With cybercrime never more prominent – incidents having risen 72% by the end of 2023 over the previous mid-pandemic high of 2021[1] – it is unsurprising that regulations are expanding to meet the growing threat. And for IoT devices – like a surveillance camera, which could be a tempting network- and internet-connected target for cyber criminals – such regulations have never been more important.
The initial phase of the United Kingdom’s PSTI Act (Product Security and Telecommunications Act) is now in effect, and its ratification enshrines compliance with the top three items of the UK’s 13-point Code of Practice for Consumer IoT Security into law.
PSTI and ETSI: A baseline standard for security
These three requirements reflect the same rules set out in the European Telecommunications Standards Institute (ETSI) standard EN 303 645, followed by EU member states: devices must not use default passwords; they must be supported by a vulnerability disclosure policy; and the included support and update period must be disclosed at the point of sale.
If a device does not meet the standards of the PSTI Act, the UK government may issue large fines, force a product recall, prevent the manufacture of further devices, and even hold company directors liable for a criminal act.
PSTI and ETSI regulations represent, frankly, the bare minimum that any business could do to fight the threat of cybercrime. They’re an essential baseline, but when businesses reach these standards, they must also strive to go beyond them. The ever-increasing pace of cybercrime dictates that cybersecurity stay ahead of it.
New opportunities to excel
Manufacturers need to push their technology beyond the line, both to be ready for the next part of the PSTI Act and to demonstrate to customers a superior commitment to security. PSTI’s enshrinement in law may be an opportunity to also emphasise the value of a zero-trust approach to networking, for example.
A zero-trust approach assumes that any entity inside or outside the network could act as an attack vector. Supporting such an approach helps those building IoT devices to nurture a culture of constant identification, verification, and inherent security within the networks of their clients. Security should be the default, and the easier it is for customers to achieve that, the better.
IoT manufacturers can also turn the tables and use attackers as a resource. There may be no better source of cybersecurity knowledge than a hacker, and analysis of an attack attempt may reveal critical information about weaknesses in one’s software, firmware, or hardware. But it’s not sensible to push out a product and wait for it to be attacked.
Bug bounties present an opportunity to put offensive security experts – so-called ‘white hat’ hackers – to work discovering security issues, loopholes, or other critical issues. A reward is a great incentive, and bounties allow such problems to be found in a safe sandbox rather than on a customer’s network.
Supporting products throughout the lifecycle
Critically, manufacturers must also be ready to support their devices from beginning to end. An IoT device which is secure today may very well fall victim to the attack of tomorrow. It could also fail to meet the requirements of revised standards as they are introduced. To properly protect their customers, manufacturers need to support devices through the entire product lifecycle.
This means providing straightforward, security-first onboarding, convenient and flexible firmware upgrade paths, seamless management interfaces to ensure devices are not forgotten or left vulnerable, and a strict path to decommissioning to avoid data leaks. Make it easy for end users to meet security standards, and they will; throw too many spanners in the works, and they may skip critical steps.
Better certification to prove commitment
The PSTI Act essentially allows for self-certification, which makes it easy to demonstrate that one is following the rules, but seeking certification from a true third party makes a far stronger statement.
Regular periodic verification from an external entity offers strong validation to customer and regulator alike – the certifier, not the manufacturer, puts their reputation at stake if their process is not fully above board.
Ultimately, though, as important as meeting standards is, nobody in the IoT industry can afford to focus solely on ticking certification boxes. True value and innovation are found in one’s products and actions. Demonstrating the strength and agility to go far beyond regulatory standards is the true marker of the industry’s progress towards a smarter, safer world.
[1] https://www.idtheftcenter.org/publication/2023-data-breach-report/