A New Cybersecurity Standard for IoT

ZARIOT

- Last Updated: December 2, 2024

As we start to bring more smart devices into our lives, cybersecurity becomes a growing concern. For instance, Kaspersky honeypots revealed over 1.5 billion attacks against consumer IoT devices in the first half of 2019 alone. To minimize these cybersecurity risks, the ETSI (European Telecommunications Standards Institute) group created a standard in 2021 – the ETSI EN 303 645.

But what is ETSI EN 303 645 and what does it accomplish? We answer this question and more below.

ETSI EN 303 645 Standard

In a nutshell, the standard provides a global baseline for the security of connected consumer IoT devices to strengthen its predecessor – TS 103 645.

Numerous experts from academia, industry, and government were engaged, resulting in 13 robust provisions designed to prevent large-scale cyber-attacks, such as the infamous Mirai botnet attack in 2016 which infected hundreds of thousands of devices.

13 Provisions

  1. No universal default passwords.
  2. Implement a means of managing reports of vulnerabilities.
  3. Keep software updated.
  4. Securely store sensitive security parameters.
  5. Communicate securely.
  6. Minimize exposed attack surfaces.
  7. Ensure software integrity.
  8. Ensure the protection of personal data.
  9. Make systems resistant to outages.
  10. Examine system telemetry data.
  11. Make it easy for consumers to delete personal data.
  12. Make installation and maintenance of devices easy.
  13. Validate input data.

Additionally, several provisions are in line with data privacy acts such as the GDPR. For example, manufacturers must provide consumers with clear information about what data is collected, how it is used, and how it can be deleted.

Does ETSI EN 303 645 Apply to All IoT Devices?

The word "consumer" is front and center of this standard. It extends to the connected or "smart" devices that any person can have at home nowadays: smart TVs, speakers, alarm systems, door locks, smoke detectors, and baby monitors, among many others.

The standard also applies to connected gateways, hubs, and base stations. After all, a home now contains as many as 16 connected devices, each of them an entry point into the home network. Thus ETSI EN 303 645 coverage extends to the centralized access point that serves those devices.

Why the Need for This Standard?

IoT manufacturers generally do not build their own operating systems (OS), as doing so is expensive and time-consuming. A global technology company such as Microsoft can deliver OS updates to its millions of users in a way that a generic smart TV manufacturer typically cannot.

Additionally, the seller or manufacturer of the IoT device is often not the end-to-end builder of device hardware or software, meaning the inner workings of the device are often obscured.

For anyone to obtain this information, their options would be to take a crystal box or black box approach.

  • Crystal box approach: Manufacturers proactively supply the source code and design documentation. This is rare, but it allows for source code audits to determine how trust boundaries are set and maintained.
  • Black box approach: The more common approach where firmware has to be reverse engineered to get a solid understanding of what goes on inside a device.

Implications of ETSI EN 303 645

Essentially, manufacturers have to prove that their consumer IoT device complies with ETSI EN 303 645 by passing an evaluation performed by a third-party testing laboratory.

Generally, the evaluation process consists of:

  • Manufacturers fill out two key documents that provide the information needed for device evaluation. The first is the Implementation Conformance Statement (ICS), which indicates which of the requirements in ETSI EN 303 645 the IoT device does or does not meet.
  • The second is the Implementation eXtra Information for Testing (IXIT), which provides the design details needed for testing.
  • A testing laboratory evaluates and tests the product based on the two documents, and a report is then provided indicating whether the product is ETSI EN 303 645-compliant.

Baseline Security Standard

While not comprehensive, the ETSI EN 303 645 sets an achievable baseline security standard for IoT stakeholders to attain. The standard also boosts consumer confidence in the security of everyday "smart" products. An accompanying compliance label will also help consumers easily identify products they can buy with assurance.

If you're an IoT device seller, OEM, importer, or exporter, take a proactive approach to cybersecurity today to ensure the safety and privacy of your customers.
