Blog: Internet Of Things

Advice for manufacturers on the coming PSTI regulation

Jo Dalton 23 Feb 2024

TL;DR

  • PSTI: The UK Product Security and Telecommunications Infrastructure (Product Security) Act
  • Regulations effective from 29 April 2024
  • Assess how, where, why, and when you may be affected
  • Review supply chain and in-house teams for compliance readiness
  • Specific obligations for manufacturers, importers, and distributors
  • Use the PSTI Act and its regulations as your compliance blueprint
  • Implement robust due diligence in system acquisitions
  • Prepare for potential cybersecurity incidents with rigorous testing and validation
  • Don’t overlook the importance of comprehensive training

Regulatory evolution

From 29 April 2024 the UK’s PSTI Act 2022, along with the Security Requirements for Relevant Connectable Products Regulations 2023, will start shaping how consumer connectable products are secured.

The PSTI bill became an Act of Parliament after achieving Royal Assent in December 2022. Its detailed regulations were established in September 2023 and aim to improve the security standards of smart products. This is a pivotal moment for manufacturers, importers, and distributors, imposing new compliance measures to safeguard against cyber threats.

Implications for manufacturers and vendors

This regulatory overhaul extends its reach to the core economic actors in the product lifecycle: manufacturers, importers, and distributors of smart products. The Act delineates their responsibilities, emphasising the critical role of authorised representatives in ensuring compliance for overseas manufacturers.

Obligations

  • Manufacturers must meet specified security requirements, including the production of a compliance statement that travels with the product.
  • Importers and Distributors share the onus to ensure products are not released into the market without that compliance statement.
  • Authorised Representatives are tasked with upholding the manufacturers’ commitments, underpinning the Act’s intent to maintain stringent security standards across the board.

What are ‘relevant connectable products’?

The Act clarifies which products fall under this new regulatory regime, categorising them based on their connectivity capabilities while excluding certain products. Entities must navigate these definitions to ascertain their compliance obligations.

Security requirements unpacked

The regulations lay down explicit security mandates, from unique product passwords to transparent reporting mechanisms for security issues, alongside clear directives on security update commitments. These requirements are the backbone of the regulatory framework, ensuring products are fortified against cyber vulnerabilities.

Four key principles

The UK’s PSTI Act and its 2023 Regulations introduce comprehensive security requirements for connectable consumer products, centred on four key principles designed to significantly raise the cybersecurity bar. These principles are crafted not only to protect consumers but also to ensure that manufacturers, importers, and distributors embed cybersecurity into the DNA of their products. Here’s a detailed exploration of each principle:

Passwords …must be unique per product, or capable of being defined by the user of the product

This principle mandates that products must not come with any universal default passwords, nor should they possess easily guessable or resettable credentials. Each product must either have a unique password or allow the user to set a secure password upon initial setup. This measure directly addresses the common security vulnerability where attackers exploit default or weak passwords to gain unauthorised access.

Additionally, any unique passwords generated for products must avoid simplicity, such as incremental counters or information easily linked to the device, unless encrypted or hashed using industry-recognised secure methods.
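As an added illustration that is not part of the original post, the Python below sketches what a manufacturer's own pre-release check for this principle might look like: it flags factory-default schemes that are shared across devices, incremental, or derived from the serial number, and shows two ways of issuing a per-device password that avoid those patterns. The sample fleets, the factory key and the HMAC-based derivation are constructed assumptions for the example, not requirements taken from the Act.

```python
import hashlib
import hmac
import re
import secrets
import string

# Constructed sample fleets of (serial_number, factory_default_password);
# none of these are real product data.
FLEET_SHARED = [("UKX001", "admin"), ("UKX002", "admin"), ("UKX003", "admin")]
FLEET_COUNTER = [("UKX001", "iot-1001"), ("UKX002", "iot-1002"), ("UKX003", "iot-1003")]
FLEET_SERIAL = [("CAM7F3A", "cam-7F3A"), ("CAM7F3B", "cam-7F3B")]
FLEET_OK = [("UKX001", "q8TzL2mPv4Kd"), ("UKX002", "Wn7sRb9XeH3c"), ("UKX003", "aG5kYp1ZtQ8u")]


def assess_fleet_defaults(fleet):
    """Return findings for default-password schemes that fail the uniqueness principle."""
    findings = []
    passwords = [pw for _, pw in fleet]
    # A universal default: the same password on more than one unit.
    if len(set(passwords)) < len(passwords):
        findings.append("universal default password shared across devices")
    # Password visibly linked to device information (here, the serial or its tail).
    for serial, pw in fleet:
        if serial.lower() in pw.lower() or serial[-4:].lower() in pw.lower():
            findings.append(f"{serial}: password derived from the serial number")
    # Incremental counter: trailing numbers that step by one across the batch.
    tails = [re.search(r"(\d{2,})$", pw) for pw in passwords]
    if len(tails) >= 3 and all(tails):
        nums = [int(m.group(1)) for m in tails]
        if all(b - a == 1 for a, b in zip(nums, nums[1:])):
            findings.append("passwords follow an incremental counter")
    return findings


def generate_device_password(length=16):
    """Per-device password drawn from a CSPRNG at manufacture (e.g. printed on the label)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def derive_device_password(factory_key: bytes, serial: str, length=16):
    """Assumed alternative when the password must be reproducible from the serial:
    a keyed hash (HMAC-SHA256) so the serial alone does not reveal the password."""
    digest = hmac.new(factory_key, serial.encode(), hashlib.sha256).hexdigest()
    return digest[:length]


if __name__ == "__main__":
    for name, fleet in [("shared", FLEET_SHARED), ("counter", FLEET_COUNTER),
                        ("serial", FLEET_SERIAL), ("ok", FLEET_OK)]:
        print(name, assess_fleet_defaults(fleet) or "no findings")
```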

Defined length of product support

Manufacturers are required to clearly communicate the minimum period during which security updates and support will be provided for their products. This includes publishing an end date for support, ensuring consumers are informed about the lifespan of the product’s security maintenance.

This transparency allows users to make informed decisions regarding the products they choose to purchase and use, understanding the duration of security support and the implications for the product’s lifecycle.

Vulnerability disclosure policy

The regulations stipulate that manufacturers must establish a clear and accessible policy for reporting security vulnerabilities. This includes providing detailed information on how consumers or researchers can report potential security issues, along with the expected timelines for acknowledgment and updates on the issue’s resolution. Such policies are crucial for a collaborative security posture, encouraging responsible vulnerability disclosure and ensuring that manufacturers can promptly address and mitigate risks.

Mandated compliance statement

A critical component of the new regime is the requirement for a compliance statement to accompany every connectable product. This statement must detail adherence to the specified security requirements, including the measures taken to comply with the principles outlined above. Importers and distributors are also held accountable, with a duty to ensure that no product is made available on the market without this essential compliance statement.

Furthermore, both manufacturers and importers are obliged to retain a copy of the compliance statement, reinforcing the importance of documentation and accountability in the product supply chain.

These principles represent a strategic framework aimed at enhancing the security of connectable products within the UK. By adhering to these guidelines, stakeholders across the product supply chain can contribute to a safer digital environment for consumers, mitigating the risks associated with cyber threats and vulnerabilities.

What does non-compliance look like?

The enforcement of the UK’s Product Security and Telecommunications Infrastructure (PSTI) Act 2022 and the 2023 Regulations marks a pivotal shift towards stricter oversight of connectable consumer product security. Central to this regime is the role of the Office for Product Safety and Standards (OPSS), which, under an MoU with the Department for Science, Innovation, and Technology (DSIT), is vested with the authority to enforce these new standards starting from 29 April 2024.

The OPSS is not just tasked with ensuring adherence to the regulations but also with imposing penalties on entities that fail to comply. These penalties are not nominal; they are designed to incentivise compliance and reflect the seriousness with which the UK government views the security of connectable products.

Fines

In the event of a breach of the PSTI Act or its accompanying regulations, the penalties can be substantial:

  • Fixed Penalty: An initial penalty notice may require the payment of a specified amount by the non-compliant entity. This fixed penalty serves as an immediate financial repercussion for failing to adhere to the security requirements outlined in the legislation.
  • Daily Penalty: Beyond the fixed penalty, an entity that continues to breach the regulations after the specified payment period for the fixed penalty may incur a further daily penalty. This additional penalty can amount to up to £20,000 for each day the breach continues, underscoring the importance of swift compliance.
  • Maximum Penalties: The legislation sets a significant ceiling for the maximum penalties that can be imposed for breaches. The relevant maximum penalty for an entity, as per section 36 of the Act, is the greater of £10 million or 4% of the entity’s qualifying worldwide revenue for its most recent complete accounting period. This scaling of penalties based on an entity’s revenue ensures that the fines are proportionate to the size and financial capacity of the business, while still representing a substantial deterrent against non-compliance.

These penalties highlight the financial risks of failing to comply with the UK’s product security regulations. They serve as a stark reminder of the importance of embedding robust security measures into connectable products and maintaining a proactive compliance posture.

Don’t get fined

To avoid these penalties, businesses involved in the manufacturing, importing, or distributing of connectable consumer products must take diligent steps to understand and implement the required security measures. Regulatory compliance in cybersecurity is not a checkbox exercise. It demands a proactive, nuanced approach to meet unique operational needs. This includes ensuring that products meet the stipulated security requirements, establishing clear vulnerability disclosure policies, and maintaining comprehensive records of compliance efforts. The PSTI Act and its regulations offer a structured path to securing connectable products, urging businesses to:

  • Engage in critical evaluation of their security practices.
  • Embrace ‘Secure by Design’ principles, learning from sectors like Critical National Infrastructure.
  • Conduct thorough assessments, including PoC testing with vendors, to ensure robust security measures are in place.
  • Prepare for the inevitability of cyber incidents through diligent planning and response strategies.
  • Prioritise training to cultivate a cybersecurity-aware culture.

The OPSS will leverage its existing processes and relationships to enforce the regulations in a robust and risk-based manner, taking appropriate and proportionate action against non-compliant entities. Businesses are encouraged to visit the OPSS website for information on enforcement activities and guidance on compliance best practices.

Challenges for vendors now

If a vendor has a product that doesn’t or can’t comply, should they stop selling it now? This is an important question, as it will take time for existing stock to run down through the supply chain, which means that returns from retailers could be significant.

Conclusion

The PSTI Act and regulations are a significant step forward in protecting consumers and end users from cyber harm. Anything that enhances product security in the UK is a good thing.

It’s not all about consumer protection though. The benefits to manufacturers and vendors can’t be overstated. By adopting a strategic and informed approach to compliance, businesses will not only be compliant, but will also be better equipped to deal with the ever-evolving cyber threat landscape that connected products present.

You can read the Act here.