The long-awaited Product Security and Telecommunications Infrastructure (PSTI) Act 2022 has finally kicked in, placing new legal duties on manufacturers of electronic and smart home devices to protect consumers and businesses across the UK from data privacy violations and cyber attacks by building minimum security standards into their products.
Billed by Westminster as a world’s first, the PSTI Act’s genesis dates back over five years to the introduction of an Internet of Things (IoT) Code of Practice in October 2018, which was jointly developed by the National Cyber Security Centre (NCSC) and what was then the Department for Digital, Culture, Media and Sport (DCMS). The PSTI Act’s journey through Parliament began in November 2021, and it received Royal Assent from King Charles III on 6 December 2022.
The legislation bans devices from accepting default or easily guessed, insecure passwords, requires manufacturers to publish contact details so that security bugs and issues can be reported, and requires both manufacturers and retailers to be open with consumers about the minimum period for which they can expect to receive security updates and software patches.
While most of the devices in scope are manufactured outside the UK, the PSTI Act also applies to any organisation importing or retailing products in the UK, with failure to comply constituting a criminal offence attracting a fine of up to £10m or 4% of qualifying global revenue, whichever is higher.
Westminster said the legislation marked a “significant step” towards boosting society’s resilience to cyber crime. An estimated 99% of adults in the UK now own at least one smart device, and the average household owns nine. It said the new regime would give users confidence that they can safely buy and use smart products, in turn helping grow the economy.
“As everyday life becomes increasingly dependent on connected devices, the threats generated by the internet multiply and become even greater,” said cyber minister Jonathan Berry, 5th Viscount Camrose.
“From today, consumers will have greater peace of mind that their smart devices are protected from cyber criminals, as we introduce world first laws that will make sure their personal privacy, data and finances are safe.
“We are committed to making the UK the safest place in the world to be online and these new regulations mark a significant leap towards a more secure digital world,” he said.
NCSC deputy director for economy and society, Sarah Lyons, added: “Smart devices have become an important part of our daily lives, improving our connectivity at home and at work; however, we know this dependency also presents an opportunity for cyber criminals.
“Businesses have a major role to play in protecting the public by ensuring the smart products they manufacture, import or distribute provide ongoing protection against cyber-attacks and this landmark Act will help consumers to make informed decisions about the security of products they buy,” said Lyons.
“I encourage all businesses and consumers to read the NCSC’s point of sale leaflet, which explains how the new PSTI regulation affects them and how smart devices can be used securely,” she added.
Welcome legislation
Among cyber security practitioners, the PSTI Act has been broadly welcomed, particularly those parts of it that pertain to poor password hygiene, which has frequently been a contributing factor in cyber attacks such as those orchestrated via the infamous Mirai botnet in late 2016.
The Mirai attack saw hundreds of thousands of smart devices co-opted into a botnet that was used to conduct distributed denial of service (DDoS) attacks, and was one of the first major security incidents to highlight how easily unsecured smart devices can be hijacked by ne’er-do-wells.
NCC Group head of UK markets, Matt Thomas, was among those to give their thumbs up to the legislation.
“The cyber security industry has long been calling for enhanced legal protections for connected devices, and today’s law marks a key turning point in our pursuit of securing our connected future,” said Thomas.
“As all but a few UK adults own at least one smart device, the effects of this law will be far-reaching and show the government is serious about boosting the UK’s cyber resilience. We are pleased to see the UK is intent on leading on this issue on the global stage too, passing the world’s first law to protect consumer privacy, data and finances.
“While the law is limited in protecting against the risk of highly complex attacks, such as supply chain and nation state, it is going to help stop a lot of the more widespread, less complex attacks. It is definitely a step in the right direction.”
Kevin Curran, Ulster University professor of cyber security and a senior member at the Institute of Electrical and Electronics Engineers (IEEE), said: “It’s widely understood that the more devices you connect to the internet, the higher the risk of being hacked. It means that you are more likely to have neglected devices which are not updated and hence more vulnerable to attacks. The scale of deployment of these devices in households and public areas introduces new avenues for attacks. There is also concern over the ‘domino effect’, where the compromise of one device could easily spread throughout the entire network.
“The IoT exposes us all to some degree of risk. Despite their perceived simplicity, these devices hold unexpected power to disrupt when left unpatched or poorly managed. The widespread use of default passwords from manufacturers typically led to significant issues, with hackers increasingly exploiting this vulnerability. It’s encouraging to see growing emphasis on implementing best practices in securing IoT devices before they leave the factory.”
Curran continued: “As well as stronger passwords, it’s essential to establish comprehensive preventative, detective and corrective controls through a combination of policies, standards, procedures, organisational structures, software technologies, and monitoring mechanisms. These measures are crucial for mitigating the risks related to the confidentiality, integrity and availability of information assets within an organisation.”