Each year, the number of software-defined devices we rely on to keep our society functioning seems to grow exponentially. Infrastructure, transportation, and even the food we produce rely on internet-connected machinery, which, by default, is at risk of a cyber-attack.
The UK’s Product Security and Telecommunications Infrastructure (PSTI) legislation and the European Union’s Radio Equipment Directive (RED) are two significant regulatory frameworks for connected-product security. This article covers the PSTI: what it is, which products it applies to and which are exempt, its key requirements and implementation steps, what a statement of compliance must contain, and how product security practitioners can maintain compliance alongside RED.
What is PSTI?
Product Security and Telecommunications Infrastructure (PSTI) legislation is a UK regulatory framework to enhance the security of consumer internet-connected devices. The PSTI sets out minimum security standards that manufacturers must adhere to, ensuring that devices are protected against cyber threats and vulnerabilities.
“Manufacturers will be legally required to protect consumers from hackers and cyber criminals from accessing devices with internet or network connectivity – from smartphones to games consoles and connected fridges – as the UK becomes the first country in the world to introduce these laws,” said the official UK announcement from April 2024 on the implementation of PSTI. It continues, “The laws are coming into force as part of the Product Security and Telecommunications Infrastructure (PSTI) regime, which has been designed to improve the UK’s resilience from cyber-attacks and ensure malign interference does not impact the wider UK and global economy.”
Who Does PSTI Apply To?
During the first stage of PSTI’s rollout, manufacturers, importers, and distributors of consumer connectable products in the UK are responsible for working with suppliers to ensure best security practices that meet the new minimums.
The scope is consumer connectable products: internet- or network-connected devices sold to consumers, such as smartphones, games consoles, connected fridges and other smart home appliances, rather than industrial machinery or infrastructure equipment. The legislation mandates that these entities ensure their products meet the security requirements before being made available in the UK.
PSTI exempt products
Certain products are excepted from the PSTI regulations under Regulation 6 and Schedule 3. These include:
- Products for Northern Ireland– Products subject to relevant legislation listed in Annex 2 to the Windsor Framework and made available for supply in Northern Ireland.
- Charge Points for Electric Vehicles– Charge points are regulated separately under the Electric Vehicles (Smart Charge Points) Regulations 2021.
- Medical Devices– Products regulated under the Medical Devices Regulations 2002, except those with software that makes them connectable.
- Smart Meter Products– Products supplied or installed by licence holders under the Gas Act 1986 or the Electricity Act 1989, which have been assured under an assurance scheme.
- Computers– Desktop computers, laptops, and tablet computers without cellular connectivity, unless designed exclusively for children under 14.
Stages of PSTI
The PSTI framework involves several key stages:
- Implementation– Manufacturers must build the required security properties into their products, starting with a ban on universal default passwords: each unit must ship with a password that is unique to that unit, or require the user to set one.
- Compliance– Manufacturers must publish clear information about the minimum period for which security updates will be provided for each product.
- Vulnerability Reporting– A mechanism for reporting and addressing security vulnerabilities must be established.
- Regulatory Review– Periodic reviews by the Secretary of State to ensure ongoing compliance and effectiveness of the regulations.
Understanding the challenge of weak default passwords, the UK points out, “the new measures will also introduce a series of improved security protections to tackle the threat of cyber-crime: Common or easily guessable passwords like ‘admin’ or ‘12345’ will be banned to prevent vulnerabilities and hacking”.
For ongoing security throughout the full product lifecycle, “manufacturers will have to publish contact details so bugs and issues can be reported and dealt with.”
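To make the password requirement concrete, here is an added example (my own illustration, not code from the PSTI text, the UK announcement, or any product vendor) of a factory provisioning routine that issues a per-unit default from the OS CSPRNG, stores only a salted hash on the device, and gates every candidate against the patterns a universal-default ban is meant to rule out: a value on a common-password blocklist, a value reused across units, one derived from a public identifier such as the serial number or MAC address, or one that simply increments a production counter. The blocklist, serial numbers and MAC addresses are constructed sample data, and all function names are mine.

```python
import hashlib
import re
import secrets
import string

# Constructed sample of the universal defaults the regime bans ("admin", "12345", ...).
# A real factory gate would load a much larger breached-password corpus.
BLOCKLIST = {"admin", "password", "12345", "123456", "root", "default", "user", "guest"}

_ALPHABET = string.ascii_letters + string.digits
_TRAILING_DIGITS = re.compile(r"^(.*?)(\d+)$")


def generate_device_password(groups: int = 4, group_len: int = 4) -> str:
    """Per-unit default drawn from the OS CSPRNG, formatted like 'k3Qz-9Pf2-Xm7a-B1vL'.

    Nothing public about the unit (serial, MAC, batch) feeds into it, so the value
    printed on one unit's label tells an attacker nothing about any other unit.
    """
    return "-".join(
        "".join(secrets.choice(_ALPHABET) for _ in range(group_len)) for _ in range(groups)
    )


def weak_password_from_mac(mac: str) -> str:
    """Anti-pattern: last 8 hex digits of the MAC, which is on the box label and broadcast on the LAN."""
    return mac.replace(":", "").upper()[-8:]


def weak_password_from_counter(unit_number: int) -> str:
    """Anti-pattern: fixed prefix plus an incrementing production counter."""
    return f"device{unit_number:06d}"


def _is_counter_step(previous: str, candidate: str) -> bool:
    """True if candidate is `previous` with its trailing number incremented by one."""
    prev, cand = _TRAILING_DIGITS.match(previous), _TRAILING_DIGITS.match(candidate)
    if not prev or not cand or prev.group(1) != cand.group(1):
        return False
    return int(cand.group(2)) - int(prev.group(2)) == 1


def check_default_password(password: str, serial: str, mac: str, already_issued: list) -> list:
    """Factory-line gate. Returns the reasons a proposed default fails; an empty list means accept."""
    reasons = []
    if password.lower() in BLOCKLIST:
        reasons.append("universal/common default (blocklisted)")
    if len(password) < 12:
        reasons.append("too short to resist online guessing")
    if password in already_issued:
        reasons.append("not unique: same value already issued to another unit")
    for ident in (serial, mac.replace(":", "")):
        if ident and (ident.lower() in password.lower() or password.lower() in ident.lower()):
            reasons.append("derived from a public identifier (serial/MAC)")
            break
    if any(_is_counter_step(p, password) for p in already_issued):
        reasons.append("follows an incremental counter")
    return reasons


def hash_for_storage(password: str) -> dict:
    """What the device stores instead of the cleartext: scrypt with a per-device random salt."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_password(candidate: str, record: dict) -> bool:
    """Constant-time comparison against the stored scrypt hash."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.scrypt(candidate.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return secrets.compare_digest(digest.hex(), record["hash"])


def provision_unit(serial: str, mac: str, already_issued: list):
    """Issue a compliant per-unit default and the hash record the firmware image should carry."""
    for _ in range(5):  # a CSPRNG value practically never fails the gate, but never ship without it
        password = generate_device_password()
        if not check_default_password(password, serial, mac, already_issued):
            already_issued.append(password)
            return password, hash_for_storage(password)
    raise RuntimeError("could not issue a compliant default password")


if __name__ == "__main__":
    issued = []  # constructed stand-in for the factory's register of issued defaults
    for serial, mac in (("SN-2024-000123", "00:1A:2B:3C:4D:5E"), ("SN-2024-000124", "00:1A:2B:3C:4D:5F")):
        pw, record = provision_unit(serial, mac, issued)
        print(serial, pw, "stored hash:", record["hash"][:16] + "...")
    print("admin ->", check_default_password("admin", "SN-1", "00:00:00:00:00:01", issued))
    print("from MAC ->", check_default_password(weak_password_from_mac("00:1A:2B:3C:4D:5E"),
                                                "SN-1", "00:1A:2B:3C:4D:5E", issued))
```

The gate is deliberately a list of reasons rather than a boolean so the production line can log why a scheme was rejected; in practice the "derived from a public identifier" and "incremental counter" checks are the ones that catch the schemes legacy firmware most often relied on.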
Implementation of PSTI
The implementation of PSTI involves several critical steps for manufacturers:
- Design and Development– Integrating security features into the design and development process of products.
- Security Updates– Ensuring that security updates are provided for a defined support period and communicated to consumers.
- Transparency– Providing straightforward and accessible information about security measures and how consumers can report vulnerabilities.
- Regulatory Compliance– Adhering to the specific requirements set out in the PSTI, including maintaining records and compliance statements.
What’s expected in PSTI’s statement of compliance
To comply with the PSTI regulations, manufacturers must prepare a statement of compliance that includes the following information:
- Product Information– The type and batch of the product.
- Manufacturer Details– The name and address of each manufacturer of the product and, if applicable, their authorized representatives.
- Compliance Declaration– A statement from the manufacturer declaring that they have prepared the compliance document and that the product meets the necessary security requirements.
- Security Compliance– Confirmation that the product complies with either:
  - The security requirements listed in Schedule 1, or
  - The deemed compliance conditions in Schedule 2.
- Support Period– Information about how long the manufacturer will provide security updates for the product.
- Signatory Details– The signature, name, and role of the person who signed the compliance statement, along with the date and place of issue.
This statement of compliance ensures transparency and accountability, making it easier for regulators and consumers to understand the security measures in place for each product.
Leveraging a Unified Product Security Platform
For product security practitioners, maintaining compliance with PSTI and ensuring device security can be streamlined by using a unified product security platform. Such a platform can provide comprehensive tools for:
- SBOM (Software Bill of Materials) & Asset Management– Keeping track of all software components in use, ensuring they are up-to-date and secure.
- Assurance & Vulnerability Management– Identifying, assessing, and mitigating vulnerabilities in real-time.
- Compliance & Evidence Management– Ensuring all regulatory requirements are met and maintained with automated tracking and reporting features.
By integrating these functions into a single platform, practitioners can efficiently manage the security and compliance of their devices, reducing the risk of cyber threats and ensuring adherence to both PSTI and RED regulations.
Complying at scale with fewer resources
The UK’s PSTI represents significant strides in enhancing the security of consumer products. One of its highlights is the ban on universal default passwords: consumer connectable products may no longer ship with easily guessable defaults like ‘admin’ or ‘12345’, and each unit must have a unique password or require the user to set one. This requirement aims to remove one of the most commonly exploited weaknesses in consumer devices.
PSTI’s goal is to improve product security and protect consumers from cyber threats. It requires manufacturers to implement security measures and to provide clear information on security update periods and vulnerability reporting mechanisms.
Maturing product security practices and bringing them into a single platform, such as the Product Security Platform, can revolutionize how teams approach compliance across various regions. By centralizing functions such as SBOM management, vulnerability management, and compliance management, organizations can streamline their processes, ensuring that products meet regulatory standards efficiently and effectively.
This approach not only reduces the resources required for compliance but also enhances the overall security posture of the organization. With a unified platform, teams can respond quickly to emerging threats, maintain up-to-date security measures, and provide transparent information to consumers, thereby building trust and fostering a safer digital environment.