The passing of the Product Security and Telecommunications Infrastructure (PSTI) Act on the 29th April marked a milestone in device security for consumer electronics. The Act stipulates that manufacturers must adhere to three requirements by law: passwords need to be secure; manufacturers have to provide clarity around reporting bugs or security issues; and they must be transparent about how long customers will receive security support.
The PSTI Act followed on from the ETSI standards, the main difference being the standards were guidelines whereas the PSTI Act has been entered into law, explained Kamran Jehangir, Technical Consultant at Eseye in a conversation with IoT Insider.
“There’s been a lot of talk [about how the legislation came about] because there’s been an increase in IoT devices coming onto the UK market being sold on various platforms worldwide,” he said. “It was realised there was also an increase in cybersecurity threats, especially in consumer products. Tech companies will always safeguard their networks but as consumers we don’t always think about it.”
Consumer devices like smartphones and laptops may be thought about in relation to cybersecurity concerns, but the rise in smart devices means fridges or printers which are connected to Wi-Fi need to be thought about, too. “With technology changing and advancing all of the time, these measures need to be taken to protect and enhance the resilience of these devices that are coming onto the market,” underscored Jehangir.
Depending on where the device is bought, too, some come with lots of instructions on how to set the device up, sort out the password, etc., while others don’t provide enough detail on security. “This is a massive concern,” said Jehangir. “It leaves consumers wide open for attacks and data theft, and so on.”
Jehangir expressed his opinion that the Act isn’t strict enough, because loopholes that can be exploited need to be looked at, and it only focuses on three major points.
Further certification – IASME Certification, which Eseye offers as one of the first IoT connectivity providers to do so – is available and isn’t required but, Jehangir explained, is beneficial for manufacturers. “I think the further certification is more detailed,” he said. “It looks at, for example, how your data is transferred between the device servers or an endpoint. Is it a secure transfer? How many ways are there to plug a computer into the device, for example, is it secure?”
In spite of what the Act signifies in taking a stride towards enforcing cybersecurity, there is concern from the industry that manufacturers aren’t prepared to comply.
As a result, Eseye has been actively involved in putting out information and educational material to help manufacturers understand what’s required of them. “We’re putting advisory information out to say look, there is a certification you can get which is not compulsory, but it is one way of saying you align with the PSTI requirements as a manufacturer.
“This is a slow conversation because uptake on the Act has been slow. I think there hasn’t been enough information sent out to manufacturers which is why we’re trying to fill that gap.”
A smart printer or a smart fridge is an example of a device that falls under the PSTI Act, because it connects to Wi-Fi and is a consumer product. Medical devices are governed by different legislation stipulating security requirements, as are EV chargers.
In talking to Jehangir, I was struck by the vastness of the devices that qualify and noted this. “People don’t always understand this,” he said. “Even your phone is an IoT device. You have data on there, you have it connected to the internet most of the time. Do you know what security is in place?”
Jehangir likened it to the GDPR Act: “When it was first introduced, nobody was bothered. Companies began getting fined for not looking after people’s data properly and all of a sudden there was a mad rush. I think the PSTI Act is going to follow suit.”
In their efforts to “get the message out there,” as Jehangir put it, I commended him and the Eseye team for their tireless work in continuing to educate and support manufacturers. “It’s not really about getting fined, it’s about securing devices,” he concluded. “That’s why we’re concerning ourselves with it and have taken this step to make sure we have the knowledge to pass onto our customers and anyone else who wants to come to us for advice.”