GLOUCESTERSHIRE, UK. April 30th, 2024 – April 29th, 2024 marked the day the PSTI (Product Security and Telecommunications Infrastructure) Act entered into law following a 12-month grace period. It’s a significant piece of legislation affecting all manufacturers selling smart connected devices in the UK. Now that the 12-month grace period is over, any company found in breach of this law will be prosecuted by the government – but from a consumer perspective, it is a big step forward in protecting them from non-compliant devices that affect their online security. The manufacturers of non-compliant devices will be subject to a compulsory product recall as well as punitive fines; non-compliance will now be seen as a criminal offence.
Every IoT manufacturer wanting to sell into the UK market must now comply with the requirements set out by the ETSI (European Telecommunications Standards Institute) Standard, which are mirrored by the UK legislation. The three main requirements are:
• No default passwords – a manufacturer must use unique passwords for individual devices/product sets or allow the user to choose a password for themselves.
• Each device must now have a vulnerability disclosure policy, helping to ensure vulnerabilities are fixed as quickly as possible once discovered.
• Information about the support period of a product or device is to be provided at point of sale, including how long the manufacturer will support the device with updates.
It’s clear from this legislation that recognition is growing of the need for best practice when developing and protecting IoT devices. At The Cyber Scheme, we are increasing the availability of skilled hackers in the IoT/IIoT/ICS environment, helping them use and transfer skills they may already have in app testing or engineering. Our CSII training course provides practical training in IoT hacking, which we believe to be unique, followed by a comprehensive accredited assessment that aims to test the competence of the practitioner in a practical setting. Aimed at intermediate testers, it also provides a pathway to the more advanced IoT exams we currently have in development.
For more information about The Cyber Scheme's IoT training and assessments please visit: https://thecyberscheme.org/iot-ics-training/
ENDS