IoT standard

by Mark Rowe

ETSI TS 103 645 is a new standard for cybersecurity in the Internet of Things, released by the ETSI Technical Committee on Cybersecurity (TC CYBER). The aim is to establish a security baseline for internet-connected consumer products and provide a basis for IoT certification schemes.

As organisers point out, as more devices in the home connect to the internet, the cyber security of the Internet of Things (IoT) is becoming a concern. People entrust their personal data to online devices and services. Products and appliances that have traditionally been offline are now becoming connected and need to be designed to withstand cyber threats. Poorly secured products threaten consumer privacy and some devices are exploited to launch large-scale DDoS (Distributed Denial of Service) cyber attacks.

Hence, TS 103 645. It specifies high-level provisions for the security of internet-connected consumer devices and their associated services. IoT products in scope include connected children’s toys and baby monitors, connected safety-relevant products such as smoke detectors and door locks, smart cameras, TVs and speakers, wearable health trackers, connected home automation and alarm systems, connected appliances (such as washing machines and fridges) and smart home assistants.

Stephen Russell, Secretary-General of ANEC, the organisation representing consumers in standardisation, and an ETSI member, says: “The potential benefits of the IoT will be achieved only if products and services are designed with trust, privacy and security built in, so consumers feel they are secure and safe to use. We are pleased to have contributed to a standard which focuses on the technical and organisational controls that matter most in addressing significant and widespread security shortcomings. It should be a landmark specification for consumers and industry alike.”

TS 103 645 requires implementers to forgo use of universal default passwords, which have been behind many security issues. It also requires a vulnerability disclosure policy to allow security researchers and others to report security issues.

Luis Jorge Romero, ETSI’s Director General, says: “Stakeholders at all levels have worked together to make sure the specification was outcome-focused, rather than prescriptive, giving organizations the flexibility to innovate and implement security solutions appropriate for their products. We’re really proud to release a standard that was highly needed for consumers and society at large.”

ETSI adds that, as many IoT devices and services process and store personal data, this specification can help ensure that these are compliant with the General Data Protection Regulation (GDPR). Separately, TC CYBER recently released TS 103 457 for cyber storage, which standardises an interface between a trusted “secure vault” and a cloud that could be anywhere, with sensitive data stored in the vault. This allows a sensitive function to exist in a lower-security environment while its data is held securely.

Comments

Gary Cox, Technology Director, Western Europe at Infoblox said: “We’ve been saying for some time that we need a British Kitemark equivalent for security in Internet of Things (IoT) so we’re delighted that the ETSI has introduced this new global framework that puts security at the heart of the matter. With the IoT growing in popularity and more consumer devices connecting to enterprise networks by the day, the security situation has become increasingly important, giving rise to the phenomenon of shadow IoT.

“In 2018 we revealed that in a bid to manage the threats posed by shadow IoT, that is to say consumer grade IoT operating unofficially on the corporate network, more than four out of five organisations have introduced a security policy for connected devices. However, a fifth of UK employees rarely follow policies, whilst a quarter aren’t even aware that their firm has a security policy. We can only hope that the new framework will not only educate, but also bring advancements in security policies, lowering the threats introduced by shadow devices.”

Ollie Whitehouse, global CTO at cyber security company NCC Group called it ‘incredibly encouraging’ to see the UK’s leadership ambition in securing IoT devices globally come to fruition. He said publication was testament to the international consensus on what needs to be done to ensure consumers can feel their internet-connected devices are safe and secure to use.

“We have long held the view that some market failures can only be addressed through the right regulatory frameworks and incentives. It is welcome that ETSI’s standard reflects how the adoption of its principles can help organisations achieve compliance with global regulatory regimes, from GDPR and cyber security certification in Europe to the IoT Cyber Security Improvement Act in the US.

“As global standardisation moves ahead, manufacturers in every country need to understand that an international supply chain is no longer an excuse to ignore good security practice. Manufacturers around the world should take the right steps now to build an appropriate level of security into their products.”

Separately, NCC Group and the University of Surrey have set up a partnership to advance security research within the space industry.


© 2024 Professional Security Magazine. All rights reserved.
