Skip to main content

Less than two months to achieve compliance with the PSTI Act

Companies now have less that two months to ensure compliance with the Product Security and Telecommunications Infrastructure Act 2022, with compliance with the law required by 29th April 2024.

With the end of April 2024 less than two months away, what will happen to companies whose IoT connected products are not compliant with the new law? 

What does the law cover?

This law applies to all consumer IoT products, including but not limited to:

  • connected safety-relevant products such as door locks
  • connected home automation and alarm systems
  • Internet of Things base stations and hubs to which multiple devices connect
  • smart home assistants
  • smartphones
  • smoke detectors
  • connected cameras
  • connected fridges, washers, freezers, coffee machines 

The expert’s view 

Secured by Design’s resident IoT expert Michelle Kradolfer explains the consequences of non-compliant products to companies.

“The Product Security and Telecommunications Infrastructure Act requires manufacturers, importers and distributors to ensure that minimum security requirements are met in relation to consumer connectable products that are available to consumers and provides a robust regulatory framework that can adapt and remain effective in the face of rapid technological advancement, the evolving techniques employed by malicious actors, and the broader international regulatory landscape. 

“Currently the adoption of cyber security requirements within these products is poor - only 1 in 5 manufacturers embed basic security requirements in consumer connectable products, although consumers overwhelmingly assume these products are secure. Indeed many IoT products are still produced with a default password either commonly used (such as password) or easily obtainable online. Hackers know and regularly exploit this vulnerability. 

“When it comes to harassment and stalking for example, insecure technology can provide new opportunities for abusers to control, harass and stalk their victims, and we have seen many examples of this happening already. We’ve also seen a smart thermostat in a fish tank being hacked and used as entry way to access a casino’s database of ‘high rollers’ containing personal and financial information, as well as a residential building in Finland suffering a cyber attack on their smart heating system, causing the warm water and heating to be shut off for a week during the winter months. 

“In 2021 Which? undertook a study to look at how a smart home could be at risk from hackers, setting up their own smart home. This detected more than 12,000 scanning or hacking attempts in a single week. Without the appropriate levels of security, any internet connected device or app is at risk of being readable, recognisable, locatable, and/or controllable via the internet, thus providing cyber criminals with the ‘key’ in accessing and stealing personal data. This can then be used for a multitude of criminal purposes, including burglary, theft, blackmail, harassment and stalking.” 

What does the legislation require?  

The Product Security and Telecommunications Infrastructure legislation covers the following three main security features:

  • Consumer IoT devices will not be allowed to have universal default passwords
    This makes it easier for consumers to configure their devices securely to prevent them being hacked by cyber criminals
  • Consumer IoT devices will have to have a vulnerability disclosure policy
    This means manufacturers must have a plan for how to deal with weaknesses in software which means it's more likely that such weaknesses will be addressed properly
  • Consumer IoT devices will need to disclose how long they will receive software updates
    This means that software updates are created and released to maintain the security of the device throughout its declared lifespan

What needs to be done?

Businesses who produce or supply IoT connected products need to ensure that they are sighted on the new law and have taken the appropriate steps to ensure that they are compliant with its requirements.  

These minimum security requirements contained within the law are based on the UK’s Code of Practice for Consumer IoT security, the leading global standard for consumer IoT security ETSI EN 303 645, and on advice from the UK’s technical authority for cyber threats, the National Cyber Security Centre. 

The regime will also ensure other businesses in the supply chains of these products play their role in preventing insecure consumer products from being sold to UK consumers and businesses. 

What are the penalties for not complying with the legislation? 

The robust regulatory framework within the law contains an enforcement regime with civil and criminal sanctions aimed at preventing insecure products being made available on the UK market within it. This enforcement regime enables the government to take a range of actions against companies that are not compliant with the law by 29th April 2024. This includes: 

  • Enforcement Notices: Compliance notices, Stop notices and Recall notices 
  • Monetary penalties: the greater of £10 million or 4% of the company’s qualifying worldwide revenue 
  • Forfeiture: of stock which is in the possession or control of any manufacturer, importer or distributor of the products, or an authorised representative

How can SBD’s Secure Connected Device accreditation help with compliance? 

Secured by Design’s (SBD) Secure Connected Device accreditation scheme, developed in consultation with the Department for Science, Innovation and Technology (DSIT), helps companies to get their products appropriately assessed against all 13 provisions of the ETSI EN 303 645 standard, a requirement that goes beyond the Government’s legislation so that companies can not only demonstrate their compliance with the legislation but help protect themselves, their products and customers. 

The SBD Secure Connected Device IoT Assessment identifies the level of risk associated with an IoT device and its ecosystem, providing recommendations on the appropriate certification routes with one of the SBD approved certification bodies. Once third-party testing and independent certification for a product has been achieved, the company can apply to become SBD members, with the product receiving the SBD’s Secure Connected Device accreditation, a unique and recognisable accreditation that will highlight products as having achieved the relevant IoT standards and certification. 

Compliance with the Secure Connected Device accreditation sends a clear message to the wider industry of the importance of IoT security and companies accredited to this SBD standard will lead by example and be at the forefront of the IoT revolution and in doing so will help to keep their customers and the public safer from the risk of a cyber breach. 

The Secure Connected Device accreditation is the only way for companies to obtain police recognition for the security of their IoT products in the UK. 

Find out more on SBD’s Secure Connected Device accreditation and the companies who have achieved it to date at www.securedbydesign.com/IoT