Wednesday 28 June 2023

Product Security and Telecommunications Infrastructure (PSTI) Act Update

Secured by Design has informed Door & Hardware Federation (DHF) of the latest update regarding the new Product Security and Telecommunications Infrastructure (PSTI) Act, as well as how this will impact the manufacturers of IoT products going forward.

The Product Security and Telecommunications Infrastructure Act 2022 received Royal Assent on 6th December 2022 and has been enacted into law.

The government have now announced that companies have a period of a year to implement the changes put forth in the legislation, with compliance required by 29th April 2024.

This law applies to all consumer IoT products, including but not limited to connected safety-relevant products such as door locks, connected home automation and alarm systems, Internet of Things base stations and hubs to which multiple devices connect, smart home assistants, smartphones, smoke detectors, connected cameras, connected fridges, washers, freezers, and coffee machines.

DHF’s General Manager & Secretary, Michael Skelding explains:

“Whilst consumer connectable products such as those listed above offer huge benefits for people and businesses to live better connected lives, to date, the adoption of cyber security requirements within these products is poor.

“Just one in five manufacturers entrench basic security requirements in consumer connectable products, although consumers overwhelmingly assume these products are secure.”

Whilst connectable consumer products have previously had to comply with existing regulation to ensure that they will not directly cause physical harm from issues such as overheating, environmental damage or electrical interference, they have not been regulated to protect consumers from cyber harm such as loss of privacy and personal data. 

To close this regulatory gap, the government introduced the Product Security and Telecommunications Infrastructure Act.

Michael says:
“The Product Security and Telecommunications Infrastructure Act 2022 requires manufacturers, importers, and distributors to ensure that minimum security requirements are met in relation to consumer connectable products that are available to consumers.” 
“It also provides a robust regulatory framework that can adapt and remain effective in the face of rapid technological advancement, the evolving techniques employed by malicious actors, and the broader international regulatory landscape.”  

Many IoT products are still produced with a default password either commonly used (such as password) or easily obtainable online. Hackers know and regularly exploit this vulnerability.

The PSTI legislation covers the following three main security features:

Consumer IoT devices will not be allowed to have universal default passwords – this makes it easier for consumers to configure their devices securely to prevent them being hacked by cyber criminals.

Consumer IoT devices will have to have a vulnerability disclosure policy - this means manufacturers must have a plan for how to deal with weaknesses in software meaning it is more likely that such weaknesses will be addressed properly.

Consumer IoT devices will need to disclose how long they will receive software updates - this means that software updates are created and released to maintain the security of the device throughout its declared lifespan.

The regulatory framework within the law enables the government to take a range of actions against companies that are not compliant with it by 29th April 2024.

This includes Enforcement Notices: Compliance notices, Stop notices and Recall notices; Monetary penalties: the greater of £10 million or 4% of the company’s qualifying worldwide revenue and Forfeiture: of stock is in the possession or control of any manufacturer, importer or distributor of the products, or an authorised representative.

Michael continues:
“Secured by Design’s (SBD) Secure Connected Device accreditation scheme, developed in consultation with the Department for Science, Innovation and Technology (DSIT), helps companies to get their products appropriately assessed against all 13 provisions of the ‘h standard’, a requirement that goes beyond the Government’s legislation, so companies can not only demonstrate their compliance with the legislation but help protect themselves, their products and customers,”

The SBD Secure Connected Device IoT Assessment identifies the level of risk associated with an IoT device and its ecosystem, providing recommendations on the appropriate certification routes with one of the SBD approved certification bodies.

Once third-party testing and independent certification for a product has been achieved, the company can apply to become SBD members, with the product receiving the SBD’s Secure Connected Device accreditation, a unique and recognisable accreditation that will highlight products as having achieved the relevant IoT standards and certification.

Michael says:

“It is vitally important to ensure that all IoT products have the right level of security in place to protect consumers and reduce the risk of them falling victim to cyber-crime.

“Adverse publicity due to a cyber incident could be catastrophic to the reputation of the product and company.”

In 2021 Which? undertook a study to look at how a smart home could be at risk from hackers, setting up their own smart home. This detected more than 12,000 scanning or hacking attempts in a single week.

Without the appropriate levels of security, any internet connected device or app is at risk of being readable, recognisable, locatable, and/or controllable via the internet, thus providing cyber criminals with the ‘key’ in accessing and stealing personal data.

This can then be used for a multitude of criminal purposes, including burglary, theft, blackmail, harassment, and stalking.

Michael concludes:

“Compliance with the Secure Connected Device accreditation sends a clear message to the wider industry of the importance of IoT security and companies accredited to this SBD standard will lead by example and be at the forefront of the IoT revolution.

“In so doing, it will help to keep their customers and the public safer from the risk of a cyber breach. The Secure Connected Device accreditation is the only way for companies to obtain police recognition for the security of their IoT products in the UK.”
Find out more on SBD’s Secure Connected Device accreditation at

Why not Sign-up to Receive these Articles by Email each Day on our newsfeed site

>> Scroll down to read more articles like this which have been published recently on this blog <<

You can also read additional current and archived articles on our dedicated magazine website

Low Cost and Free Publicity - Your company can easily benefit from some publicity like the posts above for a contribution towards our layout costs (£75 to £95 plus VAT), payable in advance or you can receive the service absolutely free of charge if you advertise (see below).

We post articles up to twice a day and never delete them - we only archive them each year so that they continue to remain visible to search engines.

To have your story published - just send us your news item, logo and image(s) and we will review the material, make any necessary changes to the wording / wordcount and then advise you when it will be published.

If you are a regular advertiser in our printed and online publications, placing series bookings for adverts or subscribing to our VIP Packages, you will qualify for a specific number of free postings on this blog while you continue to advertise with us. See our media pack for more details.

Also, if you purchase one of our Online and Print Combo packages, Featured Articles or Advertorial packages shown in our media pack, posting on this blog is included in the price.

For details and rates for all of our advertising options in print and online, download our media pack contact us or visit our website.

Door Industry Journal is a trading style of Avalon Innovations LLP - Company No. OC364751

No comments: