On April 29th, the UK’s new Product Security and Telecommunications Infrastructure (PSTI) Act was passed into law. The PSTI is focused on the way devices are connected, and is designed to safeguard consumers from increasing cybersecurity risks in an interconnected world.
As defined by the Act, the new legislation applies to ‘all internet connectable products’ and ‘network connectable products’, and it specifically targets manufacturers, distributors, and importers of such devices within the United Kingdom. Everything from smart TVs and Wi-Fi routers to IoT devices and industrial controls is bound to be affected. In fact, the legislation is likely to impact most of the technology supply chain.
What does the PSTI specify?
There are a number of key areas specified in the legislation.
- A ban on universal passwords
- Transparency in disclosure of vulnerabilities
- Timely software updates
- Security by design and default
Devices built or distributed in the UK are now required to use unique passwords, or passwords that are set by the user on initialization, in order to defend against unauthorized access via universal and potentially guessable default passwords.
Additionally, manufacturers are now required to provide transparency when it comes to vulnerabilities. There must be a public point of contact, as well as a defined mechanism for reporting vulnerabilities, so that any security flaws are quickly discovered and addressed.
Security Updates
The new law also requires manufacturers to state the minimum period during which a device is scheduled to receive security updates. This is especially significant, as the length of that support period could affect the way in which post-quantum defenses are deployed and monitored over a device’s lifetime.
With the timeline to quantum resilience accelerating, it’s becoming increasingly important to know how and when PQC is being deployed, and this requirement adds helpful clarity. Being able to plan ahead is essential for product roadmaps, and should allow strategic forecasting for the introduction of post-quantum algorithms.
Security by Design & Default
PSTI also mandates that devices must be built with security in mind, in particular adhering to the provisions set out in ETSI EN 303 645 and ISO/IEC 29147. This is a key reinforcement of the principle that the security of a device is a foundational consideration of its design, and the legislation makes the issue an important priority for manufacturers. It is worth noting that compliance is, above all, a commitment to the security and integrity of products, and to providing a reliable experience for customers.
This also reinforces PQShield’s goal of helping to upgrade the world’s technology supply chain. Post-quantum cryptography will form a critical part of the security architecture of devices in the next decade, whether alongside classical defenses or as their replacement. As these technologies become more widely adopted, and regulation becomes more clearly defined, PQC is bound to gain a higher profile, and solutions designed to counter the quantum threat will become more prevalent.
Non-compliance with the PSTI Act can, of course, lead to serious consequences for manufacturers. More importantly, however, the adoption of such legislation shifts the culture towards taking security concerns seriously, and that’s a great thing for everyone involved.
Read More on the Gov.UK website.