European standards org releases consumer IoT cybersecurity standard

The European Telecommunications Standards Institute (ETSI) has released ETSI TS 103 645, a standard for cybersecurity in the Internet of Things, to establish a security baseline for internet-connected consumer products and provide a basis for future IoT certification schemes.

As more devices in the home connect to the internet, the cyber security of the Internet of Things (IoT) is becoming a growing concern. People entrust their personal data to an increasing number of online devices and services.

In addition, products and appliances that have traditionally been offline are now becoming connected and need to be designed to withstand cyber threats. Poorly secured products threaten consumer’s privacy and some devices are exploited to launch large-scale DDoS (Distributed Denial of Service) cyber attacks.

About TS 103 645

ETSI’s new specification, TS 103 645, addresses this issue and specifies high-level provisions for the security of internet-connected consumer devices and their associated services.

IoT products in scope include connected children’s toys and baby monitors, connected safety-relevant products such as smoke detectors and door locks, smart cameras, TVs and speakers, wearable health trackers, connected home automation and alarm systems, connected appliances (e.g., washing machines, fridges) or smart home assistants.

TS 103 645 requires implementers to forgo the use of universal default passwords, which have been the source of many security issues. It also requires implementation of a vulnerability disclosure policy to allow security researchers and others to report security issues.

It mandates that all credentials and security-sensitive data is stored securely within services and on devices and that no hard-coded credentials in device software are used.

“Device manufacturers and service providers shall provide consumers with clear and transparent information about how their personal data is being used, by whom, and for what purposes, for each device and service. This also applies to third parties that can be involved, including advertisers,” the specification notes.

Consumer consent must be obtained in a “valid” way and can be withdraw it at any time.

The standard includes many other provisions, some of which are mandatory requirements and other mere recommendations.

Among the latter are:

• Secured communications (encryption, securely managed keys)
• Minimized exposed attack surfaces(closed unused ports, software running with least necessary privilege, etc.)
• Assured software integrity (secure boot, unauthorized change detection).

As many IoT devices and services process and store personal data, this specification can help ensure that these are compliant with the General Data Protection Regulation (GDPR).

“Stakeholders at all levels have worked together to make sure the specification was outcome-focused, rather than prescriptive, giving organizations the flexibility to innovate and implement security solutions appropriate for their products” says Luis Jorge Romero, ETSI’s Director General. “We’re really proud to release a standard that was highly needed for consumers and society at large.”

A welcome standard

“The potential benefits of the IoT will be achieved only if products and services are designed with trust, privacy and security built in, so consumers feel they are secure and safe to use. We are pleased to have contributed to a standard which focuses on the technical and organizational controls that matter most in addressing significant and widespread security-shortcomings. It should be a landmark specification for consumers and industry alike” says Stephen Russell, Secretary-General of ANEC, the organization representing consumers in standardization, and an ETSI member.

Ollie Whitehouse, global CTO at cyber security and risk mitigation company NCC Group, told Help Net Security that the publication of European Telecommunications Standards Institute’s IoT cyber security standard is testament to the international consensus on what needs to be done to ensure consumers all around the world can feel their internet-connected devices are safe and secure to use.

“We have long held the view that some market failures can only be addressed through the right regulatory frameworks and incentives. It is welcome that ETSI’s standard reflects how the adoption of its principles can help organisations achieve compliance with global regulatory regimes, from GDPR and cyber security certification in Europe to the IoT Cyber Security Improvement Act in the US,” he noted.

“As global standardisation moves ahead, manufacturers in every country need to understand that an international supply chain is no longer an excuse to ignore good security practice. Manufacturers around the world should take the right steps now to build an appropriate level of security into their products.”