In less than six months, the Product Security and Telecommunications Infrastructure Act (PSTI) will launch in the United Kingdom as the world’s first initiative mandating minimum cybersecurity standards for consumer products, setting a global precedent. Full compliance is required by April 29, 2024.
As a result of the new regime, consumers and businesses in the UK can anticipate significant improvements in security protocols against cyber threats affecting devices such as phones, smart speakers, gaming consoles, and other internet-connected devices.
In this blog post, we focus on Part 1 of the PSTI Act, specifically the implementation of a Vulnerability Disclosure Policy for consumer IoT product security.
What types of products does the new law affect?
The new law applies to a broad range of consumer IoT products, including, but not limited to:
- Connected safety-relevant products like door locks
- Connected home automation and alarm systems
- Internet of Things base stations and hubs accommodating multiple devices
- Smart home assistants
- Smartphones
- Smoke detectors
- Connected cameras
- Connected appliances such as fridges, washers, freezers, and coffee machines
What are the key requirements of the legislation?
Part 1 of the Product Security and Telecommunications Infrastructure legislation stipulates the following three primary security features:
Universal default passwords will be prohibited for Consumer IoT devices. This measure aims to simplify the process for consumers to configure their devices securely, reducing the risk of hacking by cybercriminals.
Consumer IoT devices must implement a Vulnerability Disclosure Policy. Manufacturers are required to establish a plan for addressing software weaknesses, enhancing the likelihood that such vulnerabilities will be properly dealt with.
Consumer IoT devices are mandated to disclose the duration for which they will receive software updates. This ensures that manufacturers create and release timely software updates to sustain the device’s security throughout its declared lifespan.
What happens to businesses that do not obey the new law?
Non-compliance with the regulations carries significant penalties, including a maximum fine of £10,000,000 or 4% of a manufacturer’s global turnover, and additional daily penalties for sustained non-compliance. Retailers of IoT products fall under the category of ‘Distributors,’ defined as those who make products available in the United Kingdom and are not the product’s manufacturer or importer.
As distributors, they are obligated to verify the compliance of products received from manufacturers, such as through the provision of a Statement of Compliance. Failure to comply could result in severe consequences, including potential court-ordered ‘forfeiture,’ where enforcement agencies seize IoT devices to prevent their sale.
How we can help
If you are subject to legislation that requires you to have a Vulnerability Disclosure Program (VDP), we are here to assist you in fulfilling all the requirements through our managed VDP service.
By enabling the ethical hacker community to report potential vulnerabilities that may have otherwise gone unnoticed, organizations gain valuable insights into their weaknesses. Addressing these reported security bugs on time is crucial, as it not only prevents potential data breaches but also contributes to maintaining the integrity of the company’s systems.
With the support of a professional security team, our service streamlines the process, reducing the resources required for managing and validating vulnerability reports, and ensuring a more efficient and secure operational environment.
Read more about Hackrate’s managed Vulnerability Disclosure Program.
A milestone for strengthening cybersecurity on a global scale
The new regulation represents a significant milestone in providing crucial cybersecurity assurance for consumers and global networks. Recognizing the complexities of navigating a rapidly evolving cybersecurity landscape, the PSTI regime not only addresses current challenges but also adopts a forward-thinking approach, which marks a strategic and adaptive initiative for strengthening cybersecurity on a global scale.
Want to dive deeper into VDP? Our comprehensive E-book includes all about Vulnerability Disclosure Policy, with original research results, market trends, expert insights, best practices, and suggestions to strengthen your organization’s security.
