
NSI on PSTI Act

by Mark Rowe

As cyber-resilience challenges continue to escalate, installers, integrators, and distributors of internet-connected security equipment, such as networked CCTV cameras and alarms, should familiarise themselves with recently introduced legislation aimed at protecting consumers from cyber-attacks and hacking, writes Matthew Holliday, Director of Technical Services & Field Operations at the NSI (National Security Inspectorate).

In April, the UK Product Security and Telecommunications Infrastructure (PSTI) Act 2022 (Part 1: The Product Security Measures) took effect, imposing potentially severe fines for non-compliance. Installation companies may unknowingly violate the Act’s requirements by selecting a publicly available internet-connected product and rebranding it as their own, thus being deemed the default ‘manufacturer’ (as defined by PSTI) if they also fail to comply with the prescribed protective measures.

Financial penalties for breaches not remedied within the allowed time can total £10m or 4 per cent of worldwide turnover. These penalties are enforced by the Office for Product Safety and Standards, part of the Department for Business and Trade, which oversees the UK’s product safety regulations. The PSTI Act is part of the government’s National Cyber Strategy to protect and promote the UK online, covering all ‘simple’ products capable of connecting to the internet. As the UK’s premier Certification Body in the security and fire safety sectors, NSI is urging installers to understand PSTI’s important implications, in line with our central role in strengthening industry compliance and professionalisation.

NSI is also enhancing its efforts to counter cyber security threats by developing a certification scheme covering compliance with ISO/IEC 27001:2022 for information security management systems. This initiative addresses the growing demand for cyber-resilience solutions and ensures compliance with contract tender specifications.

Background forces
Cyber vulnerabilities are at the heart of the PSTI Act. Popular connectable consumer products like baby monitors, microwaves, fridges, smart TVs, speakers, and various other devices are not covered by existing legislation; nor are they expected to have their own in the future. These and other connectable products are therefore exposed to cyber-attacks, risking users’ privacy, personal data, and other significant harms. Buyers often assume such goods are sufficiently protected from external threats. While connectable equipment must comply with regulations to prevent physical harm from issues such as overheating or electrical interference, it has not previously been regulated to protect consumers from cyber-related harm – an omission now addressed by PSTI.

Market demand makes this protection imperative: up to 50 billion consumer-connectable products are predicted worldwide by 2030, yet only one in five manufacturers embed basic security measures. According to Ipsos Mori research, the average UK household uses nine of these devices, which are vulnerable to large-scale distributed denial-of-service attacks using ‘botnets’ to attack infrastructure or networks.

Protective action
In response to these risks, the government published a consumer IoT security code of practice in 2018, in line with the EU standard ETSI EN 303 645, a global cybersecurity standard for consumer Internet of Things (IoT) devices. In 2022, a £200,000 government-funded scheme was initiated to research and test potential vulnerabilities in popular office-based IoT devices, such as printers and room booking systems. The results informed the subsequent PSTI legislation’s requirements, guided by advice from the National Cyber Security Centre and other experts.

PSTI employs a three-pronged approach to connectable product protection: firstly, it bans products being sold with default passwords that are prey to cyber criminals. Secondly, equipment must have a vulnerability disclosure policy providing measures to identify and flag any product vulnerabilities. Finally, the Act mandates transparency regarding the security update timeframe for connectable products, ensuring consumers know if their product will receive important security updates and, if so, for how long.

Manufacturers, importers, and distributors of consumer connectable products must comply with these security requirements, ensure products are accompanied by a statement of compliance, and take action where there has been a compliance failure. Importantly, security installers could be ensnared by the legislation if they appear to be the ‘manufacturer’ of internet/network-connectable CCTV cameras or alarm systems, such as those used to protect residential housing and retail premises. Installer branding on products and/or packaging could be viewed in this way.

Approved installers play a vital role in enhancing customer confidence by implementing the latest security measures. The PSTI Act will accelerate the availability of security updates for connectable products, encouraging manufacturers to adhere to best practices for firmware and software updates. By learning about this law and following its guidelines, security installers can effectively reduce cyber-related vulnerabilities and ensure robust protection for their clients.

Visit www.nsi.org.uk.
