David Corlette, VP Product Management, VIPRE Security Group shares what the PSTI Act means for smart devices and what manufacturers need to adopt
Historically, many IoT devices have faced challenges with quality and security, as some manufacturers prioritised low costs to attract customers, often at the expense of robust engineering practices. This race to the bottom has left consumers vulnerable and networks exposed.
And if we have learned anything over the years it’s that cybercriminals are dogged in their drive to exploit – every device is a target, and if a security gap is found it will be ruthlessly exploited unless, of course, the manufacturer patches the hole promptly. And therein lies another problem – IoT device manufacturers aren’t always judicious when it comes to timely security patching and support, with some vendors even abandoning devices entirely and leaving consumers to their fate.
The government has taken action to hold manufacturers accountable. The first of its kind, the UK’s Product Security and Telecommunications Infrastructure (PSTI) Act tightens the cybersecurity requirements for IoT devices, intending to make smart device manufacturers a lot more responsible for security.
New regulation, new requirements
The provisions laid out in the Act are practical and useful, and the penalties for non-compliance give them real teeth. Failure to comply could result in fines of up to £10 million or 4% of the manufacturer’s worldwide revenue. This underscores the seriousness of the regulation. The government means business.
The PSTI Act imposes substantial new requirements on IoT manufacturers, forcing them to prioritise security investment in their product design, lifecycle management, and maintenance. While this regulation may seem burdensome, it creates a level playing field by applying the requirements equally to all manufacturers.
Although the PSTI Act only applies to the UK market, its impact will ripple across borders. Manufacturers who produce more secure devices for the UK while knowingly selling less secure versions elsewhere may face significant backlash or even legal challenges. Consequently, this dynamic will drive a global uplift in IoT security standards.
Fortunately for manufacturers, and unlike many regulations, the PSTI Act provides clear, actionable guidance for compliance, giving them a reasonably clear path to what security must look like in their devices. The first step for any manufacturer should therefore be a thorough review of the Act to ensure the regulation is correctly understood.
The maintenance challenge
While the technical requirements are significant, the bigger and perhaps more transformative aspect of the PSTI Act is its focus on ongoing maintenance and support. For instance, manufacturers must now explicitly state how long they will support a device. In practice this means manufacturers must proactively monitor for newly discovered vulnerabilities and exploits, develop patches in near-real time, and distribute them to devices quickly to minimise and mitigate the impact. They must also provide customers with contact information for reporting security issues.
These requirements effectively end the “fire-and-forget” approach to IoT devices, or the “no longer my problem” mindset, forcing manufacturers to take long-term responsibility for their products’ security.
Good security engineering practices
The PSTI Act mandates several fundamental security practices. Passwords are a good example: the Act orders the elimination of default passwords. From the user’s standpoint, the convenience of “plug and play” is watered down, as they will need to set up their IoT devices correctly in the first instance before using them. So, manufacturers must get creative in providing security, convenience, and simplicity at setup. Provisioning basic device configuration alongside the use of passkeys on users’ smartphones could be an option worth exploring.
The security requirements demanded in the regulation impose restrictions on the use of credentials, encryption, network access, remote updating of firmware, and so on. While these requirements may seem daunting, IoT manufacturers don’t need to reinvent the wheel. Many open-source solutions already address these challenges. As a result, their challenge is not solving these security issues – in fact, rolling out their own solutions is a bad idea. Rather the real test is to integrate these existing solutions seamlessly into user interfaces and device operations.
Key design concepts for compliance and beyond
To meet PSTI Act requirements and build truly secure IoT devices, here are some fundamental design concepts that are worth considering:
- Keep it simple: Utilise well-tested, easy-to-understand components and combine them thoughtfully
- Adopt network segmentation: Recommend that users connect devices only to internal networks that are behind secure routers or firewalls unless, of course, the device itself is a network appliance
- Secure external interfaces: For devices with external connectivity, close all inbound ports by default, so that opening one requires deliberate action by the user. Any communication the device needs (e.g., firmware update checks) should be initiated outbound by the device itself, with the default inbound ports on its external interface kept closed
- Empower user choice: Allow users to opt-in to features requiring network connections, ensuring they understand and accept the associated risks
- Minimise data collection: Only collect the minimal personal information that is absolutely necessary for the proper functioning of the device. This will greatly reduce potential exposure in the unfortunate event of a breach. As a suggestion, switching to passkeys means that the IoT device has no secrets to keep, so even if a threat actor manages to steal the credentials database they won’t gain anything of value
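The passkey design suggested in the last point, as an added illustration that is not code from the article or from VIPRE: the device enrols only the smartphone's public key at first-use setup, then authenticates by verifying a signature over a single-use random challenge. Go's standard-library Ed25519 stands in for a full FIDO2/WebAuthn flow; the `Device` type, user names and message shapes are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Device is the IoT device's credential store. With passkeys it holds only
// public keys, so a stolen copy of it cannot be used to log in to the device.
type Device struct {
	creds   map[string]ed25519.PublicKey // user -> registered passkey public key
	pending map[string]bool              // outstanding challenges, each usable once
}

func NewDevice() *Device {
	return &Device{creds: map[string]ed25519.PublicKey{}, pending: map[string]bool{}}
}

// Register is the first-use setup step that takes the place of a factory
// default password: the phone's public key is enrolled, no password is stored.
func (d *Device) Register(user string, pub ed25519.PublicKey) error {
	if _, exists := d.creds[user]; exists {
		return errors.New("user already registered")
	}
	d.creds[user] = pub
	return nil
}

// Challenge issues a fresh random nonce that the user's authenticator must sign.
func (d *Device) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	d.pending[hex.EncodeToString(c)] = true
	return c, nil
}

// Verify accepts the login only if the challenge is still outstanding and the
// signature was made by the private key matching the stored public key.
func (d *Device) Verify(user string, challenge, sig []byte) bool {
	key := hex.EncodeToString(challenge)
	pub, registered := d.creds[user]
	if !registered || !d.pending[key] {
		return false
	}
	delete(d.pending, key) // one challenge, one attempt: a replayed assertion is rejected
	return ed25519.Verify(pub, challenge, sig)
}
```

The smartphone side is just `ed25519.Sign` over the challenge with a private key that never leaves the phone; an attacker holding the device's store has only public keys and cannot produce that signature.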
Challenge and opportunity go hand-in-hand
The PSTI Act presents both challenges and opportunities for the IoT manufacturing industry. While compliance will require significant investment in design, management, and ongoing maintenance, it also opens doors for innovation. Manufacturers who innovate to create secure, user-friendly devices will gain a competitive edge globally in this new regulatory environment.
For cybersecurity professionals, the PSTI Act provides leverage to push for better security practices within their organisations and when evaluating IoT solutions. It also emphasises the need for ongoing education and adaptation of security as the IoT landscape evolves.
The PSTI Act represents a crucial step toward a more secure IoT ecosystem. By mandating security by design and ongoing support, it addresses many of the fundamental flaws that have plagued IoT devices. Manufacturers and security professionals alike must embrace these changes, advocate for their adoption beyond the UK, and work closely across the IoT ecosystem to deliver robust, user-friendly devices and solutions.
The era of treating IoT security as an afterthought is over. It’s time to build a safer, more resilient Internet of Things. After all, the commercial potential of IoT is phenomenal. We haven’t even scratched its surface yet.
Author: David Corlette, VP Product Management, VIPRE Security Group