The UK PSTI Act and its implications for the print market
The UK Product Security and Telecommunications Infrastructure (PSTI) Act will come into effect on 29 April 2024. The product security aspect of this act stipulates a new regulatory scheme to make consumer connectable products more secure against cyberattacks by setting minimum security requirements.
Obligations are imposed upon manufacturers, importers, distributors and resellers of these products. Manufacturers of IoT devices, such as printers and MFPs, will have to comply with the minimum security requirements, such as banning universal default passwords, providing clear information on software updates, and reporting security vulnerabilities.
While the PSTI Act currently states it is focused on connected consumer devices, the definitions contained within the Act cover most business devices as well, and it is likely that the Act will cover these in the future. Many print manufacturers are already working on ensuring their products are compliant.
What is the PSTI Act?
The PSTI bill was put before Parliament in 2021, outlining measures to address the growing cybersecurity threats posed by the poor security of many connected devices. It proposed security requirements for connected consumer devices, including smart TVs, smart speakers, cameras, routers, and similar devices commonly used in homes.
In December 2022, the Product Security and Telecommunications Infrastructure (PSTI) Act received Royal Assent in the UK. Its rules come into effect on 29 April 2024, and will have wide-ranging impact on any organisation making, distributing, or selling electronic equipment in the UK.
Many aspects of the Act require fundamental changes to how equipment is built and configured – any lack of adherence to the Act’s rules may lead to civil and criminal charges. With a focus on strengthening cybersecurity measures, it introduces requirements for manufacturers and distributors of designated products, aiming to create a more secure and resilient digital infrastructure.
The Act is divided into two parts: Part 1 covers product security, while Part 2 covers specific requirements for those operating telecommunications infrastructure. The terms of Part 1 become actionable to all manufacturers, vendors, and distributors selling, leasing, or otherwise making available any system covered under the Act from 29 April 2024.
What is covered by the Act?
The Act covers various aspects of device security. The two main ones are:
- Default passwords. Manufacturers can no longer have default passwords that are the same across a range of devices. Each item must have its own unique password or require the user to set one during device initiation. Unique passwords cannot use incremental counters or be based on publicly derivable information, serial numbers, or easily guessable systems.
- Security update periods. Manufacturers must publish the minimum period for which a device will receive security updates. If the manufacturer extends this period, the new period must be quickly publicised.
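As an added illustration, not part of the Quocirca article or of any vendor's own code, the following Python shows how a manufacturer might generate per-device factory passwords from a cryptographic random source, and how a fleet of (serial number, password) records could be audited for the patterns the Act rules out: a password shared across devices, a password derived from the serial number, or an incremental counter scheme. The serial numbers and passwords in the sample fleet are constructed data, and the detection heuristics are assumptions for illustration rather than anything the Act prescribes.

```python
import re
import secrets
import string
from collections import Counter

# Alphabet for factory-set passwords. Ambiguous glyphs (0/O, 1/l/I) are
# left out so the value printed on the device label can be typed reliably.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits if c not in "0O1lI")


def generate_device_password(length: int = 16) -> str:
    """Return a per-device password drawn from the OS CSPRNG.

    Nothing about the device (serial number, MAC address, build counter)
    feeds into the value, so knowing one device's details reveals nothing
    about the password of any other device.
    """
    if length < 12:
        raise ValueError("too short for a factory credential")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


# Matches a password that ends in a run of digits: stem + counter.
_TRAILING_NUMBER = re.compile(r"^(.*?)(\d+)$")


def _stem_and_counter(password: str):
    """Split 'printer42' into ('printer', 42); None if no trailing digits."""
    m = _TRAILING_NUMBER.match(password)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def check_fleet_passwords(records):
    """Flag factory passwords that would not count as unique per device.

    records: iterable of (serial_number, factory_password) pairs.
    Returns a list of (serial_number, reason) findings; an empty list
    means no record tripped any of the three heuristics below.
    """
    records = list(records)
    findings = []

    # 1. The same password on more than one device (a universal default).
    counts = Counter(pw for _, pw in records)
    for serial, pw in records:
        if counts[pw] > 1:
            findings.append((serial, "password shared with another device"))

    # 2. Password built from publicly visible device data (the serial number).
    for serial, pw in records:
        if serial and serial.lower() in pw.lower():
            findings.append((serial, "password derived from the serial number"))

    # 3. Incremental counter: a common stem with consecutive trailing numbers.
    by_stem = {}
    for serial, pw in records:
        split = _stem_and_counter(pw)
        if split:
            by_stem.setdefault(split[0], []).append((split[1], serial))
    for entries in by_stem.values():
        nums = sorted(n for n, _ in entries)
        if any(b - a == 1 for a, b in zip(nums, nums[1:])):
            for _, serial in entries:
                findings.append((serial, "password follows an incremental counter"))

    return findings


if __name__ == "__main__":
    # Constructed sample fleet: three counter-based, two shared, one serial-derived.
    sample_fleet = [
        ("SN000001", "printer1"),
        ("SN000002", "printer2"),
        ("SN000003", "printer3"),
        ("SN000004", "admin"),
        ("SN000005", "admin"),
        ("SN000006", "pw-SN000006"),
        ("SN000007", generate_device_password()),
    ]
    for serial, reason in check_fleet_passwords(sample_fleet):
        print(f"{serial}: {reason}")
```

The audit is deliberately conservative: it reports only the three patterns named in the Act's wording and does not try to judge password strength, which a separate policy check would cover.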
The Act covers not just firmware, but also any software that needs to be installed for the device to operate.
The Act does have exceptions – for example, a device that cannot connect directly to the internet or more than one other device does not need to adhere to its clauses. Also, the government has decided that the relevant Secretary of State can declare a device exempt if required to meet, for example, national security needs.
Implications for B2B technology vendors
Although the Act is focused on consumer devices, the wording of the Act also covers most connected devices in the business space. Quocirca believes the Act will be quickly extended to cover business devices, and as such, vendors, including those in the print device space, will need to ensure that they put processes in place that deal with the extra work the Act will place on them.
These include:
- Compliance burdens. B2B vendors supplying designated products will need to ensure they comply with the security requirements, which potentially will lead to increased costs and development time. Vendors must make details of a nominated entity available within their organisation for users to contact regarding any aspect of the device’s security.
- Security by design. The bill emphasises ‘security by design’, encouraging vendors to integrate security features throughout the product lifecycle and impacting product design and development processes. Lack of awareness of the Act or any of its clauses does not excuse noncompliance. Therefore, manufacturers, distributors, and resellers need to ensure that they understand who the core person responsible is. This person is likely to be within the manufacturer.
- Transparency and reporting. Vendors need to provide transparency reports detailing their security practices and incident reporting procedures. The Act stipulates that much of the information must be made available in an easily obtainable manner, in English, and in a format that is easily understood.
- Enhanced security standards. Printers and IoT devices are likely to fall under the ‘connected consumer devices’ categories, which will mandate stricter security measures such as secure boot, vulnerability patching, and password complexity.
- Interoperability challenges. The Act’s focus on specific security protocols might create interoperability challenges for diverse ecosystems. Manufacturers must ensure that open standards are used everywhere to avoid issues around interoperability. The Act will make proprietary environments harder to support.
For connected printers and MFPs, this will not just require securing basic device firmware. All areas, such as scanning, email integration, fax capability, and network routing must also be secured. It will also apply to open Wi-Fi connections – printers must now have secured connections to prevent easy access.
Print OEMs are working towards compliance
A range of print manufacturers have confirmed that they are either investigating or working to ensure compliance with all three areas of the Act. This includes Brother, Canon, Epson, HP, Kyocera, Lexmark, Sharp and Xerox. Most already follow a “Secure by Design” approach. The following vendors have shared further details with Quocirca:
Brother: All Brother devices will be fully compliant with the PSTI Act and receive guaranteed software security updates until at least five years after the device is last in production. Brother states that all Brother devices are protected from the factory by a default password which is unique per device. This approach complies with EN 303 645 and has been in place since May 2020. Brother’s Product Security Incident Response Team (PSIRT) is the point of contact regarding any vulnerabilities associated with Brother products.
Canon: Canon is working towards compliance and putting in place measures which ensure that all relevant products meet the new requirements. Full compliance statements will be available on Canon’s local website. Firmware updates will be cascaded to relevant products that currently have default passwords, whilst security update support will be provided for Canon’s office and personal products (printers) as well as photo, video and laser products. Vulnerability reporting will continue to be provided through the established Canon PSIRT website.
Kyocera Document Solutions: The company has already put into production the requirements for compliant machines including preparation of firmware for existing stock. They report that they now have thousands of PSTI compliant machines in their European warehouses, ready for purchase specifically for the UK market. Information relating to product support periods will be detailed on the UK website, alongside information on Kyocera’s Vulnerability Disclosure Policy (VDP).
Lexmark: Currently, when a Lexmark device is first powered on, customers can opt in to Secure by Default, which allows them to create an admin account, including a unique password (Lexmark states that its devices have never used default passwords), and restrict certain admin menus and ports. Typically, Lexmark provides firmware support for a minimum of 5 to 7 years after the end of printer production.
Xerox: Xerox states that Xerox products are already in compliance with the three main areas of the PSTI Act.
Quocirca opinion
Overall, the PSTI Act presents both challenges and opportunities for manufacturers and the channel. While complying with the new requirements might require adjustments and investments, it also creates a level playing field, promotes responsible security practices, and fosters trust in the print and digital ecosystem.
Vendors that proactively adapt and embrace the security-first approach will be well positioned to thrive in the evolving landscape. Print management software vendors may also need to adopt secure APIs to print devices, rather than any dependence on built-in username/password pairs.
Meanwhile, the Cyber Resilience Act (CRA) will introduce new cybersecurity obligations for a range of digital products sold in the EU. Obligations under the CRA will come into force over a phased transition period, with the vulnerability reporting obligations expected to be in force in late 2025, and remaining obligations in 2027.
With manufacturers required to meet stricter security standards, customers will be able to make more informed decisions about device security features. This creates an opportunity for channel partners to work with vendor partners that can offer a broad portfolio of PSTI-compliant devices to ensure customers’ printer fleets are compliant.
Ultimately vendors in the manufacture, distribution, and sales chain of devices will need to ensure that they maintain full visibility of the changing global regulatory landscape.