New security standards for connected devices

// New UK regulations oblige manufacturers, importers and distributors to meet ‘secure by design’ standards in internet-connected devices.

The new regulations came fully into effect on 29 April 2024, following a 12-month grace period for businesses to bring themselves into compliance.

The Product Security and Telecommunications Infrastructure Act 2022 (‘PSTI’) mandates compliance with baseline standards aligned with ETSI EN 303 645 and the Code of Practice for consumer IoT security. These include:

  • the avoidance of universal default passwords;

  • the implementation of a clear and accessible vulnerability disclosure policy; and

  • the provision of information to consumers, including

    1. minimum periods within which security updates will be provided, and

    2. a formal statement of compliance.

It is anticipated that adherence to these standards will go some way towards hardening devices against low-sophistication exploits based on leaked default passwords, typically seen in amassing botnets for distributed denial of service attacks or to enable illegal data egress. Compromised devices might enable an attacker to intrude directly into users’ privacy, or serve as a point of access into a target’s network for onward exploitation.

Perhaps more significantly, encouraging more firms to adopt clear policies for disclosure of vulnerabilities appears to acknowledge the important role played by vulnerability researchers and penetration testers in the IoT security ecosystem. The policy objective appears to be to smooth the interaction between ethical hackers and manufacturers, encouraging penetration testing while promoting a swift response to disclosed vulnerabilities, for example by encouraging the use of ‘bug bounty’ schemes and platforms such as HackerOne.

This apparent recognition of the importance of security researchers in target hardening considerably strengthens the argument for the addition of a sought-after public interest defence to Computer Misuse legislation in the UK, as lobbied for by CyberUp.

// What does this mean for businesses?

The regulations have broad application, spanning ‘manufacturers’, ‘importers’ and ‘distributors’ of ‘relevant connectable products’.

A wide range of products are caught, including ‘smart’ speakers, TVs, doorbells, washing machines, refrigerators, baby monitors, security cameras, smartphones, games consoles, lightbulbs and more. There are limited exemptions for separately-regulated devices, such as certain electric vehicle chargers, smart meters and medical devices.

The obligations extend beyond manufacturers and importers to include:

  • retailers and installers of smart home devices;

  • companies bundling internet-connected devices (such as broadband routers) with other products or services;

  • those who market such products under their own name which have been manufactured by others.

This significant new legislation imposes due diligence obligations on the supply chain between manufacturers and consumers, which could lead to these businesses being blamed for vulnerabilities in hardware that are beyond their control or expertise. It also necessitates technical audit of software design and vulnerability reporting obligations in industries where this might not otherwise be routine.

While the password standards are not expected to be particularly onerous for manufacturers to meet, many manufacturers will continue to ignore these requirements, particularly if their business is based outside the reach of these UK regulations.

// Who will enforce these new standards?

The regulator – the Office for Product Safety and Standards (‘OPSS’), part of the Department for Business and Trade – is vested with powers to issue financial penalties, compel product recalls and require certain business activities to cease. Its Enforcement Policy sets out its commitment to take “effective and proportionate” enforcement action encompassing “actual, suspected or potential non-compliance”.

As a generalist product safety regulator, the OPSS’s expertise in network security is unclear. A factsheet accompanying the PSTI Bill in November 2021 identified the “regulatory gap” it is designed to address as relating not to risks of physical harm (which are addressed by “existing regulation”) but “cyber harm such as loss of privacy and personal data”. Over a year later, in March 2023, the OPSS published a review of the safety of smart appliances, focusing on physical hazards that might arise from the compromise of connected appliances (such as fire risks from smart ovens, §2.2); risks to privacy and personal data are acknowledged but not expanded upon, while DDoS attacks and crypto mining expressly “fall outside the scope of this report” (§6.1).

In an official blog published in January 2024, the OPSS openly acknowledged as a “key challenge” the fact that it has “historically focussed on physical product attributes, only recently moving into the world of ‘cybersecurity’”. The OPSS anticipates that manufacturers themselves will face a similar skills gap (§6.4.4). This creates an opportunity for computer security professionals in supporting both the regulator and the regulated.

OPSS has the power to issue financial penalties of up to £10mn (or 4% of worldwide turnover, if higher) — and £20k per day for a continuing breach, incentivising swift compliance. Firms on the receiving end of a regulatory investigation can expect to be held to account for their supply chain assurance measures and steps to mitigate cyber risk for consumers, especially if an investigation follows the discovery or exploitation of a widespread vulnerability.

// What does compliance look like?

Compliant firms will be able to show the due diligence steps they have taken within their supply chain before making a product available in the UK, together with clear messaging to customers to inform them about support periods and reassure them about compliance with the relevant standards.

With such a broad range of firms exposed to the risk of regulatory investigation — into matters likely to fall outside their in-house expertise — the PSTI creates significant opportunities for computer security professionals to work with those firms to certify their compliance with these new mandatory standards.

This could include:

  • reviews of products and suppliers;

  • engagement with suppliers;

  • designing clear communications to customers;

  • devising and managing new vulnerability disclosure processes;

  • advice on associated commercial and regulatory risks.

With overlapping legislation expected soon to arrive in the EU (through the Cyber Resilience Act), firms active in both UK and European markets should act now to ensure compliance with both regimes.

// What happens if the regulator takes action?

It is undoubtedly best to engage early with specialist advice to mitigate the many risks associated with regulatory action. Demonstrating a proactive approach to compliance significantly diminishes the likelihood and impact of regulatory intervention. Showing proactive willingness to invest in complying with regulations can serve as a ‘shield’ even in the case of a blameworthy violation.

Perhaps the worst-case scenario for regulated firms is the realisation of heightened risks that arise when a vulnerability is identified or exploited in a connected device that they have helped to make available to UK customers. In the wake of the discovery of such a vulnerability, calls of ‘something must be done’ could well lead to a regulatory investigation.

This predictable rhetoric also gives rise to a heightened risk of regulatory over-reaction, particularly where those directly responsible for vulnerable code are located outside the jurisdiction. In such cases it would be wise for UK firms to have a robust audit trail for their role in the supply chain and the steps they have taken proactively to mitigate the security risks, such as contacting customers to inform them of the issue, withdrawing devices from sale and supporting them in patching their devices.

Noting that neither the product safety regulator nor the firm in question is likely to be an expert in computer security, specialists are likely to play a key role in contextualising the actual impact of a given vulnerability to help ensure a proportionate regulatory response.

With enforcement action expected to be widely publicised, including on a public register maintained by the OPSS, regulatory findings may also be relevant in separate civil litigation brought by consumers. This gives rise to associated risks to reputation and market standing, complicating tender submissions for future contracts.

If an enforcement notice is served, there is a route of appeal to a specialist tribunal, which has powers to award compensation where notices are wrongly given, in relation to which specialist legal advice and representation should be sought.

// How can pwn.legal help?

With the stakes high for your clients, our expert lawyers can assure the advice you give regarding compliance with legal obligations under the PSTI.

We can support your interactions with the OPSS, including proactive approaches in cases of non-compliance, representation and support during enforcement investigations and practical advice to avoid formal enforcement action.

We can also help you to negotiate favourable contractual terms with manufacturers and suppliers, designed to mitigate these regulatory risks.

In the event that formal or informal enforcement action is taken, we can work with you and your clients to protect their (and/or your) business interests, including advice and representation in appeals and related legal proceedings, including reputation management.

27 May 2024
Rich@pwn.legal