The Product Security and Telecommunications Infrastructure (PSTI) Act makes cyber security a legislative requirement for all digitally connected products and telecommunications infrastructure in the UK. It was enacted into UK law on 6 December 2022 and is due to come into force on 29 April 2024.
The number of smart products available in the UK is increasing. These devices range from smart meters and internet-connected CCTV to smart speakers and cookers. Unfortunately, some of these devices can be poorly secured and can be easy targets for hackers and organized crime groups.
The cyber security skills shortage: What skills are missing?
Internet of Things (IoT) devices, which are already in heavy use across the business world, also come with a number of privacy and security concerns. Without a proper IoT security strategy, companies put themselves at risk of compromise through distributed denial of service (DDoS) attacks or costly data breaches that used connected devices as a backdoor.
The evolving threat landscape demands strong controls for digitally connected devices. For example, November 2023 the cyber security firm Akamai released a research paper detailing how the Mirai botnet is targeting routers and network video recorder devices that still use default administrator credentials.
What is the PSTI Act and what does it set out?
The PSTI Act is divided into two sections; the first is focused on smart product security, whilst the second part details the legislative framework around telecommunications infrastructure security regulations.
“The Act is relatively modest in the requirements it currently imposes,” says Aonghus Heatley, a director at Fieldfisher. “The current one for passwords is that they can’t be based on incremental counters, they can’t be based on or derived from publicly available information and they can’t be based on or derived from a product identifier, such as a serial number; otherwise, they can be guessable.”
Some manufacturers ship devices with default passwords such as ‘admin’ which hackers can easily guess. The Act bans this practice and requires companies that make, import, or distribute digitally connected products oversee product resilience and engage with security researchers over any potential or exploited vulnerabilities within them.
Discover where network monitoring tools fail based on end-user connectivity
The PSTI Act does not just apply to manufacturers but to importers and retailers as well. Most products are now created outside the UK. Therefore, any organization responsible for manufacturing, importing, or retailing new digital devices or infrastructure, for the UK market, is subject to this Act.
Failure to comply with the PSTI Act is a criminal offense, with fines up to £10 million ($12.73 million), or 4% of qualifying worldwide revenue, whichever is higher.
The Office for Product Safety and Standards (OPSS) has been granted legislative powers to ensure organizations comply with the PSTI Act. The OPSS is relatively new and is intended to deliver a unified approach across the country, rather than relying on trading standards that operate at a local authority level.
Are businesses prepared for the PSTI Act?
The impending deadline of the PSTI Act has caused concerns for some organizations, due to the amount of work required to ensure they are fully compliant with the Act.
Other than the consultation period, there has been a lack of awareness about the PSTI Act and its coming enforcement, by some sectors of the UK market. “A lot of our clients weren’t aware of the Act, but retailers like John Lewis and other big companies are saying to them they need to get their products in line,” says Heatley.
The PSTI Act seeks to improve the resilience of supply chains, inclusive of manufacturers of digitally connected products, by imposing new compliance and record-keeping requirements on these firms. Some organizations outside of the UK are struggling to meet the enforcement deadlines, primarily due to the amount of change required in their manufacturing process.
“Non-UK manufacturers aren’t really aware of this,” says Heatley. “A lot of our clients are finding that they are telling their suppliers, but they're getting a lot of pushbacks because this is a UK specific Act.”
There is also a certain amount of confusion over what is required by some elements of the PSTI Act. “The Act is not quite as complete as I would want and it’s a little bit ambiguous in many of the things it demands,” says Steve Jacques, security systems engineer at Juniper Networks.
“It’s very quick to highlight how vendors of IoT devices and telecommunications operators might be punished and the things that are expected of them, but very little guidance on how they actually achieve that.”
Some organizations are uncertain whether pin-codes count as a password in the legislation. Whilst a pin-code fulfills the same function as a password, it could be argued that a pin-code for a lock screen does not come under the Act, because it is not associated with internet connectivity.
What does the PSTI Act mean for business strategy?
Due to the PSTI Act, retailers and importers are having to negotiate with manufacturers about changing their manufacturing process so their products can be sold in the UK.
These renegotiations have associated legal fees, due to the cost of changing the terms of contracts. As the PSTI Act does not provide assistance for the costs, this will be an additional financial burden that organizations will be expected to bear.
“The cost implications are massive. We have some providers who are having to wholesale replace hardware and a lot who are having to renegotiate contracts,” says Jacques. “The Act talks about timescale requirements for fixing found vulnerabilities and that is pushed towards the provider, but the provider has no control over that, as they may be dealing with hundreds of suppliers – that means they have to legally or contractually force those same timeframes and obligations on to the vendors.”
Unfortunately, some companies are experiencing resistance to these demands from manufacturers, who would have to change their processes for a single market. Retailers with a significant market share, such as Currys and Argos, will have the most influence over those who manufacture products for the UK.
The PSTI Act provides a framework for regulatory compliance regarding cyber security security. As it currently stands, the Act demands relatively modest requirements. It is expected that these demands will grow and expand through additional supplementary regulations. Furthermore, changes are not limited to the UK, as the EU’s Cyber Resilience Act is currently being developed.
“If you look at the source of the three rules, there are a lot of other requirements that could be brought in,” says Heatley. “This Act alone will bring in more requirements, but there'll be general obligations under new product safety laws, which will impose consumer requirements too.”
With the importance of cyber security coming to the fore, the Product Security and Telecommunications Infrastructure Act is the government’s first step in legislating minimum security requirements for smart products and telecommunications infrastructure. Organizations need to remain aware of their responsibilities under the PSTI Act, as the requirements will expand over time.
