



On 29 April this year, the Product Security and Telecommunications Infrastructure (PSTI) Act was enacted in the United Kingdom. Manufacturers of consumer-grade IoT products sold in the UK are now mandated to stop using easily guessable default passwords and to implement a vulnerability disclosure policy. The Act stipulates that each product must come with a unique, secure password that is not based on incremental counters, publicly available information, or unique product identifiers. The password must not be easily guessable, and all users must have the ability to change any password. The UK Department for Science, Innovation and Technology (DSIT) explained:


“The manufacturer must provide information on how to report to them security issues about their product. The manufacturer must also provide information on the timescales within which an acknowledgement of the receipt of the report and status updates until the resolution of the reported security issues can be expected by the person making the report. This information should be made available without prior request in English, free of charge. It should also be accessible, clear and transparent.”




According to DSIT, the PSTI sets out predetermined security requirements: actions that relevant businesses in the IoT device supply chain must take, or criteria that an IoT product must meet, in order to address security issues and eliminate potential vulnerabilities. These requirements fall into three categories – passwords, reporting and updates.




Passwords must be unique for each product or capable of being defined by the user.

The PSTI also stipulates that unique passwords must not be based on incremental counters, publicly available information, or unique product identifiers, such as a serial number, unless encryption or keyed hashing algorithms accepted as good industry practice are used. Passwords must also not be easily guessable.
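The password rule above draws a line between a default password that is a plain function of a public identifier (non-compliant) and one derived from that identifier with a keyed hash under a manufacturer secret (the carve-out the Act allows). The following is an added illustration, not code from the page or from any regulator; the provisioning key, the serial numbers and the small blocklist are constructed values.

```python
import hashlib
import hmac
import string

# Constructed example values: a manufacturer provisioning key and a tiny
# blocklist. A real key would be generated and held in the factory's HSM,
# never stored on the device or printed on its label.
PROVISIONING_KEY = bytes.fromhex("00" * 16 + "ff" * 16)
COMMON_DEFAULTS = {"admin", "password", "12345678", "0000", "1234", "default"}
ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def weak_default_password(serial: str) -> str:
    """Non-compliant scheme: the password is an unkeyed function of a public
    product identifier, so anyone who reads the serial off the label can
    recompute it. Shown only as the 'before' case."""
    return hashlib.sha256(serial.encode()).hexdigest()[:8]


def keyed_default_password(serial: str, key: bytes, length: int = 12) -> str:
    """Per-device default password from a keyed hash (HMAC-SHA256) over the
    serial. The serial may be public; without the manufacturer key the
    output is unpredictable, which is what the PSTI carve-out requires."""
    digest = hmac.new(key, serial.encode(), hashlib.sha256).digest()
    n = int.from_bytes(digest, "big")  # 256-bit integer, base-62 encoded below
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        out.append(ALPHABET[idx])
    return "".join(out)


def is_easily_guessable(password: str, serial: str) -> bool:
    """Checks a candidate default password against the exclusions the Act
    names: too short, on a common-default list, visibly derived from the
    product identifier (serial appears in it or vice versa), or made of a
    trivially repeated pattern."""
    p, s = password.lower(), serial.lower()
    if len(password) < 8 or p in COMMON_DEFAULTS:
        return True
    if s in p or p in s:
        return True
    if len(set(password)) <= 2:  # e.g. "00000000" or "ababab"
        return True
    return False
```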



Manufacturers must provide clear information on how to report security issues concerning their products. They must also provide details on the expected timeframes for acknowledging receipt of a report and giving status updates until the issue is resolved. This information should be accessible without prior request, free of charge, in English, and presented clearly and transparently.




Manufacturers must publish and provide information on the minimum security update periods, including the length of time security updates will be available and the end date.

Again, this information should be freely accessible in English without prior request and comprehensible to users with little or no technical knowledge.




The PSTI Act covers a wide range of internet- and network-connectable products, including "smart" IoT devices such as:


· TVs, streaming devices, and speakers
· game consoles, smartphones, and tablets
· base stations and hubs
· home automation and alarm systems
· wearables like smartwatches and fitness trackers
· home appliances such as thermostats, light bulbs, fridges, and home assistants
· security devices like doorbells, security cameras, and baby monitors
· children's toys




The UK National Cyber Security Centre (NCSC) has created a 'point of sale' (POS) leaflet for retailers to distribute to their customers in-store. This leaflet explains how the PSTI regulation impacts consumers and highlights the importance of selecting smart products that safeguard against common cyberattacks. Retailers are encouraged to download and print the POS leaflet from the link provided below for free distribution.

The NCSC has collaborated with major retailers to produce co-branded versions of these materials. Retailers interested in adding their own organization's name or logo to the leaflet should contact the NCSC directly at




The Office for Product Safety and Standards (OPSS) will be responsible for enforcing the PSTI Act as of 29 April. As part of the Department for Business and Trade, OPSS already enforces the UK’s existing product safety regulations. OPSS will leverage its established processes and relationships to enforce the UK product security regime effectively, using a robust and risk-based approach. It will take appropriate and proportionate action against businesses that fail to comply with their obligations. Non-compliance with the Act constitutes a criminal offence, with penalties of up to £10 million or 4% of qualifying worldwide revenue, whichever is higher. Rocio Concha, Director of Policy and Advocacy at UK’s consumer champion Which?, said:


“This legislation must now be backed by strong enforcement, including against online marketplaces that are flooded with insecure products, to prevent consumers purchasing internet-connected devices that threaten their security and may leave them needing to replace otherwise usable products.”


With ‘Innovation through Collaboration’ at the heart of Cyber London, we believe it is essential to focus on the technologies that will be in most demand over the next few years. With predictions that there will be more than 30 billion IoT and smart devices on the planet by 2030, these products and their users deserve the best security and protection against cybercrime. We are also aware that SMEs are particularly vulnerable when it comes to IoT adoption. Izak Oosthuizen, Founder and CEO of IT Support and Cybersecurity company Zhero, said:


“People are spellbound by the ‘magic’ of connectivity and big data associated with IoT. They forget security issues such as lack of visibility, limited security integration, poor testing, unpatched vulnerabilities, using weak passwords, or worse still default passwords, not to mention the dangers of processing huge amounts of unsecured data from multiple endpoints.”



“I think it goes back to the basics of adding usernames and passwords and configuring these devices correctly. Most of these devices are plug-and-play which means that you don’t have a lot of control over the way that you can customize them. I still think the fundamental issue with IoT devices is using default passwords. Nobody seems to be taking this seriously and most of the decent attacks have involved using user passwords which are factory settings. These default settings are very easy to figure out.”


Both Izak and Raj make it clear that IoT devices are exceptionally vulnerable endpoints and easy pickings for hackers. This is where the UK’s landmark PSTI will be a saving grace, both for SMEs and for individuals. Cyber London seeks to position itself as a champion for innovation and cyber security, working with partners to develop a healthy ecosystem that maintains London’s position as a global leader in cyber. Please reach out to us to find out more. Better still, become a member.



