Overview of the PSTI Act and Its Impact on IoT Manufacturers

As of April 29th, 2024, the Product Security and Telecommunications Infrastructure (PSTI) Act has been officially enacted after a one-year grace period. This critical legislation impacts all manufacturers that sell smart-connected devices within the UK. With the grace period concluded, any organisation violating this regulation faces prosecution. For consumers, this development marks a significant advance in protection from the risks posed by non-compliant devices that could compromise their online security. Manufacturers failing to comply will face mandatory recalls and severe financial penalties, with non-compliance now considered a criminal act.

IoT manufacturers aiming to enter or continue in the UK market are required to adhere to the ETSI (European Telecommunications Standards Institute) Standard, which is reflected in UK law. The principal requirements include:

  • No default passwords – passwords must be unique to each individual device/product set, or the user must be able to set their own password.
  • A vulnerability disclosure policy must be established for each device, ensuring that any vulnerabilities are addressed promptly upon detection.
  • Details regarding the support duration of a product or device must be provided at the point of sale, specifying how long the manufacturer will support updates.

This legislation underscores the increasing recognition of the necessity for best practices in the development and safeguarding of IoT devices. At The Cyber Scheme, we are enhancing the availability of skilled hackers specifically trained for the IoT/IIoT/ICS sectors. Our CSII training course delivers practical IoT hacking training, followed by a rigorous accredited evaluation designed to assess the practitioner’s hands-on skills. This course serves as a stepping stone to more advanced IoT examinations that are currently in preparation.

For further details on The Cyber Scheme’s IoT training and assessments, please visit: https://thecyberscheme.org/iot-ics-training/