The Product Security and Telecommunications Infrastructure (PSTI) Act is a pivotal piece of cybersecurity legislation enacted in the United Kingdom, which came into force on April 29th, 2024. This legislation introduces specific cybersecurity requirements aimed at manufacturers of connected products.
The term 'connected products' refers to devices that can communicate over the internet, either directly or through other devices. Certain types of devices are exempted from the Act, namely EV charging points, medical devices, smart meter products, and computers.
Under the PSTI Act, manufacturers seeking to distribute their products in the UK are obliged to comply with the outlined cybersecurity requirements. The law applies to every product available for purchase from April 29th, which includes products already on the shelves as well as those still in warehouses.
The PSTI Requirements
The PSTI Act consists of three core requirements aimed at providing a minimum level of security.
No default passwords
Passwords can be predefined only if they are unique per device and generated with mechanisms that prevent the password from being easily guessable. Alternatively, passwords can be set directly by the users.
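As an added illustration (not part of the original post or of any vendor's code), the following Python sketch shows what a factory provisioning step that satisfies this requirement could look like: one CSPRNG-generated password per device, checked against a constructed blocklist of common defaults and against the device's own serial number, so that neither a class-wide default nor a serial-derived password ships. The blocklist, serial format and password length are assumptions.

```python
import secrets
import string

# Constructed example values: these are not real device credentials.
ALPHABET = string.ascii_letters + string.digits   # 62 symbols
PASSWORD_LENGTH = 16                              # log2(62**16) is about 95 bits
COMMON_DEFAULTS = {"admin", "password", "12345678", "00000000"}  # constructed blocklist


def generate_factory_password(length: int = PASSWORD_LENGTH) -> str:
    """Draw a fresh password from the OS CSPRNG for one device.

    Nothing about the device (serial number, MAC address, model) feeds the
    generator, so knowing one device's public identifiers gives no help in
    guessing another device's password.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_acceptable_factory_password(password: str, serial: str) -> bool:
    """Reject what the 'no default passwords' rule disallows: short values,
    well-known defaults, or anything that is merely a transform of the public
    serial number printed on the device label."""
    if len(password) < PASSWORD_LENGTH:
        return False
    if password.lower() in COMMON_DEFAULTS:
        return False
    pw, sn = password.lower(), serial.lower()
    if sn in pw or sn[::-1] in pw:
        return False
    return True


def provision_batch(serials: list[str]) -> dict[str, str]:
    """Assign one unique factory password per serial and verify the batch."""
    credentials = {}
    for serial in serials:
        pw = generate_factory_password()
        while not is_acceptable_factory_password(pw, serial):
            pw = generate_factory_password()
        credentials[serial] = pw
    # Per-device uniqueness is the requirement: a repeated value means a
    # class-wide default slipped in.
    if len(set(credentials.values())) != len(credentials):
        raise ValueError("duplicate factory password in batch")
    return credentials


if __name__ == "__main__":
    for serial, pw in provision_batch(["SN-0001", "SN-0002"]).items():  # constructed serials
        print(serial, pw)
```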
Vulnerability disclosure process
Researchers or customers may discover undisclosed vulnerabilities within products. To address these security issues promptly, manufacturers must establish a communication channel for receiving security reports from third parties. This involves setting up a point of contact and publishing clear instructions on how reporters can contact the manufacturer.
Support period
The minimum duration for which security updates will be provided for the product should be defined and published clearly. This means that the product should be continuously monitored for security issues throughout the entire defined support period. A solid process for monitoring and managing vulnerabilities is key to guaranteeing timely security updates, and it involves compiling an SBOM (Software Bill of Materials) for the product.
Alongside the three requirements, manufacturers are required to declare which products are compliant with the PSTI Act through a Statement of Compliance (SoC).
Failure to meet the PSTI requirements may lead to monetary penalties of up to £10 million or 4% of worldwide revenue, whichever is higher.
Standards and regulations related to PSTI
The three PSTI requirements are heavily inspired by the first three provisions of ETSI EN 303 645, which is considered the de facto European cybersecurity standard for consumer IoT devices. The ETSI standard is clearly gaining importance. We can expect that the incorporation of the initial ETSI requirements into the PSTI Act is just the beginning, with more aspects of ETSI likely to be enacted into law over time.
Another important point in favour of this thesis is the Radio Equipment Directive (RED), a regulatory framework that is planning to adopt ETSI-like cybersecurity requirements. Learn more about RED in our previous blog post.
How Security Pattern can support
We offer various consultancy services and training modules to support your organisation with cybersecurity challenges.
SBOM and Vulnerability Management: Our SBOM and Vulnerability Management platform ARIANNA has been designed to support you in managing and addressing security vulnerabilities efficiently. Discover more on the ARIANNA platform page or book a demo.
Compliance Gap Analysis: During a Compliance Gap Analysis we support you in comparing your organisation's procedures and controls with an existing standard.
Cybersecurity Training: Our training modules have been designed to introduce your team to the cybersecurity domain or to take professionals to the next level.
Security Pattern’s cybersecurity experts have been supporting Device Manufacturers since 2017.