UL Solutions recently held a webinar on the newly passed UK PSTI (Product Security and Telecommunications Infrastructure) regulation, which puts into law requirements for device manufacturers to enforce strong passwords, to provide a clear way of reporting security issues and receiving updates, and to inform customers how long their devices will receive security support.
The webinar brought together Jackie White, Enforcement Manager, product regulation – internet security, Office for Product Safety and Standards (OPSS), and three speakers from UL Solutions: Angelo D’Amato, Lead Principal, cybersecurity group; Fergus Wong, Solution Architect, cybersecurity group; and Gaurav Manchanda, Senior Advisor. They shared information and insights on the regulation, specific cases and how UL Solutions can provide support.
Manufacturers, as well as the importers, distributors and retailers who place these in-scope products on the UK market, are all responsible for complying. Failure to comply can result in a hefty fine or a prohibition on distributing or selling the product.
The market challenges surrounding this regulation, as outlined by Gaurav Manchanda, include understanding the regulation and its technical requirements; understanding the password requirement; difficulties drafting a correct Statement of Compliance (SoC); scoping the products; implementing a robust vulnerability disclosure policy; and assistance with documentation review.
A major question raised during the webinar was which products fall within the remit of the legislation. Consumer connectable products are in scope, but attendees dug deeper into how the regulation works in practice, for instance when a product is used by both a business and consumers, such as a smart printer in a library.
“For every scenario we need to look at it on a case-by-case basis, so if a product has been sold to a business and is used in a business premises, that wouldn’t make it a consumer product, even if consumers are going to use that product,” stated White. “However, you need to look at the product itself: if that same product in the business premises is also a UK consumer connectable product and the manufacturer should be aware, then that would bring the product into scope and it would need to comply.”
Because of the uncertainty around which products are relevant, Angelo D’Amato took some time to talk through the regulation and its accompanying explanatory notes, stressing that these notes are “crucial” to understanding the regulation, particularly for businesses or individuals who are less familiar with legal terminology.
When evaluating a product’s compliance, said D’Amato, three concepts must be considered: the hardware, the manufacturer’s intended purpose, and security/software updates. “The manufacturer’s intended purpose plays a key role in the UK PSTI regulation in a couple of ways. Firstly, because you can understand the applicability of PSTI to your product, which applies if it’s a consumer connectable product, and secondly, because it enables a risk-based approach based on the purpose of the product and what the risk level is.”
Fergus Wong pointed to the government’s published guidance as the reference to consult when it is unclear whether a product is in scope. “Common products that will likely fall into the scope include products with a cellular network capability such as smartphones, laptops and tablets. Cameras, fitness trackers, children’s toys and baby monitors are likely to be in scope too,” Wong explained.
Jackie White, who represented the product regulator OPSS at the webinar, was quick to reassure participants that the way in which the OPSS identifies and responds to non-compliance is “proportionate” and handled “in a pragmatic manner”. OPSS market surveillance of which products comply began on 29 April, as soon as the regulation came into force.
“We have to understand what concerns businesses have and their approach to compliance and any challenges they have, information which is invaluable to us,” White explained.