Regulatory Reflections: The United Kingdom’s PSTI Act

Date Published: August 20, 2024

Within the United Kingdom (UK), there are approximately nine connected devices in every household, and this number is only going to grow. For example, by the end of 2024 the government expects there to be 61 million smartphone users within the country. These figures indicate the growing reliance on IoT devices from UK citizens.

However, a report from April 2024 found that 50% of UK citizens neglect basic security measures when it comes to their phones. This should be a cause for concern: smartphones are one of the more ‘obvious’ devices one should be looking to protect, and now that attackers are able to target more obscure device types, such as washing machines, freezers, and even vacuum cleaners, it paints a worrying picture of the nation’s cyber hygiene.

Over the past few years, steps have been taken to remedy the situation. Initially built on the back of the IoT Code of Practice launched in 2018, and receiving Royal Assent in 2022, the Product Security and Telecommunications Infrastructure (PSTI) Act finally came into effect on April 29, 2024. With smart devices so integral to its citizens’ daily lives, the government hopes the Act will ensure greater device security through the implementation of basic security measures.

Overcoming current concerns
Presently, the UK has a password problem. In 2023, over 4.5 million people were still using the word ‘password’ to protect their devices, making it the most popular password in the country. In second and third? ‘123456’ and ‘123456789’. The PSTI Act wants to change the status quo here, essentially forbidding consumer devices from accepting default, insecure passwords. Organisations must now be transparent about how security updates are deployed and how device vulnerabilities can be reported, strengthening network security.
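As an added illustration (not code from the article or from TCG), the following hypothetical first-boot password check shows what “not accepting default, insecure passwords” can look like inside a device’s setup flow. The blocklist includes the three passwords named above, and the minimum length, the serial-number rule and the other thresholds are assumptions for this example, not requirements quoted from the Act.

```python
"""Hypothetical first-boot password policy for a consumer IoT device.

Demonstrates rejecting the factory default and other weak choices when the
user sets a password during initial setup. All rules and thresholds here are
assumptions made for this example, not text from the PSTI Act.
"""
from __future__ import annotations

# Constructed blocklist: the three most used UK passwords named in the text,
# plus a few universal defaults commonly shipped on devices (assumed).
COMMON_PASSWORDS = frozenset({
    "password", "123456", "123456789",
    "admin", "qwerty", "12345678", "letmein",
})

MIN_LENGTH = 8  # assumed policy value, not mandated by the Act


def is_sequential(s: str) -> bool:
    """True if every character is +1 (or -1) from the previous one, e.g. 1234 / dcba."""
    if len(s) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def check_password(candidate: str, factory_default: str, serial: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a password chosen at first boot.

    factory_default: the per-unit default printed on the device label, which
                     must be replaced before the device goes into service.
    serial: the device serial number; passwords containing it are rejected
            because it is visible on the label and often on the network.
    """
    lowered = candidate.lower()
    if candidate == factory_default:
        return False, "must differ from the factory default"
    if lowered in COMMON_PASSWORDS:
        return False, "appears on the common-password blocklist"
    if len(candidate) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if is_sequential(candidate):
        return False, "is a sequential run of characters"
    if serial and serial.lower() in lowered:
        return False, "contains the device serial number"
    if len(set(lowered)) < 4:
        return False, "uses too few distinct characters"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a per-unit default and serial, then a few candidates.
    default, serial = "Xk7#pQ2v", "SN-001"
    for cand in ("password", "123456789", "Xk7#pQ2v", "mySN-001pw", "Correct-Horse-9"):
        print(f"{cand!r}: {check_password(cand, default, serial)}")
```

Ordering the checks so the blocklist runs before the length test means a user who types ‘123456’ is told it is a known-bad password rather than merely a short one, which is the more useful message to surface in a setup wizard.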

The legislation also requires manufacturers to publish easily accessible contact information so users can report device-related bugs and issues. In 2021, Resolver, an online customer service tool used in the UK, dealt with over 550,000 complaints, more than half of which related to customers being unable to call, contact or email a business about an issue. When it comes to device security, manufacturers and retailers cannot simply ignore their customers, and the Act will ensure that. The same businesses must also be truthful about how long their devices will continue to receive security updates and patches.

Protecting everything bar the kitchen sink
The official wording of the PSTI Act states that these regulations relate to “relevant connected products”, which include “internet-connectable products” (a device which can connect to the internet) and “network-connectable products” (a device capable of sending and receiving data through electrical or electromagnetic energy but which cannot itself connect to the internet). Any company that fails to comply with the security and telecommunications requirements is subject to thorough investigation and audits. If a breach of the stipulations is deemed serious, the authorities reserve the right to restrict the product’s access to UK markets alongside financial penalties.

For those wanting greater clarity, the National Cyber Security Centre (NCSC) has already outlined several smart device types that fit within these criteria. Similar to the U.S. Cyber Trust Mark, it covers a range of consumer devices including phones, tablets, televisions, doorbells, fitness trackers, and smart watches. It even includes smart domestic appliances, such as connected light bulbs, washing machines and refrigerators.

In January 2024, a washing machine owner found his appliance was uploading an average of 3.66GB of data daily, making up approximately 5% of his entire internet traffic. These devices typically use less than 1MB per day, and while the reason has never been discovered, many believe it was being used for nefarious purposes. If a hacker can gain control, washing machines can be quickly grouped in with other low-power devices to become part of a larger ‘botnet’, and be used for activities such as cryptomining – which uses a lot of electricity. It’s these innovative new attacks that the PSTI Act aims to stop.
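The washing-machine case above is the kind of behaviour a home or small-office network owner can catch from egress volume alone. The following is an added example, not code from the article or from TCG: it sums outbound bytes per device per day from constructed router flow-log lines and flags any device whose total far exceeds the expected daily volume for its class. The log format, the device classes, the per-class baselines (the washer baseline follows the article’s “less than 1MB per day”) and the alert multiplier are all assumptions for this example.

```python
"""Hypothetical egress-volume check for home IoT devices.

Aggregates per-device outbound bytes per day from router flow logs and flags
devices whose daily total far exceeds what that class of device normally
sends. Log format, device classes, baselines and the multiplier are
assumptions made for this example.
"""
from __future__ import annotations

from datetime import datetime

# Constructed baseline: expected daily egress per device class, in bytes.
# The washer figure follows the article's "less than 1MB per day".
BASELINE_BYTES_PER_DAY = {
    "washer": 1_000_000,
    "lightbulb": 50_000,
    "camera": 2_000_000_000,
}
ALERT_MULTIPLIER = 20  # assumed: flag when egress exceeds 20x the class baseline

# Constructed sample flow-log lines: timestamp, device id, class, outbound bytes.
# washer-01 on 2024-01-10 totals 3.66 GB, mirroring the figure in the article.
SAMPLE_LOG = """\
2024-01-10T00:15:02 device=washer-01 class=washer bytes_out=1200000000
2024-01-10T06:40:11 device=washer-01 class=washer bytes_out=1300000000
2024-01-10T18:02:45 device=washer-01 class=washer bytes_out=1160000000
2024-01-10T07:00:00 device=bulb-kitchen class=lightbulb bytes_out=12000
2024-01-10T19:00:00 device=bulb-kitchen class=lightbulb bytes_out=15000
2024-01-10T12:30:00 device=cam-front class=camera bytes_out=900000000
2024-01-11T09:00:00 device=washer-01 class=washer bytes_out=400000
"""


def parse_line(line: str) -> tuple[str, str, str, int]:
    """Return (day, device, class, bytes_out) from one log line."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    day = datetime.fromisoformat(ts).date().isoformat()
    return day, kv["device"], kv["class"], int(kv["bytes_out"])


def daily_egress(log: str) -> dict[tuple[str, str], tuple[str, int]]:
    """Sum outbound bytes per (day, device); each value is (class, total_bytes)."""
    totals: dict[tuple[str, str], list] = {}
    for raw in log.splitlines():
        if not raw.strip():
            continue
        day, dev, cls, nbytes = parse_line(raw)
        entry = totals.setdefault((day, dev), [cls, 0])
        entry[1] += nbytes
    return {k: (v[0], v[1]) for k, v in totals.items()}


def find_anomalies(log: str, multiplier: int = ALERT_MULTIPLIER) -> list[tuple[str, str, float]]:
    """Return (day, device, ratio_to_baseline) for devices over multiplier x baseline."""
    flagged = []
    for (day, dev), (cls, total) in sorted(daily_egress(log).items()):
        baseline = BASELINE_BYTES_PER_DAY.get(cls)
        if baseline is None:
            continue  # unknown class: no baseline, so nothing to compare against
        ratio = total / baseline
        if ratio > multiplier:
            flagged.append((day, dev, round(ratio, 1)))
    return flagged


if __name__ == "__main__":
    for day, dev, ratio in find_anomalies(SAMPLE_LOG):
        print(f"{day} {dev}: {ratio}x expected daily egress")
```

A check like this does not say what the data is or where it went; it only tells the owner that a device which should be nearly silent is suddenly talking a great deal, which is the prompt to isolate it, check for firmware updates and use the manufacturer’s published contact route to report the behaviour.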

Using standards and specifications
The PSTI Act is a fantastic first step towards enhanced device security within the UK, but that is where its remit ends. For device protection beyond the country’s borders, there are internationally regarded standards and specifications one can use, including those from the Trusted Computing Group.

The cornerstone of device security must be trust. Manufacturers and retailers must be able to assure the end user that their device will not be compromised and that it is working exactly as it was sold. By providing the means to verify and attest the quality and health of both the hardware and the software, the integrity of a device can be assessed. This makes hardware Roots-of-Trust such as TPM, DICE, and CyRes essential, as they implement the fundamental building blocks for cybersecurity in IoT and consumer devices.
