
Are You Ready for the UK’s New IoT Security Act?

The UK market for connected technologies has been flooded with insecure kit for years. That’s bad news for consumers and businesses alike: compromised devices can be used to launch attacks against both, while undermining market confidence in new technology. With the average Brit now accessing more than nine connected devices, the government has belatedly introduced legislation to improve baseline security standards. The Act received Royal Assent in December 2022, and its product security requirements take effect in April 2024.

Although not perfect, the Product Security and Telecommunications Infrastructure (PSTI) Act 2022 promises to be the start of a more rigorous compliance regime for manufacturers, distributors and importers of smart products.

Why Do We Need the PSTI Act?

IoT risk didn’t begin with Mirai, but it was the first major threat to lay bare the vulnerabilities inherent in connected technologies. Threat actors used the eponymous malware to scan for internet-exposed IoT devices still using the default username and password they left the factory with, then logged in remotely to hijack those endpoints into a botnet used for DDoS, click fraud, spam campaigns and other threats.

Another common issue in both corporate and consumer-grade IoT kit is vulnerabilities in the firmware itself, which threat actors can exploit. Such flaws often go unreported because there is nobody to report them to: a recent study by the IoT Security Foundation (IoTSF) found that just 27% of 332 appraised IoT manufacturers even run vulnerability disclosure programmes. Affected products range from network routers to medical devices, and from DVRs to baby monitors.

What’s in the PSTI Act?

This is where the PSTI Act comes in. It is actually two pieces of legislation in one (Part 1 covers product security, Part 2 telecommunications infrastructure), but it is the first half, on product security, that we’re interested in. The aim is simple: to make consumer-grade IoT kit sold in the UK more secure by default. It mandates that manufacturers, distributors and importers follow strict rules on connectable products. The inclusion of the latter two entities is intended to ensure organisations can’t simply bypass the rules by importing insecure products from outside the country.

So what does it mandate? Building on provisions 5.1 to 5.3 of the ETSI EN 303 645 standard and, for vulnerability reporting, ISO/IEC 29147, the regulations set three key requirements:

Passwords:

Must be unique for each product or defined by the user. A factory-set password must not be based on an incremental counter or on publicly available information about the product (such as a serial number or MAC address), and must not otherwise be easy to guess or enumerate.

Vulnerability disclosure:

There must be at least one published point of contact through which anyone can report a security issue in the product. When a report is received it must be acknowledged, and the reporter kept updated until the issue is resolved; the expected timescales for acknowledgement and status updates must also be published.

Minimum security update period:

The minimum period for which the product will receive security updates must be published clearly and free of charge. The regulations set no minimum length for that period; it simply has to be stated. Once published, the period cannot be shortened, but it can be extended.
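The password requirement is the only one of the three that can be checked mechanically at the point of manufacture. The script below is an added illustration of that check, not code from the PSTI regulations, ETSI, ISMS.online or any manufacturer: it draws a per-unit password from the operating system’s CSPRNG, then rejects any candidate that is a well-known default credential, derived from the unit’s serial number or MAC address, reused from another unit, or one higher than the previous unit’s password (an incremental counter). The sample default-credential list, the constructed serial numbers and MAC addresses, the 12-character length floor and the six-character substring heuristic are all assumptions of the example; the regulations set no length or heuristic of their own.

```python
import re
import secrets
import string
from typing import Iterable, List

# Constructed sample of factory credentials that Mirai-style scanners try first.
# A real check would load a far larger list; this one is illustrative only.
KNOWN_DEFAULTS = {
    "admin", "password", "1234", "12345", "123456", "root",
    "default", "support", "xc3511", "vizxv", "888888",
}

PASSWORD_ALPHABET = string.ascii_letters + string.digits
PASSWORD_LENGTH = 16      # policy choice for this example, not a PSTI figure
MIN_LENGTH = 12           # likewise an assumed floor; the regulations set none


def generate_factory_password(length: int = PASSWORD_LENGTH) -> str:
    """Per-unit password drawn from the OS CSPRNG.

    Nothing about the unit (serial, MAC, batch counter) feeds in, which is
    the simplest way to satisfy "unique per product" and "not based on
    publicly available information" at the same time.
    """
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def _normalise(value: str) -> str:
    """Lower-case and strip separators so 'AA:BB:CC' and 'aabbcc' compare equal."""
    return re.sub(r"[^0-9a-z]", "", value.lower())


def _split_counter(value: str):
    """Split 'Camera-1041' into ('Camera-', 1041); the counter is None if absent."""
    m = re.match(r"^(.*?)(\d+)$", value)
    if not m:
        return value, None
    return m.group(1), int(m.group(2))


def check_factory_password(password: str, serial: str, mac: str,
                           previous: Iterable[str] = ()) -> List[str]:
    """Return the reasons a candidate factory password would fail the password
    conditions in Schedule 1 of the UK regulations; an empty list means nothing
    was found. `previous` holds passwords already issued to earlier units on
    the line and is used to spot counters and reuse."""
    problems = []
    p = _normalise(password)

    if password.lower() in KNOWN_DEFAULTS:
        problems.append("matches a widely known default credential")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Based on information uniquely attributable to the product? Flag the
    # identifier appearing whole, or any six-character run of it, inside the
    # password (hex-encoded MACs and serial suffixes are the usual offenders).
    for label, ident in (("serial number", serial), ("MAC address", mac)):
        n = _normalise(ident)
        if not n:
            continue
        runs = {n[i:i + 6] for i in range(len(n) - 5)} if len(n) >= 6 else set()
        if n in p or p in n or any(run in p for run in runs):
            problems.append(f"derived from the {label}")

    prev = list(previous)
    if password in prev:
        problems.append("reused from another unit (not unique per product)")
    if prev:
        # Based on an incremental counter? Same prefix and a trailing number
        # one higher than the unit provisioned immediately before this one.
        last_prefix, last_n = _split_counter(prev[-1])
        this_prefix, this_n = _split_counter(password)
        if (last_n is not None and this_n is not None
                and last_prefix == this_prefix and this_n == last_n + 1):
            problems.append("follows an incremental counter from the previous unit")

    return problems


def provision_unit(serial: str, mac: str, issued: List[str]) -> str:
    """Generate a password for one unit, verify it and record it in `issued`.
    Raises if the generator ever produces something the check rejects."""
    candidate = generate_factory_password()
    problems = check_factory_password(candidate, serial, mac, issued)
    if problems:
        raise RuntimeError(f"unit {serial}: {problems}")
    issued.append(candidate)
    return candidate


if __name__ == "__main__":
    # Constructed identifiers for two units on a production line.
    line: List[str] = []
    for unit_serial, unit_mac in (("SN0012345678", "AA:BB:CC:DD:EE:01"),
                                  ("SN0012345679", "AA:BB:CC:DD:EE:02")):
        print(unit_serial, provision_unit(unit_serial, unit_mac, line))
    # A counter-style scheme that the regulations rule out:
    print(check_factory_password("Camera-Unit-1042", "SN0012345679",
                                 "AA:BB:CC:DD:EE:02", ["Camera-Unit-1041"]))
```

The substring heuristic is deliberately crude: it catches the common shortcuts (printing the MAC on the label and using it as the Wi-Fi key, or padding the serial number) but cannot prove a password is independent of the device. The reliable way to pass the check is the one the generator takes, which is to derive nothing from the unit at all.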

IoTSF managing director John Moor tells ISMS.online that these requirements are part technical and part process-based.

“Manufacturers will need to design products that have unique and strong passwords ‘out of the box’, and users should be able to change these. This has clear implications for how products are designed. The second requirement is an attempt to ensure that security is maintained – that known vulnerabilities can be fixed in the field or, in extreme situations, recalled. This means all companies are required to have a process whereby ‘researchers’ or lay-persons may contact the supplier and report security issues,” he adds.

“The third requirement is there to inform the consumer as to what can be expected in terms of security maintenance – this also has an implication for the design phase – how will security updates be enabled? What is the process for mass updates?”

Organisations in breach of the act can be fined up to £10m or 4% of their global annual revenue, whichever is higher. The PSTI Act also gives the secretary of state the power to issue stop and recall notices.

How Does it Tally with the European Regime?

The equivalent regime in the EU is the Cyber Resilience Act (CRA), which is still working its way through the bloc’s lawmaking institutions. It appears to set a higher bar for IoT security, mandating that products ship with a secure-by-default configuration and without known exploitable vulnerabilities, and that they feature appropriate authentication mechanisms as well as data encryption where relevant. Risk and conformity assessments will also be required under the CRA; the UK regime requires neither.

For those organisations operating in the UK and EU, compliance shouldn’t be hard as long as they stick to the more rigorous EU regime.

“Fortunately, there has been ongoing dialogue with UK authorities and their respective counterparts in the EU. To our best knowledge, companies will be able to align UK and EU requirements without significant overhead,” says Moor.

“Schedule 4 sets out the minimum amount of information which is required to be stated in a statement of compliance. Manufacturers will have to supply a minimum amount of information on their statement of compliance and a signature to make the declaration of compliance official. A copy of the statement must be retained for at least 10 years.”

The UK PSTI Act comes into force in April 2024, while the CRA will likely not land until late 2025, meaning manufacturers and importers have more time to prepare, Bridewell principal consultant Alan Blackwell tells ISMS.online.

Does it Go Far Enough?

There is still some debate over whether the PSTI Act is a missed opportunity to introduce a higher bar for IoT security. Blackwell explains that it draws from both ETSI EN 303 645 and a UK Code of Practice for Consumer IoT Security, which was published back in 2018.

“But only the top three [ETSI] requirements, out of a total of 13, have made it into the first version of the regulations. For example, one of the current omissions is the need to provide secure communications over the internet,” he adds. “Over time, we hope to see the act build on the initial three requirements to include some more from the UK Code of Practice and ETSI.”

The IoTSF’s Moor agrees, describing the law as a “necessary first step” which will provide a foundation to build on.

“Regulation is a fine balancing act between achieving its stated goals and avoiding unintended consequences – in this case, not stifling innovation,” he argues. “The approach the UK government has made is sensible – it sets a minimum level of requirements and will evolve these over time as necessary.”

Bridewell’s Blackwell claims that enforcement of the law will ultimately determine how effective it is in improving baseline security in the industry.

“We would expect the regulation will start off with a light touch to begin with while manufacturers, distributors and importers get themselves sorted. But traditionally, with these kinds of cybersecurity regulations, we see enforcement action from the regulator starting to increase after a few years,” he concludes.

Still, with the PSTI Act now law and its April 2024 deadline set, organisations should not waste any time in making the technical and process changes needed to comply.
