. “Relevant person”, in relation to a relevant connectable product, mean any of the following:
- a manufacturer of the product;
- an importer of the product;
- a distributor of the product.
The core power that the Secretary of States has in the PSTI Act is their ability to issue compliance notices to manufacturers, importers and distributors. Cyber security is no longer simply advisory or just good practice, but is legally enforceable.
Power to deem compliance with security requirements
- The Secretary of State may by regulations provide that a relevant person is to be treated as having complied with a security requirement relating to a relevant connectable product if specified conditions are met.
- The conditions that may be specified under subsection (1) include, among other things, the following:
- that the product conforms to a specified standard;
- that the relevant person otherwise meets any requirements imposed by a specified standard;
And the standards that may be specified include standards set by a person or body outside the UK.
There is no mention of reconditioned products or the distribution of second-hand products in the legislation. Companies often sell older equipment that is no longer supported by their warranty and use the subsequent income for new equipment or donate it to charities. Likewise; repairing, reconditioning and redistributing is cost-efficient, while minimising e-waste and potentially toxic materials going into landfill.
However, recycling older devices can potentially extend a product’s life beyond its intended span and its associated support from the manufacturer, such as security updates, making it potentially vulnerable to attack. According to a spokesperson for the Department for Science, Innovation, and Technology: “Though second-hand products won’t be covered by the legislation, the law will cover products that are refurbished or reconditioned and made available for sale as new.”
It is important to be aware that compliance notices do not just apply to the actual product, but also to the organisations that are manufacturing, importing or distributing smart devices. This is similar to White House Memorandum M-22-18, which required all organisations supplying software to the US government to be secure.
The PSTI Act also gives the Secretary of State to issue Stop Notices and Recall Notices. Any organisations covered by this act can be forced to either stop selling specified products, or be forced to recall specified products. This is similar to how cars can be recalled.
The PSTI Act was given Royal Assent in December 2022 and has a grace period of 12 months, allowing organisations to ensure they have the necessary systems and policies in place, before the legislation comes fully into force in December 2023.
When the grace period comes to an end, organisations that fail to comply with the PSTI Act will be held accountable. The financial penalties include fines of up to £10m or 4% of the person’s worldwide revenue, whichever is higher.
There has been concern that the PSTI Act will stifle innovation by adding an extra financial burden to new startups and emerging technologies. However, by mandating minimum security requirements, it will encourage innovation in security, while mitigating a prevalent weakness in the UK’s security posture.
“What it will do is totally remove some of the cheap and very insecure products in the market,” says Munro. “By removing competitors that compete on price and not on security, it drives the market in a more secure way. It is very difficult for a large provider who uses good security, which cost money to do well, if they’re being undercut by a brand that doesn’t do cyber security and are half the price.”
The PSTI is indicative of a fundamental shift in how governments approach cyber security. In 2019, the EU’s Cybersecurity Act established a European cyber security certification framework for ICT products and services, as well as giving the EU Agency for Network and Information Security a permanent mandate. A year later, the California Senate Bill 327 came into force, protecting user data on devices sold in California.
“To my mind, the EU cyber security bill is more prescriptive; there’s more detail behind it in terms of the standards required,” he says. “It’s pushing manufacturers in the direction towards a standard called ETSI EN 303 645, which is a good standard for IoT cyber security.”
More than anything else, the PSTI Act is creates a regulatory framework allowing the secretary of state to legally enforce security requirements that are issued through supplementary material, rather than imposing the requirements in the legislation itself. This ensures that the PSTI act can be easily updated to keep pace with modern advances in security technologies.
“Regulation and legislation are great, but they’re useless if no one is prepared to enforce them,” says Munro. “We have to be prepared to take action, otherwise, the PSTI Act will be a damp squib.”