In this exclusive article, Secured by Design (SBD) National Manager and Secure Connected Devices accreditation lead, Michelle Kradolfer shares some important advice about the UK’s consumer connectable product security regime which comes into force this month.
The Product Security and Telecommunications Infrastructure Act was introduced as legislation in 2022.
In April 2023, the government announced a one-year deadline for manufacturers, distributors, and importers to comply.
With the 29 April deadline upon us, SBD’s Michelle Kradolfer is keen to underline the vital importance of the Act and what non-compliance means for the industry beyond the penalties imposed.
The Product Security and Telecommunications Infrastructure (PSTI) Act applies to all IoT consumer products and requires manufacturers, importers and distributors to ensure that they and their products meet the relevant minimum-security requirements.
It also ensures that its regulatory framework can adapt and remain effective in case there are any changes within the technology or to the techniques that threat actors use to exploit these devices.
Providing some context for this, Michelle says, “The PSTI Act has been influenced by the EN 303 645 standard.
“This is a European standard that outlines 13 basic requirements that any IoT consumer product should have and gives a blueprint for manufacturers to know how to build that IoT product as safely as possible.
“The government has implemented the first three of those 13 provisions within the PSTI Act for now, to address the IoT issues and risks that we have been facing in the UK as well.”
The security requirements are actions that relevant businesses in the supply chain must take, or requirements that a product must meet, to address a security problem or eliminate a potential security vulnerability.
The obligations relate to the provision of passwords, information on how to report security issues and information on minimum security update periods.
In response to the impending legislation, Secured by Design launched the Secure Connected Device accreditation scheme in 2022 in collaboration with the Department for Science, Innovation and Technology (DSIT).
“Companies can turn to us for assessing their products against the full EN 303 645 standard’s 13 provisions, a requirement that goes beyond the Government’s legislation so that companies can not only demonstrate their compliance with the legislation but help protect themselves, their products and customers,” says Michelle.
“We evaluate their products, suggest certification routes, and help them meet the Act’s requirements.
“Once certified by an SBD approved certifying body, companies can seek our prestigious SBD accreditation.
“The robust standards of certification exceed government legislation and our annual appraisal ensures compliance with evolving government requirements and cyberthreats.”
Prior to becoming National Manager in 2023, Michelle worked closely with the SBD team to ensure that all of SBD member companies who had IoT connected products were aware of the requirements of the new legislation and working towards compliance with it.
Put simply, the PSTI “applies to any product that can connect to the internet or a network that has the capability of communicating, transferring and transmitting data either from one physical device to another, or to a system or app,” says Michelle.
“This can be speakers, TVs, fitness trackers, baby monitors, smart coffee machines –anything the consumer can buy that connects to the Internet or to a network. There are a list of products that that the PSTI Act outlines, but it’s not it’s not a fixed list.”
The use of connected devices in UK households has increased significantly since the pandemic.
This is of particular concern for businesses that operate with a hybrid workforce as there are more devices at the edge which might be vulnerable to attack.
“If you’re looking at what you have at home, or what you have in your workplaces you start counting very quickly how many IoT products you really have,” says Michelle.
“There are currently about 35 billion internet connected products in UK and the NCSC is predicting that to almost double by next year.
“The problem is a lot of these products are not built with security in mind.
“When we first launched this initiative, I think we found only one in five manufacturers met basic security requirements, which obviously leads to high number of IoT attacks happening towards these products.”
There have been many incidences of IoT products being used as a weapon or a conduit to get personal information and even beyond that, says Michelle.
“When people think about crimes against IoT products, they mostly focus on the financial personal information being leaked.
“Unfortunately, a lot of these devices are used for other nefarious purposes – burglary, theft, blackmailing and victim harassment, stalking.
“That’s why we have a PSTI Act: to start addressing the vulnerabilities of these products and the danger they present to the consumer putting them into their homes and workplaces.”
Michelle highlights a few examples, starting with the UK.
In 2018 a man was jailed for IoT related harassment of his ex-spouse. “He was harassing her over a wall mounted tablet in her home. He was able to harass her like this because the tablet was connected to a network that he could access.”
Just across the pond, a North American casino was attacked via its fish tank.
Michelle tells the story: “the casino has a fish tank in the lobby and there is smart thermometer in the fish tank that controls the heating and the feeding schedule of the sea life in there.
“Attackers found a vulnerability in the thermometer and hacked into it. But they didn’t stop there.
“The thermometer was connected to the casino’s Wi Fi, so the hackers were able to jump into the Wi Fi and from there, into the database of the casino where the personal and financial information of all its high rollers was stored and steal that information too.
“This is just the best example, I think, of how something so small that you would never think could be an issue or could be a risk, is an entryway for hackers.
“On a larger scale and a bit more concerning if you’re thinking about the smart cities, is the example of a residential building in Finland that had a cyber- attack on its smart heating and water system.
“The hackers managed to shut the system down for a whole week, so they had no hot water and no heating. And Finland, in winter, it is very cold.”
A city that is entirely smart uses all the same kind of systems, says Michelle. All it takes is for one weak link in the wider eco-system, one “window in the house to be left open”, for a hacker to get in and “gain access to all the other rooms in the house”.
“If you are implementing these IoT devices on a larger scale to make a city smart you want to make sure the products you are putting into that ecosystem are safe, because otherwise hackers can target a lot of these products at the same time and shut down an entire grid.
“That’s the different types of IoT attacks that can happen and have happened.”
The government has been “very, very clear” there will be severe penalties for companies that are not compliant by the 29 April deadline, says Michelle.
“The law contains an enforcement regime with civil and criminal sanctions aimed at preventing insecure products being made available on the UK market within it.
“This enforcement regime enables the government to take a range of actions against companies that are not compliant with the law by 29th April 2024, including enforcement notices; compliance notices; stop notices; recall notices; huge financial penalties and forfeiture of stock which is in the possession or control of any manufacturer, importer or distributor of the products, or an authorised representative.”
The monetary penalties are in line with the GDPR fines -10 million pounds or 4% of the company’s annual global turnover, whichever is higher. “This sends a strong message because we must take IoT security seriously and companies must ensure that what they are putting out there is safe for people to use.
“I would urge companies that haven’t heard of the PSTI Act (many still haven’t), or haven’t thought about it yet, or are unsure as to whether they are included in its scope, to put those basic security requirements in place.
“There are only three of them and they should have been inputted from the outset if I’m being honest.”
SBD has been trying to raise awareness around the Act, not just with its member companies, but basically anyone in any industry that it comes in touch with, because as Michelle says, “it’s important for them to be aware of this.”
This article was originally published in the April Edition of Security Journal United Kingdom. To read your FREE digital edition, click here.