ETSI Standard on Consumer IoT Security

Roland Atoui
Illustration: © IoT For All

With an increasing number of devices across the world being connected to the internet, the security of IoT devices is becoming a larger concern.

That’s precisely why bringing to light the European Telecommunications Standards Institute or ETSI standard on how smart products should be secured is so important. This work was produced in cooperation with CEN/CENELEC JTC 13 (Cybersecurity and Data Protection).

The ETSI Standard on Consumer IoT Security

Many unsecured IoT devices like smart bulbs, IP cameras, smart lock, or even baby monitors, connect through a smart app on a mobile device. Even though they aren’t directly connected to other devices you may be using in your home, the fact that they’re on the same network, when it comes to a hacker gaining a foothold on your network, these unsecured IoT devices are an easy entry point.

The security requirements listed below are defined in EN 303 645 ETSI standard. It brings together widely considered good practice in security for Internet-connected consumer devices in a set of high-level outcome-focused provisions. The main objective is to support all parties involved in the development and manufacturing of consumer IoT with guidance on securing their products.

Regular Software Updates

No device can be safe without regular updates to its software. The same goes for IoT devices. It’s also vital to provide secure update mechanisms that don’t allow for cybercriminals to misuse the update system to install malware and other harmful programs on users’ IoT devices.

Software Integrity

The software on IoT devices needs to be verified with secure boot mechanisms like a hardware root of trust – the source of all cryptographic trust within a system.

No Universal and Default Passwords and Credentials

All IoT device passwords need to be unique. On top of that, they shouldn’t contain an option for a universal factory reset that gives a default password. The fact that IoT devices have default user credentials that do not vary from device to device has been a large issue for IoT cybersecurity. It’s vital to follow the best practices on passwords.

Secure Storage of Credentials and Other Sensitive Data

Besides unique passwords, credentials and other sensitive data should be securely stored on IoT devices and services. That also means that no hard-coded credentials can be used.

Personal Data Must Be Protected

GDPR and all other relevant data laws must be respected, which means that consumers need to be properly informed about how IoT devices handle their data.

User Option for Deleting Personal Data

Consumers who purchase an IoT device need to have a way to remove personal data from the devices. Clear instructions and data deletion confirmation must exist as well.

Data Input Validation

The input data should be validated, as cybercriminals often try to exploit the systems through non-validated data.

Telemetry Data Must Be Examined

If an IoT device sends telemetry data like usage and measurement data, it should be automatically examined for any security anomalies. However, users need to be informed of this.

Minimizing Possible Attack Surfaces

As is the case with all sound security systems, the ‘principle of least privilege’ should be used in IoT as well. That means that all unnecessary interfaces need to be closed, and all approved ways of minimizing possible attack surfaces need to be implemented.

Managing Reports on Vulnerabilities

Companies that produce IoT devices and services need to have a clear vulnerability disclosure policy that contains a public point of contact. That will allow for security researchers and others to easily report vulnerability issues.

Secure Communication

For communication to be protected in the IoT ecosystem, the best practices of cryptography need to be used.

Systems Must Be Resilient to Power and Data Outages

Each IoT device needs to have a built-in resilience that will protect it from unplanned outages of data or power. The device has to remain in operation for as long as possible. Then it has to be able to restore itself fully when data or power is restored.

IoT Device Installation and Maintenance Should Be Easy

Manufacturers should ensure they create a minimal amount of steps for both the installation and maintenance of their devices. Consumers should be guided through these processes.

Having Trust Concerns…? Get Certified First!

Not many IoT product consumers are aware of the trust concerns involving IoT. It is worrying, as there are many of them, most stemming from the technology’s inherent characteristics. The EU Cybersecurity Act aims to improve EU cyber resilience and response in addition to strengthening the level of trust by offering information in a transparent manner on the level of security of consumer products.

An increase in trust can be facilitated by Union-wide certification providing for common cybersecurity requirements and evaluation criteria across national markets and sectors.

The EU Cybersecurity Certification Framework will make it easier for manufacturers and developers to serve the EU market. A unified certification framework across all of EU will reduce the effects a fragmented market has on the online economy.

Eurosmart has developed the very first certification scheme complying with the EU Cybersecurity Act in a goal to protect the consumer by defining a Basic and Substantial security assurance level certification scheme for IoT devices.

At the Basic security assurance level, Eurosmart IoT Security Certification Scheme provides a Security Profile fully based on EN 303 645 allowing CABs supporting the pilot phase (listed on the website) to issue certificates for Consumer IoT devices.

The Eurosmart Label can be awarded if the devices meet the security requirements and the security assurance activities defined in the Security Profile, which are based on EN 303 645.

With this, Eurosmart confirms its support to ENISA’s mission in building a cyber-resilient consumer environment in the EU.

Author
Roland Atoui
Roland Atoui
Roland Atoui is an expert in cybersecurity and the Internet of Things (IoT) having recognized achievements working for companies such as Gemalto and Oracle with a background in both research and industry. From smart cards to smartphones to IoT tec...
Roland Atoui is an expert in cybersecurity and the Internet of Things (IoT) having recognized achievements working for companies such as Gemalto and Oracle with a background in both research and industry. From smart cards to smartphones to IoT tec...