UC Advanced - issue #15

simple requirements. Let me elucidate a little to give you some insight. The password requirement was included specifically to mitigate the threat of botnets – remove that threat and we’re off to a great start. Yet passwords are one method of authentication control – there may be better options for both users and security. It is beyond the scope of this article to delve deeper here but suffice to say, manufacturers should consider their options more broadly. Indeed, it has been pointed out that user-defined passwords can often be weaker simply because some may (and do) opt for easy-to-remember passwords. And manufacturers could opt to not have a password at all – this would make the device compliant but would defeat the regulation entirely!

Manufacturers will also have to carefully consider the defined support period they offer. Too short a period and that may put customers off; too long and it may pose a maintenance burden outwith the economics of the market. Generally speaking, consumer products move quickly, hence most will likely opt for a range of 3-5 years. However, it is permissible to have no support at all – so long as it is publicised. Whilst the regulation calls for a specific end date (which can be extended), we have seen examples of a relative date – “2 years after the product’s end-of-life” – this is logical but not compliant with the regulation wording.

There are notably more nuanced issues that have arisen since April 29th last year yet I am out of space for this article. Cybersecurity is a movable feast and meeting minimum expectations through regulation must evolve with it as the practicalities unfold.

Since its inception in 2015, the IoT Security Foundation (IoTSF) has been active in the development of best practices for manufacturers and regulation when markets fail due to a lack of incentives. As such, the IoTSF have been championing the development of the UK’s Product Security and Telecommunications Infrastructure (PSTI) Act.

So what now? IoTSF is currently helping UK Government understand the practical implications of the PSTI Act and we need your help – if you’ve anything to say – good or bad – please get in touch as we’d like to hear from you.

And in general, if you’re involved with provisioning cybersecurity in products or part of the compliance team, the IoT Security Foundation is not only a source of free information, it is also a community of like-minded professionals dedicated to making the connected world ‘safe to connect’. In particular for the PSTI Act we have a series of free quick guides and webinars. For those with a security mindset, our IoT Security Assurance Framework is internationally acclaimed and will not only inform you of what to do, but how to do it too – with utility beyond UK regulation. Those resources, along with our regular programme of webinars and conferencing, are all part of a programme to make sure we work together to address the wicked challenge of IoT cybersecurity.

In summary, the UK’s PSTI Act marks a pivotal moment in the regulation of consumer IoT security. By setting minimum security standards and enforcing compliance, the Act aims to create a safer digital environment for consumers while encouraging manufacturers to prioritise cybersecurity in their product development processes. However, we’re seeing examples of unintended consequences that must be addressed to ensure the regulation works as intended during the review – industry feedback is wanted.

[Figure: cover of the IoT Security Foundation “IoT Security Assurance Framework”, Release 3.0, Nov 2021 – IoTSF product security assurance, IoTSF WG1]
