Top

Enhancing IoT security: UK’s new regulations and HackerOne’s insights

The UK has implemented fresh security regulations for connected devices, courtesy of the Product Security and Telecommunications Infrastructure (PSTI) Act. This legislation lays down the foundation for security standards in IoT products, mandating compliance from manufacturers targeting UK consumers. Non-compliance with the PSTI Act carries substantial penalties, potentially amounting to either £10 million or 4% of the qualifying worldwide revenue for the latest accounting period. Thus, proactive measures are imperative to mitigate the risk of penalties and uphold cybersecurity standards.

HackerOne, a prominent figure in bug bounty and vulnerability disclosure programs, played an active role in shaping these regulations. Their collaboration with the UK government highlighted the necessity of robust vulnerability disclosure policies (VDPs) in bolstering the cybersecurity landscape.

“With stronger default security practices, such as unique passwords, consumer smart devices will be more resilient out of the box. Transparency around the security support date will help consumers make informed purchasing decisions, fostering additional marketplace competition based on security. The requirements also help pave the way for a more standardized approach to device security, potentially reducing the fragmentation in security practices across different manufacturers,” said Michael Woolslayer, Policy Counsel, HackerOne.

“More specifically, ensuring that organizations have a process to receive and fix vulnerabilities is already a best practice recommended by many of the most widely adopted cybersecurity frameworks and standards. VDPs foster a collaborative environment where security researchers, consumers, and manufacturers work together to enhance product security. Early vulnerability disclosure helps mitigate potential cyber threats before they escalate into larger security incidents. By requiring manufacturers to provide clear channels for reporting vulnerabilities, the regulation will help to ensure quicker identification and resolution of security flaws, ultimately protecting consumers.”

The significance of the new regulations

Michael highlighted the significance of the new regulation, highlighting that it primarily targets manufacturers of consumer devices capable of internet connectivity sold within the UK, notably encompassing smart or IoT devices. The PSTI Act, particularly in its first segment, aims to bolster the security of consumer smart products by mandating compliance with baseline security standards. These standards closely mirror the top three principles outlined in the voluntary Code of Practice for Consumer Internet of Things (IoT) Security.

Enhancing IoT security: UK's new regulations and HackerOne's insights
Photo by Onur Binay on Unsplash

Key security requisites outlined in the regulation encompass:

Unique Passwords: Each device’s software must feature distinct default passwords, or users should have the ability to set their own. These passwords must steer clear of easily guessable patterns or simplistic iterations.

Reporting Security Issues: Manufacturers are obligated to furnish clear, accessible, and transparent avenues for reporting security vulnerabilities. This process must entail anticipated timelines for acknowledgement and resolution updates, devoid of any personal information requests from the reporter.

Security Update Information: Manufacturers must furnish unambiguous and accessible details concerning the minimum duration for security updates, including an end date that will be available for the device.

The PSTI Act

However, certain products, such as specific smart metering devices, smart charge points, medical devices, and certain computer types, are exempt from these regulations.

Organizations are urged to assess their existing security frameworks, ensuring alignment with the mandated standards. Those falling under the jurisdiction of the PSTI Act must furnish a statement of compliance encompassing basic product and manufacturer information. Additionally, the PSTI Act imposes supplementary duties on manufacturers, including the investigation of potential compliance lapses, actions to rectify non-compliance and meticulous record-keeping.

George Mavridis is a journalist currently conducting his doctoral research at the Department of Journalism and Mass Media at Aristotle University of Thessaloniki (AUTH). He holds a degree from the same department, as well as a Master’s degree in Media and Communication Studies from Malmö University, Sweden, and a second Master’s degree in Digital Humanities from Linnaeus University, Sweden. In 2024, he completed his third Master’s degree in Information and Communication Technologies: Law and Policy at AUTH. Since 2010, he has been professionally involved in journalism and communication, and in recent years, he has also turned to book writing.