A New Cybersecurity Standard for IoT
ZARIOT
As we start to bring more smart devices into our lives, cybersecurity becomes a growing concern. For instance, Kaspersky honeypots revealed over 1.5 billion attacks against consumer IoT devices in the first half of 2019 alone. To minimize these cybersecurity risks, the ETSI (European Telecommunications Standards Institute) group created a standard in 2021 – the ETSI EN 303 645.
But what is ETSI EN 303 645 and what does it accomplish? We answer this question and more below.
In a nutshell, the standard provides a global baseline for the security of connected consumer IoT devices to strengthen its predecessor – TS 103 645.
Numerous experts from academia, industry, and government were engaged, resulting in 13 robust provisions designed to prevent large-scale cyber-attacks, such as the infamous Mirai botnet attack in 2016 which infected hundreds of thousands of devices.
Additionally, several provisions are in line with data privacy acts such as the GDPR. For example, manufacturers must provide consumers with clear information about what data is collected, how it is used, and how it can be deleted.
The word "consumer" is front and center in this standard. It extends to the connected or "smart" devices that any person can have at home nowadays: for example, smart TVs, speakers, alarm systems, door locks, smoke detectors, and baby monitors, among many others.
The standard also applies to connected gateways, hubs, and base stations. After all, a home now contains as many as 16 connected devices, each with an entry point into the home network. Thus ETSI EN 303 645 coverage extends to the centralized access point for various devices.
IoT manufacturers generally do not build their own operating systems (OS), as doing so is expensive and time-consuming. Global tech companies like Microsoft provide OS updates to their millions of users, in contrast to a generic smart TV manufacturer.
Additionally, the seller or manufacturer of the IoT device is often not the end-to-end builder of device hardware or software, meaning the inner workings of the device are often obscured.
For anyone to obtain this information, their options would be to take a crystal box or black box approach.
Essentially, manufacturers have to prove that their consumer IoT device complies with ETSI EN 303 645 by passing an evaluation performed by a third-party testing laboratory.
Generally, the evaluation process consists of:
While not comprehensive, the ETSI EN 303 645 sets an achievable baseline security standard for IoT stakeholders to attain. The standard also boosts consumer confidence in the security of everyday "smart" products. An accompanying compliance label will also help consumers easily identify products they can buy with assurance.
If you're an IoT device seller, OEM, importer, or exporter, take a proactive approach to cybersecurity today to ensure the safety and privacy of your customers.