The coming into force of the PSTI Act in the UK, scheduled for April 29, 2024, is poised to reshape the landscape of IoT device security. This pivotal moment demands a comprehensive understanding of the regulatory framework, necessitating a closer examination of the PSTI Act alongside the ETSI EN 303 645 standard, identifying the relationship between them.
The Full Scope of the PSTI Act for IoT Security
The PSTI Act, ratified on September 14, 2023, establishes a legal framework [1] mandating strict security measures for IoT products sold in the UK. This legislation encompasses a wide array of devices, from smartphones and smart home gadgets to Bluetooth-enabled peripherals. By setting legal obligations for manufacturers, importers, and distributors, the PSTI Act underscores the UK government's commitment to elevating IoT security baselines, thereby enhancing consumer trust and safety in an increasingly interconnected world.
ETSI EN 303 645: A Global Benchmark for IoT Security
Unlike the PSTI Act, which is an act of the UK Parliament, ETSI EN 303 645 is a standard. Over the years, however, it has emerged as a global benchmark for securing consumer IoT devices.
Despite being voluntary, this standard outlines best practices for enhancing device resilience against cybersecurity threats. Its flexibility and global recognition make it valuable for manufacturers looking to showcase their dedication to security, regardless of regulatory requirements.
Harmonizing Legal Requirements with Industry Standards
The convergence of the PSTI Act and ETSI EN 303 645 reveals a nuanced interplay between legal obligations and industry benchmarks. Notably, the concept of "Deemed Compliance" [2] under the PSTI Act aligns regulation and standard towards the same security goals. Compliance with specific provisions of ETSI EN 303 645 (namely 5.1-1, 5.1-2, 5.2-1 and 5.3-13) can satisfy the PSTI Act's security prerequisites, thereby streamlining compliance efforts for manufacturers and reinforcing the global relevance of ETSI standards in setting security benchmarks.
Technical Compliance and Security Measures
To achieve compliance with the PSTI Act, IoT products must adhere to the security requirements detailed in the regulation documentation [3]. These security requirements can be met in two possible ways: meeting the Act's three security requirements [Schedule 1: Security requirements for manufacturers] [4], or meeting the conditions for Deemed Compliance with the Security Requirements [Schedule 2: Conditions for Deemed Compliance with Security Requirements] [5]. The latter entails fulfilling four provisions outlined in ETSI EN 303 645.
Under the “Deemed Compliance” requirements, an IoT Product should comply with the following provisions of ETSI EN 303 645:
- Provision 5.1-1 and Provision 5.1-2 focus on password generation mechanisms, ensuring that passwords are unique per device or user-defined. Additionally, if pre-installed unique passwords are used, they must be generated with a mechanism that reduces the risk of automated attacks against a specific class or type of device.
- Provision 5.2-1 mandates that manufacturers make a vulnerability disclosure policy publicly available. This policy should include contact information for reporting issues and information on timelines for acknowledging receipt and providing status updates until issues are resolved.
- Provision 5.3-13 requires manufacturers to publish the defined support period in a clear and transparent manner accessible to users. Consumers expect clarity regarding the software update support period when purchasing a product.
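Provisions 5.1-1 and 5.1-2 can be checked at provisioning time. The following is an added example, not code from the original post or from any standard or regulator: it audits a constructed batch of device records for reused default passwords (5.1-1) and for passwords derivable from public identifiers such as a serial number or MAC address (5.1-2), and shows a per-device password generator that takes no device data as input. The 12-character minimum and the 6-character substring heuristic are this example's own assumptions, not thresholds from ETSI EN 303 645.

```python
import re
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
PASSWORD_LEN = 16

def generate_device_password(length: int = PASSWORD_LEN) -> str:
    """Per-device default password from a CSPRNG; no device identifier feeds in."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def _normalise(value: str) -> str:
    # Strip separators and case so "AA:BB:CC" and "aabbcc" compare alike.
    return re.sub(r"[^0-9a-z]", "", value.lower())

def password_derived_from_identifier(password: str, identifiers) -> bool:
    """True if any 6-character run of a public identifier appears in the password.
    (6 characters is an assumed heuristic for this example.)"""
    p = _normalise(password)
    for ident in identifiers:
        n = _normalise(ident)
        for i in range(0, len(n) - 5):
            if n[i:i + 6] in p:
                return True
    return False

def audit_batch(devices) -> list:
    """devices: iterable of dicts with keys serial, mac, password.
    Returns (serial, finding) tuples; an empty list means no issues found."""
    findings = []
    seen = {}  # password -> first serial that used it
    for d in devices:
        pw = d["password"]
        if pw in seen:
            findings.append((d["serial"], f"password reused from {seen[pw]} (5.1-1)"))
        seen.setdefault(pw, d["serial"])
        if len(pw) < 12:  # assumed minimum length for this example
            findings.append((d["serial"], "password shorter than 12 characters"))
        if password_derived_from_identifier(pw, (d["serial"], d["mac"])):
            findings.append((d["serial"], "password derived from public identifier (5.1-2)"))
    return findings

# Constructed sample batch: one serial-derived password, one shared weak
# password on two devices, and one randomly generated password.
SAMPLE_BATCH = [
    {"serial": "SN00012345", "mac": "AA:BB:CC:00:12:34", "password": "cam-00012345"},
    {"serial": "SN00012346", "mac": "AA:BB:CC:00:12:35", "password": "admin1234"},
    {"serial": "SN00012347", "mac": "AA:BB:CC:00:12:36", "password": "admin1234"},
    {"serial": "SN00012348", "mac": "AA:BB:CC:00:12:37", "password": "q7Rt2mZp9KxL4vHa"},
]

if __name__ == "__main__":
    for serial, finding in audit_batch(SAMPLE_BATCH):
        print(f"{serial}: {finding}")
```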
These measures are crucial steps in enhancing IoT security, aligning with both legal obligations and industry standards. By implementing these technical compliance measures, manufacturers can demonstrate their commitment to cybersecurity and meet the PSTI requirements.
Navigating the Future of IoT Security
The simultaneous implementation of the PSTI and adherence to ETSI standards heralds a new era of IoT security. By aligning with this regulation and standard, manufacturers will not only meet legal obligations but also bolster consumer confidence in the safety and integrity of IoT devices.
For stakeholders seeking to navigate these regulatory waters, the opportunity to engage with experts and explore compliance solutions is invaluable. Booking a demo or consultation can provide tailored insights and strategies to meet these evolving standards, ensuring that IoT products not only comply with current regulations but are also poised to adapt to future cybersecurity challenges.
Footnotes
[1] The PSTI Act was ratified by the UK Parliament on September 14, 2023, becoming law.
[2] "Deemed compliance" refers to meeting regulatory requirements by default or assumption without the need for explicit verification or action.
[3] Legislation.gov.uk. "The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023." Accessed April 26, 2024. https://www.legislation.gov.uk/uksi/2023/1007/contents/made
[4] Legislation.gov.uk. "Schedule 1: Security requirements for manufacturers." Accessed April 26, 2024. https://www.legislation.gov.uk/uksi/2023/1007/schedule/1/made
[5] Legislation.gov.uk. "Schedule 2: Conditions for Deemed Compliance with Security Requirements." Accessed April 26, 2024. https://www.legislation.gov.uk/uksi/2023/1007/schedule/2/made
References
- legislation.gov.uk (2023). The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023. www.legislation.gov.uk/uksi/2023/1007/contents/made
- ETSI (2020). ETSI EN 303 645: Cyber Security for Consumer Internet of Things: Baseline Requirements. www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf