IoT Regulation: Is the PSTI Act the Best Way to Ensure Compliance?

Does the IoT regulation take too heavy-handed an approach?

April 17, 2023

The IoT has proven to be the wild west of security, but will the new sheriff in town – the PSTI Act – put an end to all that? We look at whether it goes far enough or if there’s a better way, says David Adams, security consultant at Prism Infosec.

Regulation of the Internet of Things is seen by many as long overdue. Despite a wealth of best practice advice, such as the IoTSF Security Compliance Framework and the Secure by Design Code of Conduct published by the Department for Digital, Culture, Media, and Sport (DCMS), the industry was left to self-regulate. Consequently, we’ve endured years of smart devices susceptible to data theft and man-in-the-middle attacks, devices that could even be harnessed collectively to launch distributed denial of service (DDoS) attacks.

The Product Security and Telecommunications Infrastructure Act (PSTI), brought in on 6 December last year in the UK, is a regulation that aims to change all that. Part 1, which addresses product security, aims to make connectable products more secure against attacks and protect privacy, while Part 2 addresses telecommunications infrastructure to help ensure that new broadband and 5G networks can be rolled out smoothly.

A Broad Scope

The Act itself is far broader in scope than many expected. Applicable to manufacturers, their authorized representatives, importers, and distributors, it’s likely to ensnare online and bricks-and-mortar retailers, for instance. Requirements will include the need to comply with the security requirements, provide a statement of compliance, and investigate, act on, and record any compliance failures. Distributors and importers must also suspend supply in the event of non-compliance.

While the security requirements have yet to be issued, the broad expectation is that these will hold to the three rules proposed under the original Bill. This would see a ban on the use of default passwords or factory settings, a requirement for a vulnerability disclosure process to enable issues to be reported, and an open commitment at the point of sale over whether after-sales support (i.e., updates, etc.) will be provided and if so for how long.

Theoretically, manufacturers and the third parties listed above could be fined a maximum of £10 million or 4 percent of the company’s global turnover (plus £20k maximum daily fines) if they fail to meet these requirements. Moreover, company directors are also deemed accountable and can be held liable. A regulator has yet to be appointed but will also have the power to issue notices to comply within a given timeframe (after which the penalties will apply), stop notices, and recall notices. However, those affected still have some time to comply, with the grace period effectively giving them a year, i.e., until 6 December 2023.

Is this a Watered-down Approach?

The Act’s broad scope and the scale of its fines, which rival those of GDPR, mean it may seem onerous to some. But the reality is that the PSTI has significantly watered down the recommendations in the Code of Conduct, and it has only embraced three out of the 13 requirements contained in ETSI’s EN 303 645, the first globally-applicable industry standard for internet-connected consumer devices, which was brought in during 2020. It seems redundant, as many manufacturers have already implemented those three recommendations under the IASME IoT Security Assured Scheme.

The assurance scheme effectively provides a manufacturer with a label that can be displayed on the device to prove that a certain level of security has been met. It features two levels mapped to EN 303 645, the PSTI and the IoTSF Security Compliance Framework. The Baseline level covers the three security controls mandated by the PSTI, while the Cyber Assurance level mirrors UK law and the ETSI mandatory requirements and data protection provisions.

Manufacturers looking to use the kitemark must complete a self-assessment covering eight different areas about the company, the device or service, passwords and credentials, vulnerabilities and anomalies, software, secure configuration, communications, and data usage covering the 13 cyber security provisions for consumer IoT. A board member must attest that these are correct before submitting to the IASME portal, at which point an independently appointed assessor reviews the application. The Cyber Assurance level also includes an audit via third-party testing and independent certification.

Is Assurance the Answer?

Interestingly, the PSTI fought shy of mandating product assurance when this would have been the ideal way to help manufacturers comply. What’s more, the IASME assurance standard has gone far beyond the requirements we expect to see in the Bill, effectively futureproofing those businesses that opt for the Cyber Assurance level against any increase in the requirements. Encouragingly, it’s also received widespread uptake from large and small manufacturers who can meet the low price point of the assessment and value the assistance the auditor offers. And to date, all those that have applied have gone for the higher level.

It’s concerning, however, that the PSTI is conveying mixed messages. It’s light on the initial security requirements yet carries the threat of hefty fines. It has yet to stipulate the requirements or appoint a regulator officially. And it’s not clear how or if the PSTI will align with the EU’s Cyber Resilience Act (CRA). That last point poses a real dilemma for those seeking to achieve harmonization to supply products cost-effectively to both markets.

The PSTI doesn’t want to create obstacles that would dissuade manufacturers from marketing in the UK. So, what could happen is that we see PSTI extended to incorporate additional security measures from the ETSI standard in the future. This will see it effectively follow in the wake of CRA. While this will mean change will be gradual and plays to the crowd, it could also leave the UK playing catch-up while the EU trailblazes the standard for the truly secure smart home or office.

What we need to do today is provide manufacturers with the guidance they need and to help them get ahead of the curve without the threat of fines – and that’s why more needs to be done to publicize the IoT secured scheme. The IoT is a nascent industry, and yes, it has been slow to self-regulate, but for many vendors, cybersecurity is not their mainstay. The assurance scheme provides that missing part of the puzzle, guiding them through what they must do to comply, differentiate and win back customer confidence.

David Adams

Security Consultant, Prism Infosec

David Adams is GRC Consultant at Prism Infosec and has specific expertise in governance risk and compliance (GRC). He oversees cyber security incident exercise training and compliance with numerous industry standards. David has over 16 years’ experience in cyber security and is a CISSP, ISO 27001 Lead auditor, GDPR Practitioner, and an IASME Cyber Essentials assessor/IoT assessor.