How Does the PSTI Act Affect IoT?

Eseye

IoT Hardware and Connectivity Specialists

LinkedIn

Whether intended for consumer or business use, IoT devices need to be mass produced, easy to set up, and able to work in a wide variety of environments and configurations. As a result, cybersecurity in IoT is often seen as a compromise in terms of cost, productivity, or convenience – a compromise not many manufacturers or enterprises are willing to take.

But while this has been the status quo for the early years of IoT adoption, regulators are catching on and new legislation coming into force in 2024 will force participants in the IoT ecosystem to take security seriously.

The sorry state of cybersecurity in IoT

According to the IoT Security Foundation’s (IoTSF’s) “State of Vulnerability Disclosure Policy (VDP) Usage in Global Consumer IoT in 2023” report released in November 2023 and the sixth in a series, over 76% of device manufacturers do not have a vulnerability disclosure policy. In fact, of the 121 new device manufacturers added to the 2023 cohort, over 95% do not have such a policy.

Another recent survey, from Viakoo, found that 50% of companies have experienced an IoT cyber incident in the last 12 months, of which 44% were serious, and 22% threatened business operations.

The message coming through loud and clear is that not enough is being done by manufacturers or those companies deploying IoT projects with regards to security – an attitude the world’s regulators are no longer tolerating.  

What is the Product Security and Telecommunications Infrastructure (PSTI) Act?

The Product Security and Telecommunications Infrastructure (PSTI) Act, introduced in 2022, is a pivotal legislative framework designed to address the evolving landscape of digital security in IoT ecosystems in the UK. It comes into power April 29, 2024 and covers two important parts of legislation:

• Part 1 of the Bill will require manufacturers, importers and distributors to comply with new security requirements relating to consumer connectable products.

• Part 2 of the Bill will create an enforcement regime with civil and criminal sanctions aimed at preventing insecure products from being made available on the UK market.

Make no mistake, although there are references to ‘consumer IoT products’, all businesses in the IoT supply chain must ensure they are equipped to tackle potential security vulnerabilities and threats, and make certain their products meet the PSTI requirements.

What are the three requirements that make an IoT product compliant?

Connected devices and IoT products must adhere to three security requirements:

1. A unique password for every product
2. Manufacturers to provide guidance on reporting product security issues
3. Consumers to be made aware of minimum security update periods

More information about each of these can be found on the Gov.UK website.

Together the PSTI Act and PSTI Regulations work together to ensure that consumer-connectable products are more secure against cyber-attacks, protecting privacy and security.

What actions can be taken against companies failing to comply?

The Government’s Office for Product Safety and Standards (OPSS) enforces the UK’s product safety regulations and aims to protect consumers and businesses alike from product-related harm. OPSS is authorized to take “appropriate and proportionate measures” against those that fail to comply with the PSTI Act 2022 and PSTI Regulations 2023.

Why is it important to embed security requirements into consumer IoT products?

Embedding security requirements into consumer IoT products is essential for protecting user privacy, ensuring data integrity, preventing unauthorized access, and maintaining consumer trust in an increasingly interconnected and vulnerable digital landscape.

In both consumer and business environments, this vast web of unsecured cloud-connected IoT and M2M devices significantly increases the risk surface of any organization, because unsecured devices all serve as jumping-off points for hackers, state-sponsored terrorists, and other threat actors to get access to much more sensitive parts of your infrastructure.

The security of IoT products is crucial for ten reasons:

1. Privacy protection

Consumer IoT devices often collect and transmit sensitive personal information. Embedding security measures helps safeguard this data from unauthorized access, protecting user privacy.

2. Data integrity

Security requirements ensure the integrity of the data generated and transmitted by IoT devices. Tampering or unauthorized modifications can be prevented, maintaining the reliability of the information collected.

3. Prevention of unauthorized access

Many IoT devices, such as smart home devices or wearables, are interconnected, creating a potential attack path. Security measures prevent unauthorized access, reducing the risk of unauthorized control or manipulation of devices.

4. Protection against cyberattacks

IoT devices are attractive targets for cybercriminals. Embedding security features helps protect against various cyber threats, including malware, ransomware, and distributed denial-of-service (DDoS) attacks, which could disrupt device functionality or compromise user data.

5. Safety concerns

Some IoT devices, such as those used in healthcare or smart home security systems, may have direct implications for user safety. Ensuring the security of these devices is essential to prevent potential physical harm or unauthorized control. A compromised connected light bulb is a very different threat to an IoT-enabled insulin pump.

6. Consumer trust and confidence

Security breaches can lead to a loss of consumer trust. By embedding robust security measures, manufacturers demonstrate a commitment to protecting their customers, which enhances brand reputation and consumer confidence.

7. Legal and regulatory compliance

Many regions have introduced regulations and standards related to IoT security. Complying with these requirements not only helps avoid legal consequences but also ensures that products meet industry standards for security. In the EU, the Cyber Resilience Act (CRA) is progressing into its final stages, and various cyber security frameworks in the US, such as National Institute of Standards and Technology (NIST), already recommend or mandate various security policies.

8. Long-term viability

As IoT devices become more integrated into daily life, the longevity and success of these products depend on their ability to withstand evolving cybersecurity threats. Embedding security requirements helps future-proof products and ensures ongoing protection.

9. Network security

IoT devices are often connected to networks, and vulnerabilities in one device can potentially compromise the entire network. Implementing security measures in IoT products contributes to overall network security and prevents the spread of threats.

10. Reducing the attack surface

By integrating security features from the design stage, manufacturers can minimize the potential attack surface of the IoT devices. This involves reducing vulnerabilities and making it more challenging for malicious actors to exploit weaknesses.

Is your IoT PSTI-compliant?

Find out how to build cyber security resilience into your IoT products and comply with the PSTI Act and Regulations.

Download whitepaper

Select to view linkedin profile Select to view twitter profile Select to view facebook profile Select to view youtube profile

Eseye

IoT Hardware and Connectivity Specialists

LinkedIn

Eseye brings decades of end-to-end expertise to integrate and optimise IoT connectivity delivering near 100% uptime. From idea to implementation and beyond, we deliver lasting value from IoT. Nobody does IoT better.

In this article

• The sorry state of cybersecurity in IoT
• What is the Product Security and Telecommunications Infrastructure (PSTI) Act?
• What are the three requirements that make an IoT product compliant?
• What actions can be taken against companies failing to comply?
• Why is it important to embed security requirements into consumer IoT products?