Introduction to PSTI and ETSI EN 303 645 Standards

What is PSTI?

The UK's PSTI Act is a legislative measure aimed at enhancing the security of telecommunications infrastructure and products. This Act specifically focuses on the security of Internet of Things (IoT) devices, requiring all IoT products sold in the UK market to meet specific security requirements. The goal of the PSTI Act is to reduce cybersecurity risks and protect consumers and businesses from potential security threats.

What is ETSI EN 303 645?

ETSI EN 303 645 is a set of IoT security standards developed by the European Telecommunications Standards Institute (ETSI). These standards aim to provide a series of security guidelines for the design, development, and production of IoT devices. They include a range of fundamental requirements such as secure boot without passwords, minimizing exposed attack surfaces, and ensuring the security of device software updates, all to ensure that IoT devices can withstand cyberattacks and data breaches. ETSI EN 303 645 is a baseline cybersecurity standard adopted or proposed for adoption by most countries globally and has been officially included in the IECEE Scheme. It is no longer limited to Europe and has become a universally recognized standard. Soon, we will see CB reports adopting the ETSI EN 303 645 standard.

The Relationship Between PSTI and ETSI EN 303 645

The relationship between the PSTI Act and the ETSI EN 303 645 standard lies in the fact that the PSTI Act provides the legal framework and specific requirements for IoT device security, while ETSI EN 303 645 offers the technical guidelines for achieving this framework. In other words, the PSTI Act defines the "what" of IoT device security, and the ETSI EN 303 645 standard explains "how" to meet these security requirements.

So, what requirements must be met by following PSTI and ETSI EN 303 645?

Three main points are:

1. Prohibit Universal Passwords: Avoid using universal passwords by adopting secure encryption methods. Authentication is a key consideration here, requiring clients to correctly apply security protection protocols for various ports and adhere to international standard encryption principles.

2. Implement Vulnerability Disclosure Management: Companies must establish a vulnerability disclosure policy allowing researchers and users to report potential security issues. This can be understood as the need for companies to set up a public vulnerability reporting mechanism and commit to promptly responding to and fixing reported vulnerabilities.

3. Transparency of Product Security Update Services: Companies should implement a secure software update mechanism, including using signature verification for the integrity and source of updates. Additionally, they should inform users about available updates and possibly provide automatic update options.

Conclusion

As IoT devices play an increasingly important role in our daily lives, ensuring their cybersecurity becomes crucial. The UK's mandatory PSTI certification is just a pioneer in the cybersecurity certification market, and more countries and regions will standardize cybersecurity certification requirements in the future. China JJR Laboratory provides PSTI certification services for corporate clients as an IEC 17025 authorized laboratory. We welcome you to request a quote.