Countdown to the Product Security & Telecommunications Infrastructure (PSTI) Bill
The cyber risk landscape is rapidly changing as more devices become connected through the Internet of Things. In 2023, there were over 16 billion connected devices worldwide, with the figure expected to grow exponentially every year. This trend emphasizes the significance of the PSTI Bill and IoT security measures.
As this trend continues, governments worldwide are reinforcing their commitment to protect end users' privacy and safety by introducing a raft of cybersecurity frameworks and measures.
One such initiative is the UK's Product Security and Telecommunications Infrastructure (PSTI) Bill.
The Bill was first introduced to Parliament in 2021, with the UK Department for Science, Innovation and Technology announcing it will come into force on April 29, 2024.
But what is the PSTI Bill and how does it change IoT security? Who will it apply to and how will it potentially affect your business?
We provide answers to these questions and more.
The Bill consists of two major parts:
For this article, we’ll exclusively focus on Part 1 – Product Security Measures.
Briefly speaking, Part 1 of the Bill sets out a series of clauses over four chapters.
While the PSTI Bill may come as a surprise to some, it is in line with current and upcoming IoT cybersecurity frameworks in the global legislative pipeline.
Some of these include the EU’s Cyber Resilience Act, NIS2 in the United States, the Cybersecurity Act in Singapore, and the Canadian Digital Charter Implementation Act, amongst others.
Recent research by the UK government has found that only 1 in 5 manufacturers embed basic security requirements in connectable products, meaning that almost 80 percent of all connected consumer products (i.e., smart watches, phones, TVs, fridges, and more) are left exposed to malicious attacks by shipping with default passwords, including examples such as the following:
Before the introduction of the PSTI Bill, ordinary users were unreasonably expected to shoulder the burden of IoT security, and there was no onus on service providers to prevent privacy and personal data breaches.
However, with mass IoT deployments ramping up and becoming the norm, this Bill could not have come at a better time.
The three security foundations of PSTI are as follows:
These clauses cover both "internet-connectable products" and "network-connectable products" which can send and receive data without being connected to the internet.
Even when the first draft of GDPR was published in 2012, IoT product security discussions were already underway in the UK.
These discussions resulted in both the EU and UK publishing a Code of Practice ("Code") in 2018. This Code outlined 13 provisions for manufacturers to ensure greater cybersecurity of connected products.
Consequently, this Code also influenced standards produced by the European Telecommunications Standards Institute (ETSI): ETSI EN 303 645 Cybersecurity Standard for Consumer IoT Devices.
When published in 2021, ETSI EN 303 645 was the first global cybersecurity standard for consumer IoT products. It presents a series of 68 mandatory and recommended provisions to establish a good global security baseline for all consumer-related IoT cybersecurity.
As mentioned earlier, according to Clause 7 of Part 1 of the PSTI Bill, three entities face compliance obligations.
These include manufacturers, importers, and distributors of relevant connectable products.
Clauses 8 – 24 of the Bill set out key duties for these entities including:
Generally, importers and distributors carry the same responsibilities as manufacturers, with some additional duties. If it is discovered that a product contains vulnerabilities, these actors are also responsible for preventing it from being sold in the UK. In addition, importers and/or distributors must contact manufacturers based outside the UK if those manufacturers fail to comply with any of the clauses.
Noncompliance could result in a variety of penalties as determined by the Department for Science, Innovation and Technology. Each penalty will correspond to the degree of harm caused to the end user.
Principal enforcement actions consist of stop and recall notices and/or public announcements of compliance failures by the offending party. Further noncompliance may also result in significant financial penalties, including potential maximum fines of £10 million, or 4% of the business’ global revenue.
Keep ahead of regulatory changes by making IoT security and data privacy a priority.
These regulations call for tangible change in governance and decision-making within businesses that extends beyond the executive leadership team. Such change can be accomplished by taking a more proactive approach to your security practices, allowing you to anticipate challenges and minimize operational disruptions.
Organizations should also establish and enforce clear security policies and strategies to encourage the development of an organizational culture that values cybersecurity. As such, IT teams cannot stay isolated any longer and should continuously work together with management to enact necessary changes.
Rather than viewing the raft of legislation as a burden, you could also regard it as an opportunity to improve customer safety and prioritize network security.
Beyond the UK, the international regulatory landscape is continuously adapting to maintain effective legislation in the face of rapid technological advancement.
As cybersecurity and data privacy regulations become more robust, take the opportunity to instill a culture of security in your organization today.