The PSTI Act for Consumer IOT Explained

From: techUK
Published: Tue Apr 30 2024


The PSTI Act received Royal Assent in December 2022.

The Product Security and Telecommunications Infrastructure Act comprises two pieces of legislation:

  • Part 1 of the Product Security and Telecommunications Infrastructure (PSTI) Act 2022; and
  • The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023.

The PSTI Act received Royal Assent in December 2022.

This document aims to outline the requirements for Consumer IOT devices in the UK relating to Part 2 of the Act. The government published a full draft of the PSTI (Security Requirements for Relevant Connectable Products) Regulations in April 2023 and these regulations were signed into law on 14 September 2023.The UK's consumer connectable product security regime will come into effect on 29 April 2024.

From that date, the law will require manufacturers of UK consumer connectable products to comply with three minimum security requirements.

Context

Over the last 5 years UK Government (DCMS and then DSIT) have been working in partnership with industry to strengthen the resilience of connectable consumer devices on the UK market. This began with the development of the the UK's Code of Practice for Consumer IoT security, with the UK then leading development of the global standard for consumer IoT security ETSI EN 303 645. The PSTI Act - Part 2 is the next step in that work, legislating to mandate key security requirements across all consumer IOT devices. The regime will also ensure other businesses in the supply chains of these products play their role in preventing insecure consumer products from being sold to UK consumers and businesses.

What are the Security Requirements?

Ban default passwords. Products that come with default passwords are an easy target for cyber criminals.

Require products to have a vulnerability disclosure policy. Security researchers regularly identify security flaws in products, but need a way to give notice to manufacturers of the risk they have identified, so that they can enable the manufacturer to act before criminals can take advantage. The Bill will provide measures to help ensure any vulnerabilities in a product are identified and flagged.

Require transparency about the length of time for which the product will receive important security updates. Consumers should know if their product will be supported with security updates, and if so, what the minimum length of time is that they can expect that support to continue.

What products are in scope?

The PSTI Act applies to “relevant connectable products”. This is defined as

  1. products which are internet connectable, and are not an excepted product.
  2. Products which are network connectable, and are not an excepted product.

Defined as:

Internet-connectable products

A product that can connect to the internet. This means using a communication protocol to send and receive data over the internet.

Network-connectable products

A product that is:

  • capable of both sending and receiving data by means of a transmission involving electrical or electromagnetic energy,
  • is not an internet-connectable product, and
  • meets the first connectability condition or the second connectability conditions below:

First connectability condition - A product that can connect directly to an internet-connectable product by means of an internet communication protocol.

Second connectability condition - A product meets the second connectability condition if it is capable of:

  • connecting directly to two or more products at the same time by means of a communication protocol that does not form part of the Internet Protocol suite (ignoring wired connections), and
  • connecting directly to an internet-connectable product by a communication protocol that does not form part of the Internet Protocol suite (whether this is at the same time as it connects to any other product or not).

The only exceptions defined in the regulations are as follows:

  1. Charging points for electric vehicles to which the Electric Vehicles (Smart Charge Points) Regulations 2021 apply;
  2. Medical devices to which the Medical Devices Regulations 2002 apply;
  3. Smart meters installed under the Gas Act 1986 or Electricity Act 1989;
  4. Conventional IT exception: desktop or laptop computers (DSIT judged that Feedback received in that call for views (2021) suggested that the unique characteristics of PC and laptop supply chains necessitated further consideration.
  5. Tablet computers which do not have cellular network connectivity;

Some products for supply in Northern Ireland under free movement rules are also treated differently.

More detail on the Security Requirements

Security Requirement 1

This requirement applies only to products when not in the factory default state.

  1. Passwords must be:
    1. Unique per product; or
    2. Definable by the user of the product.
  2. Passwors which are unique to the product must not be:
    1. Based on incremental counters
    2. Based on or derived from publicly available information
    3. Based on or derived from unique product identifiers, such as serial numbers, subject to sub-paragraph 3; or
    4. Otherwise easily guessable.

(3) Sub-paragraph (2)(c) does not include passwords which are based on or derived from unique product identifiers, such as serial numbers, that are encrypted using an asymmetric key.

Definitions

Factory default state - the state of the product after factory reset or after final production or assembly

Asymmetric key - an encryption method that uses different cryptographic keys to encrypt and de-encrypt data

Passwords do not include:

  • Cryptographic keys - a string of data used to lock or unlock a cryptographic function (for instance, a string of characters
  • applied to information to encrypt it into, or de-encrypt it from another more secure format);
  • Personal identification numbers used for pairing in communication protocols which do not form part of the internet protocol suite; or
  • Application Programme Interface Keys - a string of characters used to identify and authenticate a particular user, product or application so that it can access the application programme interface

Security Requirement 2

The following information must be published:

  1. A minimum of one point of contact to allow a person (“P”) to report to the manufacturer security issues [relating to the scope as set out in the table on slide 10 for security requirement 2] for any of the manufacturer's relevant connectable products for which they have an obligation under section 8 of the 2022 Act (duty to comply with security requirements); and
  2. By when P can expect
    1. An acknowledgement of the receipt of a security issues report; and
    2. Status updates until the resolution of the reported security issues.

The information in sub-paragraph (1) must be accessible, clear and transparent, including making the information- (a) available without prior request for such information; (b) available in English; (c) available free of charge; and (d) available without any prior request for personal information.

Security Requirement 3

  1. Information on the defined support period must be published.
  2. The information in sub-paragraph (1) must be accessible, clear and transparent, including making the information:
    1. Available without prior request for such information;
    2. Available in English;
    3. Available free of charge;
    4. Available without any prior request for personal information; and
    5. Understandable by a reader without prior technical knowledge.

Indicative definitions

  • Defined support period - the minimum length of time, expressed either as a period of time or an end-date, for which security updates will be provided
  • Security update - a software update that addresses security issues which have been discovered by or reported to the manufacturer

Roles of different organisations

1. Manufacturer

A person/organisation who manufactures a product and markets it under their name or trademark; or a person/organisation who markets a product under their name or trademark that was manufactured by another.

2. Manufacturer's authorised representative

A person/organisation authorised by a non-UK established manufacturer to perform set duties in relation to compliance.

3. Importer

A person/organisation who imports a product into the UK and is not a manufacturer.

4. Distributor

A person/organisation who makes the product available in the UK but is not a manufacturer or importer.

Useful Documents

Product Security and Telecommunications Infrastructure Act 2022 (legislation.gov.uk)

PSTI Regulations 2023

New wider OPSS enforcement policy guidance

Regulators' code

ETSI EN 303 645 (SR1: 5.1-1, 5.1-2, SR2: 5.2-1, SR3: 5.3-12)

ETSI Technical Specification 103 645, ETSI Implementation Guide 103 621, ETSI Assessment Specification 103 701

Company: techUK

Visit website »