IoT Blog

Securing our Digital Future – Understanding the UK Product Security and Telecommunications Infrastructure Act (PSTI)

Written by Greg Dunn | August 1, 2024

In an era where cybersecurity is paramount, the UK's recent legislative strides signal a major leap forward in safeguarding digital infrastructure. The Product Security and Telecommunications Infrastructure (PSTI) Act of 2022, in effect since late April 2024, aims to improve the security of connected products and enhance broadband connectivity across the country. Semtech’s solutions are compliant with the PSTI Act, underscoring our commitment to meeting industry-leading security standards. This blog delves into the specifics of this significant regulation and explores how AirLink® routers are designed to comply with these security requirements through a robust defense-in-depth approach. 

Understanding the PSTI Act  

The PSTI Act was introduced to address vulnerabilities in connected products, often referred to as "smart" products. These devices, ranging from smart thermostats to connected security systems, have become integral to our daily lives and are also critical to the nation's infrastructure, with wireless routers playing an increasing role in smart grid and public safety systems. As the risk of cyber-attacks intensifies, the PSTI Act aims to mitigate these threats by enforcing security measures that manufacturers must comply with when selling their products in the UK. 


Key Security Requirements 

The PSTI Act outlines three critical security requirements: 

  • Mandatory Security Updates: Manufacturers must ensure that their products receive timely security updates. This includes providing clear information about the duration of support for these updates.  
  • Unique Passwords: Default passwords across all devices are prohibited. Instead, each device must have a unique password or require the user to set one upon first use. 
  • Transparency and Reporting: Companies must maintain transparency regarding their security practices and report any vulnerabilities discovered in their products promptly. 


The Security Value of the PSTI Act 

Ensuring that all connected products sold in the UK comply with these security standards provides numerous benefits for the nation's digital safety: 

  • Enhanced Customer Trust: By ensuring that connected products are equipped with robust security features, the PSTI Act helps build trust between customers and manufacturers.
  • Reduced Cyber Threats: With unique passwords and transparency about vulnerabilities and security update support, the potential for widespread cyber-attacks is significantly reduced.
  • Futureproofing: As technology evolves, the PSTI Act helps ensure that devices remain secure against emerging threats, maintaining the integrity of the UK's digital infrastructure. 


Going Beyond PSTI - Security, a Shared Responsibility 

While the UK PSTI Act is important in ensuring manufacturers prioritize product security, it alone cannot fully safeguard connected devices. Security is a shared responsibility that also crucially involves users. Even the most robust security measures implemented by manufacturers can fall short if users do not play their part. Firmware and security updates, essential for protecting against emerging threats, are only effective when promptly installed by users. 
 
Indeed, manufacturers play a critical role in identifying vulnerabilities in their products and releasing timely security fixes. However, these efforts can be rendered useless if users delay or neglect to install these updates. The situation becomes even more precarious because once vulnerabilities are publicly disclosed, they become common knowledge and can be readily exploited by cyber attackers. 
 
Similarly, while it's crucial for manufacturers to remain transparent about the software support dates for their devices and inform users when a device reaches its end-of-support, users must act upon these notices. Continuing to use hardware long after its end-of-support date can leave your network exposed to new security threats as new vulnerabilities are discovered. Learn more: https://blog.sierrawireless.com/dont-let-your-network-security-expire 

 
Ultimately, a collective approach to security, where both manufacturers and users fulfill their responsibilities, is essential for protecting our digital lives against the increasing threats of cyber-attacks. By staying proactive and engaged in security practices, users can contribute significantly to the overall safety and integrity of their connected devices. 
 

AirLink Routers: A Defense-in-Depth Strategy 

AirLink routers are designed with advanced security features that align with the PSTI Act's requirements. Here's how: 

  • Security Updates: All current AirLink routers benefit from a defined minimum support timeframe for unrestricted critical firmware updates, which is specified at the router level and clearly stated on each router's webpage. Understanding that security updates are only valuable when promptly deployed, our routers come with one year of AirLink services, including remote management capabilities through the AirLink Management Service (ALMS). This cloud platform allows you to easily and remotely deploy new firmware and security patches over-the-air with just a few clicks. You can also manage firmware upgrade campaigns with automatic retry capabilities and detailed reporting of results. Customers who do not renew their AirLink Service subscription can still install security updates locally using the router interface. 

  • Unique Passwords: Default administrative passwords are randomly generated and unique per device.   
     
  • Vulnerability Management: As a CVE Numbering Authority for AirLink routers, we follow MITRE-approved processes to accept vulnerability reports, coordinate with security researchers, and issue CVE reports against our products. Semtech monitors several databases such as the national vulnerability database (NVD) for potential problems with third-party components. Any new vulnerability discovered is assigned a severity score and may be publicly disclosed in accordance with our vulnerability management policy on our website, with remediation and fixes communicated promptly for all affected products. Customers can report any vulnerabilities here. 


  • Defense-in-Depth Approach: Recognizing that no single measure can secure connected products, we employ a Defense-in-Depth strategy that also encompasses: 

    • Device-initiated communications (LWM2M) 
    • Modern encryption methods 
    • Access control features to lock down local connections (Ethernet/Wi-Fi LAN) 
    • VPN capability that is FIPS 140-2 compliant 
    • Security event log integration for enterprise-wide visibility 
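The two PSTI requirements that a fleet owner can actually verify on their own inventory are the ones described above: no default password shared across devices, and a declared security-update support window that has not lapsed. The following script is an added example written for this post; it is not Semtech or AirLink code and does not use any AirLink or ALMS API. It assumes a hypothetical inventory export with `serial`, `default_password` and `support_until` fields (a real inventory would hold a password hash rather than the password itself; grouping by hash works the same way), and it shows per-device default generation from the OS CSPRNG alongside a fleet audit that flags shared defaults and devices past end-of-support.

```python
"""Fleet-level audit of two PSTI requirements: no shared default
passwords and a known, unexpired security-update support window.
Added example; inventory fields and sample values are assumptions."""
import secrets
import string
from collections import defaultdict
from datetime import date

# Constructed sample inventory; serials, passwords and dates are made up.
# A real export would carry a hash of the default password, not the value.
SAMPLE_FLEET = [
    {"serial": "SN-0001", "default_password": "admin",
     "support_until": date(2027, 4, 30)},
    {"serial": "SN-0002", "default_password": "admin",
     "support_until": date(2027, 4, 30)},
    {"serial": "SN-0003", "default_password": "r8Vt2kQzLm4pXw9B",
     "support_until": date(2023, 12, 31)},
    {"serial": "SN-0004", "default_password": "Hc3nYd7sWq1tRb5J",
     "support_until": date(2028, 1, 1)},
]

# Date the audit is run against (fixed so results are reproducible).
AUDIT_DATE = date(2024, 8, 1)

PASSWORD_ALPHABET = string.ascii_letters + string.digits


def generate_device_password(length: int = 16) -> str:
    """Per-device default password drawn from the OS CSPRNG (secrets),
    never from a fixed string or a formula over the serial number."""
    if length < 12:
        raise ValueError("per-device default password too short")
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def find_shared_default_passwords(fleet):
    """Return {password: [serials]} for every default used by more than
    one device; an empty dict means the unique-password rule holds."""
    by_password = defaultdict(list)
    for device in fleet:
        by_password[device["default_password"]].append(device["serial"])
    return {pw: serials for pw, serials in by_password.items()
            if len(serials) > 1}


def devices_past_support(fleet, today: date):
    """Devices whose declared security-update window has already ended
    and should be scheduled for replacement."""
    return [d for d in fleet if d["support_until"] < today]


def audit_fleet(fleet, today: date) -> dict:
    """Combine both checks into one report a fleet owner can act on."""
    shared = find_shared_default_passwords(fleet)
    expired = devices_past_support(fleet, today)
    return {
        "shared_defaults": shared,
        "past_support": [d["serial"] for d in expired],
        "compliant": not shared and not expired,
    }


if __name__ == "__main__":
    print(audit_fleet(SAMPLE_FLEET, AUDIT_DATE))
    print("fresh per-device default:", generate_device_password())
```

On the constructed inventory the report flags `admin` as shared by SN-0001 and SN-0002 and lists SN-0003 as past its support date, so the fleet is reported non-compliant; the generator produces a distinct 16-character default on every call because it draws from `secrets` rather than a seeded or serial-derived source.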

As the digital landscape continues to evolve, staying ahead of cybersecurity threats is crucial. The PSTI Act represents a pivotal step in this direction, and Semtech’s solutions are at the forefront of this evolution. By understanding and adhering to these new regulations, both customers and manufacturers can contribute to a safer, more resilient digital environment. 

To learn more about Semtech's defense-in-depth strategy, visit our website or watch our webinar "IoT Security Strategies: Implementing Secure Connected Solutions".