Author

Debbie Heywood

Senior Counsel – Knowledge


24 July 2023

Radar - July 2023

Draft security requirements for IoT products covered by PSTI Act published

The UK government has published the draft Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023, which set out the detail of what manufacturers must do to meet the security requirements for relevant connectable products under the Product Security and Telecommunications Infrastructure Act.

What's the issue?

The Product Security and Telecommunications Infrastructure Act 2022 (PSTIA) was finalised in December 2022. Part 1 of the PSTIA deals with the security of consumer connectable products and is set to come into force on 29 April 2024. While the obligations themselves are set out in the PSTIA, much of the detail on what security measures will be required was left to secondary legislation, leaving manufacturers, importers and distributors of relevant IoT products, all of whom have security obligations under the PSTIA, uncertain as to the nature of those obligations.

What's the development?

The government has published the draft Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (Regulations). They set out in more detail what exactly is required for manufacturers (but not importers or distributors) to comply with the security requirements of the PSTIA in relation to relevant connectable consumer products.  The Regulations are based on the UK's Code of Practice for Consumer IoT security, ETSI EN 303 645, and advice from the National Cyber Security Centre.  They are being adopted under the Affirmative Procedure so must be approved by both Houses of Parliament, and are also intended to come into force at the end of April 2024.

The Regulations cover:

Requirements for default passwords

The password requirements apply to:

  • hardware of any in-scope product when that product is not in the factory default state
  • software which is pre-installed at the point of supply to a customer when the product is not in the factory default state
  • software which is not pre-installed at the point of supply to a customer but which must be installed to enable all intended use of the product, including use of the hardware or pre-installed software, or software which is installable.

Passwords must either be defined by the product user or be unique per product. To qualify as unique, a password cannot be based on incremental counters, publicly available information or unique product identifiers such as serial numbers (unless encrypted), and must not be otherwise guessable. Cryptographic keys, application programming interface keys and ID numbers used for pairing which do not form part of the IP suite are not considered passwords for these purposes.
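To make the uniqueness requirement concrete, the following is an added illustration in Python; it is not part of the original briefing and does not reproduce the text of the Regulations. It shows two default-password schemes that the requirement rules out (one derived from the printed serial number, one from an incremental counter), a per-unit random default drawn from the operating system's CSPRNG, and a small audit that flags a batch of provisioning records whose defaults are derivable from the serial number or follow a counter. The serial numbers, the "admin"/"device" prefixes, the 4-character match threshold and the audit function names are constructed for illustration only, and the carve-out for encrypted serial numbers is not modelled.

```python
import re
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
_TRAILING_DIGITS = re.compile(r"(\d+)$")

# Constructed sample serial numbers for three units from one production batch.
SAMPLE_SERIALS = ["SN-2023-000117", "SN-2023-000118", "SN-2023-000119"]


def weak_default_from_serial(serial: str) -> str:
    """Non-compliant pattern: the default is derivable from an identifier printed on the unit."""
    return "admin" + serial[-4:]


def weak_default_from_counter(unit_index: int) -> str:
    """Non-compliant pattern: an incremental counter, so one known default predicts its neighbours."""
    return f"device{unit_index:05d}"


def compliant_default_password(length: int = 12) -> str:
    """Per-unit default drawn from the OS CSPRNG; it is not derived from any identifier or counter.

    The value must be generated once per unit at manufacture and stored with that unit's
    record, since it cannot be recomputed later from anything public.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def embeds_identifier(password: str, serial: str, min_len: int = 4) -> bool:
    """True if any run of min_len or more alphanumerics from the serial appears in the password.

    The 4-character threshold is an illustrative choice, not a figure from the Regulations.
    """
    s = re.sub(r"[^A-Za-z0-9]", "", serial).lower()
    p = password.lower()
    return any(s[i : i + min_len] in p for i in range(len(s) - min_len + 1))


def is_incremental(passwords: list[str]) -> bool:
    """True if every password ends in a digit run and the runs step by one constant, non-zero amount."""
    matches = [_TRAILING_DIGITS.search(pw) for pw in passwords]
    if len(passwords) < 3 or not all(matches):
        return False
    values = [int(m.group(1)) for m in matches]
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(steps) == 1 and steps != {0}


def audit_batch(units: list[tuple[str, str]]) -> list[str]:
    """Audit (serial, default password) records; an empty list means no derivable pattern was found."""
    findings = []
    for serial, password in units:
        if embeds_identifier(password, serial):
            findings.append(f"{serial}: default embeds part of the serial number")
    if is_incremental([password for _, password in units]):
        findings.append("batch: defaults follow an incremental counter")
    return findings


if __name__ == "__main__":
    serial_batch = [(s, weak_default_from_serial(s)) for s in SAMPLE_SERIALS]
    counter_batch = [(s, weak_default_from_counter(4201 + i)) for i, s in enumerate(SAMPLE_SERIALS)]
    random_batch = [(s, compliant_default_password()) for s in SAMPLE_SERIALS]
    for name, batch in (("serial", serial_batch), ("counter", counter_batch), ("random", random_batch)):
        print(name, audit_batch(batch) or "no findings")
```

The audit is a heuristic for catching the two derivation patterns named in the Regulations; it cannot prove a scheme is not "otherwise guessable", so a batch with no findings still needs the generation process itself (CSPRNG source, no reuse across units) reviewed.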

Information that must be provided to the public on reporting security issues

Manufacturers must publish details of at least one point of contact to allow a person to report security issues relating to hardware, pre-installed software, or software which must be installed in order to use the product for all its intended purposes. In addition, software used for or in connection with any intended purpose of the product will be covered unless the product is a smartphone or a tablet able to connect to cellular networks. Information must also be given about when the person will receive acknowledgment of their report, and when they will be given status updates, which must be provided until the issue is resolved. This information must be transparent, provided free of charge without prior request and without requesting the reporter's personal data.

Information about minimum support periods

Minimum product support periods must be published by manufacturers for in-scope products in relation to their hardware, pre-installed software, software which must be installed to enable intended use of the product, and software developed by or on behalf of any manufacturer and used for or in connection with any intended purpose of the product, unless the product is a smartphone or a tablet able to connect to cellular networks. This applies only where the software is capable of being updated. The requirement extends to software associated with the product's intended functionality whether or not it is installed or capable of installation on the product, and so can cover cloud services. The support period cannot be shortened, but it can be extended, in which case information to that effect must be provided. The information must be transparent and clearly understandable by a consumer without technical knowledge, provided free of charge and without requesting personal data. Where the product is offered for sale on a manufacturer website or a non-paid-for website under the manufacturer's control, this information must be given equal prominence with the information listing the main characteristics of the product.

Security standards – deemed compliance

Schedule 2 sets out conditions for deemed compliance with security standards. These include compliance with the relevant provisions of ETSI EN 303 645 or, in some cases, ISO/IEC 29147.

Excepted products – set out in Schedule 3

Products excepted from the scope of the Regulations include certain:

  • products made available to be supplied in Northern Ireland
  • charge points for electric vehicles
  • medical devices
  • smart meter products
  • desktop and laptop computers and tablets which do not have the capability to connect to cellular networks, unless they are designed exclusively for children under 14.

In most cases, these exceptions are due to the fact that requirements are dealt with in alternative legislation.

Minimum requirements for statements of compliance

Statements of compliance must include information about:

  • product type and batch
  • the name and address of each manufacturer and, where applicable, their authorised representative
  • a declaration that the statement is prepared by or on behalf of the manufacturer of the product
  • a declaration of compliance either under Schedule 1 or by meeting the deemed compliance conditions
  • the defined support period for the product that was correct at the time of first supply
  • formalities (signature, name and function of signatory, place and date of issue).

A copy of the compliance statement must be retained by the manufacturer and, where applicable, the importer for ten years from the date of issue or for the minimum support period set out in the statement, whichever is longer.

What does this mean for you?

While it is possible the Regulations will change on the way to enactment, we do not anticipate major changes, so manufacturers caught by Part 1 of the PSTIA now have far greater clarity as to what compliance looks like and can begin preparing for implementation of the requirements by the likely deadline of 29 April 2024. It is unclear whether we can expect further Regulations setting out detailed security obligations for importers and distributors, or when that might happen.
