
Get ready for new cyber security legislation on connected devices

22 April 2024 | Cade Wells, Business Development Director, CENSIS

Cade Wells, Business Development Director at CENSIS and our head of cyber security activities, discusses the new Product Security and Telecommunications Infrastructure (PSTI) Act, which comes into effect next week.

This article was first covered in Digit on 22 April 2024.

At the tail-end of last year, while many of us were celebrating the festive season and exchanging gifts like smart speakers and fitness watches, the UK Government passed a new law that will significantly impact the security requirements of these ‘smart’ devices.

Both the UK and EU have long recognised the exploitable vulnerabilities of IoT devices aimed at consumers – ranging from doorbells and home security systems to toys and baby monitors.

Countless examples can be found of seemingly ‘smart’ devices laid open to attack after being configured with default passwords such as ‘admin’ or ‘12345’. Many will be familiar with stories such as ‘My Friend Cayla’, the children’s doll banned by several countries and later withdrawn completely after it was shown how easy it was to hack.

Figures from a report by the Internet of Things Security Foundation show that four in five manufacturers do not include any security guidelines within the manual of their internet-connectable products.

Aiming to address issues like these, the Product Security and Telecommunications Infrastructure Act is set to come into full force on 29th April, affecting manufacturers, importers, and distributors of most IoT consumer products that are being sold in the UK.

From speaking to various companies, including as part of our IoT Secure service, it is clear there is a real lack of awareness around the new legislation – and this could result in products inadvertently being brought to market illegally.

From 29 April 2024 onward, all applicable devices will be legally required to adhere to the following set of standards:

  1. Default or easy-to-guess passwords are banned.
  2. Manufacturers must publish the minimum time period for which a device will receive security updates. If this period is extended, the new time must be communicated immediately.
  3. Products must have a ‘vulnerability disclosure policy’ which includes a point-of-contact for reporting security issues.

The overall goal of the legislation is to ensure that consumer connectable devices are more secure and resilient against cyber-attacks. It will also work to create an enforcement regime that prevents cyber-insecure products from being sold in the UK.

Products already covered by existing legislation will be exempt, such as medical devices, smart meters, charge points for electric vehicles, and computer products like desktops, laptops, and tablets.

Before the regulations take effect later this month, it is essential for product designers and manufacturers to take action to ensure they are fully compliant – and the same rules apply to products’ associated services, including applications and cloud service providers.

Additionally, companies will have to provide consumers with a declaration of compliance, either in the form of a paper certificate or digital equivalent, to demonstrate conformity. This includes businesses operating in Europe that intend to import or distribute their products to the UK.

Failure to abide by the regulations could lead to civil and criminal charges and, in the most serious instances, a penalty of £10 million or 4% of the company’s global revenue – whichever is greater. The Government will also rely on consumers to report any products that do not conform to the set of standards or that do not carry a declaration of compliance.

To avoid the risk of sanction, any business potentially affected should speak with an expert to confirm whether its products fall within the new legislation or are exempt. Various organisations can offer advice on how to modify or redesign a device that fails to meet the legal requirements, including CENSIS, IASME and the British Standards Institution (BSI).

As technology rapidly evolves and more devices come with connectivity as standard, it is likely that we will see further regulatory changes in the future. Although the legislation largely fell under the radar during the festive break, it is about to become reality, and many businesses will have to act fast to ensure they are well-equipped for the impending changes.