For manufacturers selling smart devices in the UK, the Product Security and Telecommunications Infrastructure (PSTI) Act came into force on 29th April 2024, stipulating that smart devices sold in the UK must be designed with stronger baseline security.
The purpose of the legislation is to improve the security of devices that have been targeted by hackers seeking to acquire personal information, such as televisions, smart watches, security cameras, baby monitors and more.
“Smart devices have in the past been compromised at scale by cybercriminals. The objective of the new requirements is to prevent such security breaches, for example by strengthening default passwords. Other requirements (and more will be added in future) include providing information to the public on how to report security issues and on minimum security update periods (such as in an End-of-Life policy),” explained Aonghus Heatley, Product Law Expert and Director at Fieldfisher. “If you are selling a product, it’s your responsibility to make sure the product complies with the new requirements.”
The new law stipulates that manufacturers must adhere to a set of requirements: passwords must be more secure and must not follow simple sequences such as 123; manufacturers must provide a clear route for reporting bugs or security issues; and they must inform customers for how long they will receive security updates.
Failure to comply could result in fines, and the Office for Product Safety and Standards (OPSS) has the power to prohibit distribution or sales until a product complies.
Although this marks a big step towards eliminating insecure or weak passwords – devices must prompt users to set a new password if the current one is deemed weak (such as ‘123’ or ‘admin’) – concerns around the security of smart devices go back several years.
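As an added illustration of the weak-password rule described above (this is example code, not from the article, the Act or any regulator), the check below rejects the kinds of values the Act's examples name and re-prompts until an acceptable password is supplied; the blocklist, minimum length and run length are constructed for illustration.

```python
import re

# Constructed blocklist of well-known factory defaults (illustrative, not from the Act).
COMMON_DEFAULTS = {"admin", "password", "root", "user", "guest", "default", "1234", "123456"}


def _has_sequence(s: str, min_run: int = 3) -> bool:
    """True if s contains min_run or more consecutive ascending or descending
    characters, e.g. '123', 'abc' or 'cba' (run length chosen to match the article's '123')."""
    s = s.lower()
    for start in range(len(s) - min_run + 1):
        chunk = s[start:start + min_run]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(candidate: str, min_len: int = 8) -> tuple[bool, str]:
    """Return (ok, reason). A device would reject the value and re-prompt on False,
    which is the behaviour the Act requires for weak passwords."""
    pw = candidate.strip()
    if pw.lower() in COMMON_DEFAULTS:          # checked first so the reason is specific
        return False, "well-known default"
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    if _has_sequence(pw):
        return False, "contains a sequential run"
    if len(set(pw.lower())) <= 2:              # e.g. 'aaaaaaaa' or 'abababab'
        return False, "too few distinct characters"
    if re.fullmatch(r"(.{1,3})\1+", pw):       # e.g. 'zqwzqwzqw'
        return False, "repeated pattern"
    return True, "ok"


def onboarding_prompt(attempts):
    """Simulate first-boot setup: keep prompting until a strong password is given.
    Returns (accepted_password_or_None, list_of_rejection_reasons)."""
    reasons = []
    for attempt in attempts:
        ok, reason = check_password(attempt)
        if ok:
            return attempt, reasons
        reasons.append(reason)
    return None, reasons
```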
Earlier this year, IoT Insider reported that the European Commission’s Cyber Resilience Act is on the brink of becoming the most encompassing cybersecurity legislation for products. At the time of reporting, however, manufacturers argued that the 36-month transition period was “insufficient”, given the years that go into product and software development.
And in May 2023, Jason Blake, Scheme Manager for the IoT Certification at the IASME Consortium, discussed at length the PSTI Act and how manufacturers need to prepare.
Ahead of the law being passed, Iain Davidson, Senior Product Manager at Wireless Logic advised: “PSTI is just around the corner, so it’s time for manufacturers, distributors and solution providers to ensure they’re fully prepared before the final deadline. Non-compliance isn’t just a paperwork issue – it can hit your bottom line hard.
“The new rules give authorities the power to issue directives for fixes or recall notices for any devices sold after the deadline. And if a product doesn’t comply, the Office for Product Safety and Standards (OPSS) can prohibit distribution or sales until it does.”
The UK is not alone in its concerns. In July 2023, IoT Insider reported the unveiling of the US White House’s plan for a US Cyber Trust Mark, which certifies that IoT devices carrying the label have met security criteria. The mark focuses on cybersecurity and is not unlike the Energy Star label: both are designed to inform customers of the stringent requirements (energy efficiency or cybersecurity, respectively) that a product meets.