The UK Product Security and Telecommunications Infrastructure (Product Security) regime

The UK Product Security and Telecommunications Infrastructure (PSTI) regime has come into force, effective from 29th April 2024. The regulations apply to businesses that manufacture, import or distribute connectable products in the UK, i.e. products that connect over the internet or can be networked with other devices.

The Security Requirements 

The security requirements are actions that relevant businesses in the supply chain must take, or requirements that a product must meet, to address a security problem or eliminate a potential security vulnerability. 

Schedule 1 to the 2023 Regulations sets out the specific requirements that must be complied with in relation to relevant connectable products.

1. Passwords  

Passwords must be unique per product, or capable of being defined by the user of the product.

They must not be:

  • based on incremental counters;
  • based on or derived from publicly available information;
  • based on or derived from unique product identifiers, such as a serial number, unless this is done using an encryption method, or keyed hashing algorithm, that is accepted as part of good industry practice; or
  • otherwise easily guessable.
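The password rules above, as an added Python example that is not part of the regulations or of the original page: it derives a per-device default password from the serial number with a keyed hash, and audits a provisioning batch for the patterns the rules exclude. HMAC-SHA256, the alphabet, the function names, the factory key and the sample serials and passwords are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import re
from collections import Counter

# HMAC-SHA256 is this example's choice of keyed hash; the regulations name none.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # 32 symbols, look-alikes removed

def derive_default_password(factory_key: bytes, serial: str, length: int = 16) -> str:
    """Derive a per-device default password from the serial with a keyed hash."""
    digest = hmac.new(factory_key, serial.encode(), hashlib.sha256).digest()
    # 256 is a multiple of 32, so masking each byte to 5 bits adds no bias.
    return "".join(ALPHABET[b & 0x1F] for b in digest[:length])

def _counter_parts(password: str):
    """Split 'admin0002' into ('admin', 2); None if there is no numeric suffix."""
    m = re.fullmatch(r"(.*?)(\d+)", password)
    return (m.group(1), int(m.group(2))) if m else None

def audit_batch(batch: dict) -> dict:
    """Map each serial to the set of problems found in {serial: default_password}."""
    findings = {serial: set() for serial in batch}
    reuse = Counter(batch.values())
    serials = sorted(batch)
    for i, serial in enumerate(serials):
        pw = batch[serial].lower()
        if reuse[batch[serial]] > 1:
            findings[serial].add("not unique per product")
        if serial.lower() in pw or serial[::-1].lower() in pw:
            findings[serial].add("contains serial number")
        for algo in ("md5", "sha1", "sha256"):  # unkeyed hashes of the serial
            if len(pw) >= 8 and pw in hashlib.new(algo, serial.encode()).hexdigest():
                findings[serial].add("unkeyed hash of serial")
        prev = _counter_parts(batch[serials[i - 1]]) if i else None
        cur = _counter_parts(batch[serial])
        if prev and cur and prev[0] == cur[0] and cur[1] - prev[1] == 1:
            findings[serial].add("incremental counter")
            findings[serials[i - 1]].add("incremental counter")
    return findings

# Constructed sample data: hypothetical serials, passwords and factory key.
FACTORY_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
WEAK_BATCH = {
    "SN1001": "admin0001",
    "SN1002": "admin0002",
    "SN1003": hashlib.md5(b"SN1003").hexdigest()[:10],
    "SN1004": "pwSN1004",
}
GOOD_BATCH = {s: derive_default_password(FACTORY_KEY, s) for s in WEAK_BATCH}
```

With a keyed derivation the factory key is the only secret: anyone holding it and a serial number can recompute the password, so it needs the same protection as any other signing or provisioning key.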

2. Information on how to report security issues  

The manufacturer must provide information on how to report security issues about their product to them. The manufacturer must also provide information on the timescales within which the person making the report can expect an acknowledgment of receipt of the report, and status updates until the reported security issues are resolved.

This information should be made available without prior request in English, free of charge. It should also be accessible, clear and transparent. 

3. Information on minimum security update periods  

Information on minimum security update periods must be published and made available to the consumer in a clear, accessible and transparent manner. This must be the minimum length of time security updates will be provided along with an end date.

This information should be available without prior request in English, free of charge and in such a way that it is understandable for a reader without prior technical knowledge.

Exceptions

There are exceptions to the regime, which are listed in Schedule 3 of the regulations. For example, charge points for electric vehicles, medical devices, desktop or laptop PCs, or tablets without internet connectivity are excepted from the regulations (but notably not those which are targeted at children under 14).

Reviews

The regulations will be reviewed periodically by the Secretary of State, with a requirement for that review to be carried out on a minimum of a 5-year schedule.

RISE Embarks on Phase 2 – Addressing Semiconductor Security Challenges

NCSC has approved funding for RISE Phase 2 from 2023-2026, which is hosted under Professor Máire O’Neill at the Centre for Secure Information Technologies (CSIT), Queen’s University Belfast. Three new RISE research projects have been funded by EPSRC, bolstering hardware and embedded systems security research.

The National Cyber Security Centre (NCSC) – a part of GCHQ – has approved funding for RISE Phase 2 from 2023-2026, which is hosted under Professor Máire O’Neill at the Centre for Secure Information Technologies (CSIT), Queen’s University Belfast. Three new RISE research projects have also been funded by the Engineering and Physical Sciences Research Council (EPSRC), bolstering hardware and embedded systems security research, innovation, and industry partnerships.

RISE aims to establish itself as a global hub for research and innovation in hardware security and, as part of Phase 2, will focus on addressing crucial issues in semiconductor security. The institute’s strategic approach includes fostering close engagement with leading industry partners and stakeholders both within the UK and internationally, with a strong focus on translating research outcomes into practical products, services, and business opportunities to bolster the UK economy.

With the publication of the UK’s National Semiconductor Strategy in May 2023, a key focus of which is to build on our hardware strengths to improve cyber security and ensure that ‘cyber security is considered, and more widely prioritised, at the design stage of chips’, RISE stands poised to contribute significantly, enhancing the UK’s international research standing while augmenting economic competitiveness.

Professor Máire O’Neill summarises the key outcomes of the first phase: “We have made excellent progress across our funded research projects, we kicked-off an international collaboration between the core RISE partners and NTU and NUS in Singapore and launched a UK competition targeting final year UG/MSc students, sponsored by ARM, to help stimulate the next generation of UK hardware security experts.”

Significant research outputs to date include:

  • Plundervolt – an attack developed as part of the University of Birmingham funded project which exploited vulnerabilities with Intel’s Software Guard Extensions, leading to errors that could leak secret information such as encryption keys.
  • Thunderclap – research by the University of Cambridge team that identified vulnerabilities with USB and Thunderbolt interface standards, and which provided security recommendations for hardening systems that were incorporated into the USB 4 standard.
  • An Apple Pay vulnerability discovered by the University of Surrey’s RISE project, which showed that Apple Pay in Express Transit mode, if used with a Visa card, could be abused to make an Apple Pay payment to any shop terminal, of any value, without the need for user authentication.
  • A Queen’s University Belfast project led to the first deep-learning based automated Hardware Trojan (HT) detection system based on gate-level netlists to effectively detect HTs without any pre-knowledge of the circuits. HTs are malicious modifications of integrated circuits.
  • A trusted FPGA environment developed by the University of Manchester team that solves two problems: firstly, it uses their FPGADefender virus scanner to help a cloud service provider (CSP) ensure a user bitstream is not malicious, and secondly, it ensures user IP protection by configuring an FPGA only with encrypted configuration bitstreams.

Phase 2 will involve annual RISE conferences; spring/summer schools; early career researcher training and innovation workshops; a UK/US Workshop on Semiconductor Security; and a UK-wide Training Roadshow. Aligned funding from EPSRC supports three new research projects addressing Trustworthy Deep-Learning based Hardware Trojan Detection at Queen’s University Belfast, Securing and Analysing Trusted Execution Beyond the CPU at the Universities of Southampton and Birmingham, and Securing composable hardware platforms at the University of Manchester.

Professor Máire O’Neill emphasizes, “RISE will continue to play its part in conducting research that addresses security throughout a device’s lifecycle, from the initial design and manufacture through to its operational environment. We will also continue to grow the skillsets and community in the UK in this strategically important area.”

Is Engineering Significant Difference the Key to Enhanced Cybersecurity?

A lively conversation about whether “Engineering Significant Difference” is the key to enhanced cybersecurity.

Contributors:

Peter Davies, Security Expert operating at the convergence of Safety and Security.
An honorary Fellow with Imperial College’s Institute for Security Science & Technology and chair of the AESIN Security Workstream. He is a leading expert on Countering Cyber Attacks targeted Supply Chain infiltration and Cyber Physical Attacks. He has led the Cyber Security aspects of 3 C-CAV research activities and has 30+ years of verifying security systems in hardware and software. Peter likes to say that he does security where it can’t afford to fail. 

Professor Kerstin Eder, University of Bristol, who researches specification, verification and analysis techniques, allowing engineers to design a system and verify/explore its behaviour in terms of functional correctness, safety, performance, power consumption and energy efficiency. Her work includes both formal methods and traditional simulation-based approaches. She has a strong background in computational logic, especially formal verification, declarative programming languages and their implementation, abstract machines, compilation techniques and meta programming.

Dr Weiqiang Liu is currently a full Professor and the Vice Dean of College of Electronic and Information Engineering, Nanjing University of Aeronautics and Astronautics (NUAA), Nanjing, China. He received the B.Sc. degree in Information Engineering from NUAA and the Ph.D. degree in Electronic Engineering from Queen’s University Belfast (QUB), Belfast, United Kingdom, in 2006 and 2012, respectively.

Dr Daniel Page is currently a Senior Lecturer within the Department of Computer Science, University of Bristol. His current research focuses on challenges in cryptographic engineering, in particular the implementation (in hardware and/or software) of, and implementation attacks (relating to both side-channel and fault attacks) on, cryptographic primitives and arithmetic.

Dr Chongyan Gu is a Lecturer in the School of Electronics, Electrical Engineering and Computer Science (EEECS) at Queen’s University Belfast, and a member of the Centre for Secure Information Technologies (CSIT) within Queen’s Global Research Institute of Electronics, Communications & Information Technology (ECIT). Her research focuses on developing advanced hardware security methodologies for enhancing the robustness, reliability, resource efficiency and resilience of hardware devices.

PhD Studentship Opportunities at Queen’s University Belfast

The Centre for Secure Information Technologies (CSIT) at Queen’s University Belfast is seeking motivated PhD students to work on the following research topics:

For further information and how to apply, please visit the QUB website for PhD study

Automotive Cyber Resilience: Operationalizing, Standards and Research

Presenting the work of AESIN, the UK Automotive Council and Zenzic, supported by Queen’s University Belfast, University of South Wales, University of Edinburgh and the Turing Institute, and with further support from BSI, this series of workshops is designed to:

  • Present and discuss the limitations with existing standards in meeting the requirements of the Automotive and other mobility industries worldwide
  • Present the methodology proposed by AESIN, UK Automotive Council and Zenzic to achieve operationalizable and legally sustainable cyber resilience
  • In the context of that methodology set out the research agenda and give examples of applying the outcomes of existing and potential research in support of the methodology

There are 4 workshops which are each limited to 50 attendees. At each site a different academic partner will highlight examples of applying the outcomes of existing and potential research in different areas in support of the methodology.

The workshops will be held at:

4th Dec 2019 – ECIT, Queen’s University Belfast, Queen’s Road, Queen’s Island, Belfast, BT3 9DT. QUB are the academic partner and will use research examples from hardware.

11th Dec 2019 – University of South Wales Conference Centre, CF37 1DL. UoSW are the academic partner and will use research examples from Forensics.

8th Jan 2020 – NXP, Colvilles Road, Glasgow G75 0TG. University of Edinburgh are the academic partner and will use research examples from Modelling.

15th Jan 2020 – Plexal, 14 East Bay Lane, Here East, Queen Elizabeth Olympic Park, London, E20 3BS. The Turing Institute are the academic partner and will use research examples from mathematics and probability.

Who should attend?

This event is designed specifically for researchers with an interest in automotive cyber resilience and the application of security and other research outcomes, including PhD and other research students and their supervisors, early career researchers, representatives from industry, government and other defence and security-relevant NGOs.

For further information please refer to the below guide.