Features 02.07.2024

Can the PSTI Act Resolve the IoT Security Nightmare?

The PSTI Act came into play in April 2024, aiming to improve resilience for notoriously insecure IoT devices

The PSTI Act aims to resolve the security chaos posed by the billions of devices comprising the Internet of Things. Kate O’Flaherty questions what’s in it, why – and whether it’s enough

The Internet of Things (IoT) is already a security nightmare. Today, anything can be (and seemingly is) connected to the internet – including baby monitors and children’s toys – yet the security of IoT devices is historically dire.

Manufacturers build IoT products quickly, often without considering security in the design process. They ship them using default passwords that can easily be found online.

With the number of IoT devices forecast to grow to 29 billion in 2030, it’ll come as no surprise that security is a growing concern. With this in mind, a new UK law, the Product Security and Telecommunications Infrastructure Act (or PSTI Act), came into force at the end of April.

As the risk of attacks on IoT devices grows, the new Act stipulates that smart devices meet basic cybersecurity requirements. This includes not using default passwords, having a point of contact for security issues to be reported, and stating the minimum time for which devices will receive updates.

Failure to comply with the PSTI Act could result in a hefty fine of £10m or 4% of revenue, even for firms outside the UK that import or retail their products in the country.

So what’s in the PSTI Act, why – and is it enough to secure the IoT?

From simple exploits to sophisticated attacks

IoT devices are notoriously difficult to secure. For a start, most have limited computational resources, which makes it difficult to onboard robust security protocols, says Iain Davidson, senior product manager at Wireless Logic. “This leaves them vulnerable to attacks such as malware, ransomware and unauthorised access.”

IoT devices also collect a lot of data. This raises additional concerns over identity theft, surveillance, and privacy violations, he says.

Cyber attacks targeting IoT devices vary from simple exploits, such as leveraging default credentials, to “sophisticated attacks” using firmware vulnerabilities or insecure network protocols, says Steven Kenny, industry liaison, architecture and engineering, Axis Communications.

And the results of a successful attack on IoT devices can be devastating. Who could forget the infamous Mirai botnet, which caused havoc in 2016 when compromised IoT devices were used together to perform distributed denial of service (DDoS) attacks? Victims included domain name system provider Dyn, with the attack leading to multiple internet services and platforms becoming unavailable to large swathes of users.

Three years later, the Reaper malware targeted disclosed vulnerabilities in IoT devices, including popular router brands and IP cameras, to form another deadly botnet.

The PSTI Act aims to prevent incidents such as these. According to the National Cyber Security Centre’s (NCSC) guidance, the PSTI Act applies to any consumer smart device that connects to the internet or a home network. This includes smart speakers, TVs, doorbells, baby monitors, security cameras, wearable fitness trackers, and smart domestic appliances such as light bulbs, ovens, and fridges.

Experts say the Act aims to strengthen consumer and supply chain defence while holding manufacturers accountable throughout IoT production and maintenance.

Steps such as removing easily guessable default passwords are important in improving the security of IoT devices, says Matt Thomas, head of UK markets at cybersecurity company NCC Group. “Previously, these passwords gave the illusion of security while leaving the consumer exposed to compromise.”

Additionally, the Act will ensure manufacturers publish their contact details so issues can be reported and dealt with. It also stipulates that IoT device makers are open with consumers about the minimum time they can expect to receive security updates.

Among the benefits, the PSTI Act introduces much-needed accountability, enforcing a “pro-security culture” among manufacturers, says Davidson. “The new rules give authorities the power to issue directives for fixes or recall notices for non-compliant devices sold after the deadline. The Office for Product Safety and Standards can stop distribution or sales until devices comply.”

Concerns over enforcement

However, concerns have been raised about PSTI’s enforcement. For example, consumers still need to secure their own devices, for instance by updating them when a patch is available. “If consumers neglect device security, it undermines manufacturers’ efforts,” says Davidson.

Others say the Act doesn’t go far enough. David Emm, principal security researcher at Kaspersky, describes how the Act has been a long time in the making, building on the 2018 Code of Practice for Consumer IoT Security.

However, he criticises the PSTI Act for legally enforcing only three of the Code’s 13 recommendations, targeting weak passwords and vulnerabilities in network services. This is “not comprehensive enough to fully safeguard users”, says Emm.

While the PSTI Act addresses consumer devices, experts are also concerned about the security of IoT in critical industries such as energy and water, where a successful attack could be deadly. Davidson says that in the future, more regulations are expected to address IoT integration within critical national infrastructure (CNI).

This includes the EU’s Cyber Resilience Act (CRA), which has been approved and is set to come into force soon. Covering a broader range, such as industrial control systems that underpin many of the systems used by energy companies, the CRA is “considerably more ambitious” than the scope of the UK’s legislation, says Thomas. “The EU’s counterpart will assess cybersecurity requirements for a significant proportion of hardware and software sold into the EU, covering risk assessments, vulnerability handling processes and incident reporting.”

The US and Australia are taking similar steps, and the UK must keep up by “introducing further bolder protections for consumers”, says Thomas.

The PSTI Act is not enough

Experts agree that the PSTI Act is a positive step towards a more secure IoT, but regulation alone is insufficient. Businesses must understand that the PSTI Act “isn’t the final defence against cyber crime”, says Davidson. “New threats will continue to emerge, and leaders across the industry will have to adapt. This requires increased collaboration among industry sectors, technology firms, policymakers, standards organisations, and cybersecurity professionals.”

IoT security requires a “collaborative effort” across the entire ecosystem, agrees Nebu Varghese, senior director of the cybersecurity practice at FTI Consulting. He says this is in addition to manufacturers implementing basic protections, including encryption, secure authentication and risk-based access segmentation controls.

Kenny thinks governments must take the lead through legislation to establish baseline security requirements for IoT devices, raise awareness of cyber security risks, and enforce compliance among manufacturers.

Concurrently, IoT manufacturers should integrate security measures throughout the product lifecycle, “conducting regular assessments” and “providing timely updates” to address vulnerabilities, Kenny says.

Undoubtedly, the PSTI Act is a positive step forward in resolving the IoT security nightmare, and additional regulations such as the EU CRA will bolster this. But it’s an ongoing project: more will need to be done by the industry, manufacturers and the government to ensure security is built in from the outset as new threats emerge.

The PSTI Act Stipulations

From 29 April 2024, manufacturers of consumer IoT devices must comply with the Product Security and Telecommunications Infrastructure Act (PSTI). All smart devices must meet the following basic cybersecurity requirements, according to the NCSC:

  • Default passwords: Devices must not use default passwords, which attackers can quickly discover online and use to launch attacks.
  • Point of contact: A point of contact must be provided for reporting security issues in IoT devices so flaws can be fixed before criminals use them in attacks.
  • Security updates: Manufacturers must clarify how long their devices will receive security updates. This will help people choose products based on how long they are secure and highlight that they may no longer work properly once the update period has passed.
