IoT cyber standard

by Mark Rowe

At the European standards body ETSI, its Technical Committee on Cybersecurity (TC CYBER) has unveiled ETSI EN 303 645. That’s a European standard (EN) for cybersecurity in the Internet of Things.

According to the standards body, the standard sets up a security baseline for internet-connected consumer products and provides a basis for IoT certification schemes. Based on the ETSI specification TS 103 645, EN 303 645 went through National Standards Organisation comments and voting.

Among the provisions: no universal default passwords; a means to manage reports of vulnerabilities; keep software updated; securely store sensitive security parameters; communicate securely; minimise exposed attack surfaces; ensure software integrity, and that personal data is secure; make systems resilient to outages; examine system telemetry data; make it easy for users to delete user data; and make installation and maintenance of devices easy. As that list suggests, and as the document says in its introduction, the standard addresses the ‘most significant and widespread security shortcomings’, to protect against ‘elementary attacks on fundamental design weaknesses’, such as a user having easily guessable passwords. The standard is not aimed at IoT devices in healthcare or industry.

As ETSI says, as ever more devices in the home connect to the internet, the cybersecurity of the Internet of Things (IoT) becomes a growing concern. Hence the EN is designed to prevent large-scale, prevalent attacks against smart devices. Compliance with the standard will restrict the ability of attackers to take control of devices and herd them into botnets, which are used to launch DDoS (distributed denial of service) attacks, mine cryptocurrency and spy on users in their own homes.

ETSI EN 303 645 specifies 13 provisions for the security of Internet-connected consumer devices and their associated services. IoT products in scope include connected children’s toys and baby monitors, connected safety-relevant products such as smoke detectors and door locks, smart cameras, TVs and speakers, wearable health trackers, connected home automation and alarm systems, connected home appliances (such as washing machines, fridges) and smart home assistants. The EN also includes five specific data protection provisions for consumer IoT.

Juhani Eronen of the Finnish Transport and Communications Agency Traficom says: “We launched the Finnish IoT label in November 2019; it was a world first and it attracted a lot of global interest. Our labels are awarded to networking smart devices that meet certification criteria based on EN 303 645; this helps consumers identify IoT devices that are sufficiently secure. To date we have awarded the labels to several products including fitness watches, home automation devices and smart hubs. Being involved in the development of the ETSI standard from the start helped us a lot in building up our certification scheme. Feedback from companies and hackers has been very positive so far.”

And Mahmoud Ghaddar, CISO Standardization at Legrand, says: “Legrand is pleased to have contributed to the ETSI EN 303 645 standard. It focuses on the product baseline controls addressing the most common security weaknesses in the IoT ecosystem. Ensuring a better level of security in the IoT ecosystem can only be achieved if governments, industry and consumers collaborate on a common and reachable goal, and standardization bodies like ETSI have provided the right platform to achieve it for this standard.”

Background

France-based ETSI describes its EN 303 645 as a standard that presents a target for manufacturers and IoT stakeholders, to underpin assurance schemes. The ETSI Technical Committee CYBER (TC CYBER) continues its work on IoT security, with the development of a test specification and an implementation guide to complement EN 303 645. To read the 34-page standard, visit the ETSI website.

Meanwhile, the United Nations has released two new cyber regulations. They cover performance and audit requirements for manufacturers of ‘connected’ cars.

© 2024 Professional Security Magazine. All rights reserved.