The UK has established mandatory cybersecurity measures and regulations for Internet of Things (IoT) devices, effective from 29 April 2024.(1)
The new regulation, termed the Product Security and Telecommunications Infrastructure (PSTI) Act, impacts enterprises dealing with consumer IoT products. It shifts the burden of security from consumers to manufacturers, mandating that cybersecurity measures are embedded in these products from the start. In 2021, an investigation conducted by the Which? consumer group discovered that a UK home filled with smart devices could be vulnerable to over 12,000 hacking attempts every week. (2)
The PSTI Act introduces stringent safety standards for connected devices, covering a wide array of consumer connectable products including, but not limited to, connected safety-relevant devices like door locks and home automation systems. According to the Department for Science, Innovation, and Technology, over half of UK households now own a smart TV, and more than half own a voice assistant, along with an average of nine other smart devices. The objective of these regulations is to bolster the security and safety of IoT devices, addressing increasing cybersecurity concerns in the digital era.
The legislation zeroes in on three key compliance areas crucial to the fire and security market:
Clear Support Duration Information at Sale Point
Manufacturers are required to clearly disclose how long they will provide updates and support for their products at the point of sale. This ensures consumers are well-informed about the support lifespan for their devices.
Unique Initial Passwords
Devices must not ship with universal default passwords: each product must have a password that is unique to that device or set by the user during setup.
Vulnerability Reporting Mechanisms
Manufacturers must publish a point of contact through which security researchers and others can report vulnerabilities, and must give reporters an indication of when they can expect a response.
This recently implemented legislation codifies cybersecurity practices that were previously voluntary within the UK, and the UK's approach is now closely aligned with the EU's Cyber Resilience Act.
What are some major concerns?
The law only requires devices to meet three of the thirteen provisions in the European Telecommunications Standards Institute (ETSI) standard, and it applies only to new devices. It does not apply retrospectively to the millions of inadequately protected smart devices already in service, which we expect to be replaced only gradually over the coming years, particularly larger appliances such as smart TVs and fridges.
Who will the PSTI Bill apply to?
The PSTI Act applies to the entire IoT industry, including manufacturers, importers, and distributors of foreign-manufactured devices, where the products are intended to be UK consumer connectable products.
Specifically, Section 7 of the PSTI Act identifies the following persons the PSTI Act would apply to:
(a) A manufacturer: This is a person who produces the product, or has it designed or manufactured by others, and then markets it under their own name or brand.
(b) An importer: This refers to a person who brings the product into the United Kingdom from another country and does not manufacture the product themselves.
(c) A distributor: This is a person who distributes the product within the United Kingdom but does not manufacture or import the product.
Section 8 of the PSTI Act outlines the circumstances under which a manufacturer must comply with the Act, specifically if either of the following conditions is met:
Condition A: The manufacturer either intends the product to be used as a UK consumer connectable product, or should be aware that the product will be used as such.
Condition B: The product is a UK consumer connectable product, and at the time it was made available by the manufacturer, Condition A was already applicable to the product.
For further details on what constitutes a "UK consumer connectable product," refer to section 54 of the Act.
Sections 14 and 21 of the PSTI Act similarly impose conditions on importers and distributors, respectively, mirroring those set for manufacturers. This ensures that all parties in the supply chain of connectable products to UK consumers are held to consistent regulatory standards.
What does this mean for manufacturers?
The standards imposed through the PSTI Act will likely impact manufacturers and IoT companies immediately, as manufacturers will have to invest time in application security and in more thorough quality assessment during production.
How would this affect manufacturers in Malaysia?
While these new cybersecurity measures are specific to the UK, they hold significant implications for the Malaysian market, especially for companies that export IoT products to the UK or those that maintain business ties with European markets (where the EU Cyber Resilience Act applies). Malaysian manufacturers of IoT devices must ensure compliance with these international standards to maintain market access and avoid potential legal and financial repercussions.
Internationally, the International Organization for Standardization (ISO) has issued five standards addressing all aspects of cybersecurity, with IoT covered within their broad scope, such as ISO/IEC 27001 for information security management, ISO/IEC 27032 for cybersecurity, ISO/IEC 27035 for incident management and ISO 22301 for business continuity management, among others.