Will the new EU standard protect consumers from IoT products?
The European Telecommunications Standards Institute (ETSI) recently released Technical Specification 103 645, seeking to help protect consumers from IoT devices. The specification was produced by the ETSI Technical Committee on Cybersecurity.
ETSI has almost 900 members worldwide, including companies like ABB, Canon, Ericsson, Mitsubishi, LG Electronics, Orange, Schneider Electric, Audi, Deutsche Bahn, Lufthansa Systems, Panasonic, Bosch, Samsung Electronics, Siemens and many more world-class companies. We can expect these organizations to lead the way toward a more secure connected world.
Tightening the grip of IoT security
Everyone working in the IoT security industry knows it is like the Wild West at the moment. Without any hard regulations in place, the industry has defaulted to low security standards in the interest of perceived saved time and costs.
Like seatbelts becoming mandatory in cars and privacy protection in social media with GDPR, it is just a question of time before internet-connected devices face much stricter legal security requirements.
Several initiatives to help the industry improve the security of IoT exist, like the American IoT Cyber Security Act, the Cyber Shield Act, the Smart IoT Act, NIST’s Managing IoT Cybersecurity and Privacy Risks, the EU’s Cybersecurity Act and, not to forget, the recent SB-327 bill, under which California will be forcing basic security on IoT devices starting on January 1, 2020. There are good reasons to believe these foreshadow the requirements to come.
Once harder regulations hit the industry, their concrete form will probably stem from best practices and experience gained from all the ongoing initiatives. Let’s therefore dive more into ETSI’s new standard to see what the future holds.
What lawmakers will come to expect from IoT products
TS 103 645 comes with a set of fairly technical requirements. None of the requirements can be said to go beyond basic security hygiene, but their scope highlights that securing an internet-connected device is not trivial. Done properly, security must be included from the design phase all the way until end of life for the product. Security as a patchwork will fail. The 13 requirements presented in the new standard are:
- No universal default passwords
- Implement a means to manage reports of vulnerabilities
- Keep software updated
- Securely store credentials and security-sensitive data
- Communicate securely
- Minimize exposed attack surface
- Ensure software integrity
- Ensure personal data is protected
- Make systems resilient to outages
- Examine system telemetry data
- Make it easy for consumers to delete personal data
- Make installation and maintenance of devices easy
- Validate input data
Keep software updated
The third requirement in the standard gets the most attention — by measure of number of words — and should be regarded as one of the most important security measures to get in place. Having a way to update software ensures a fallback option regardless of bugs, vulnerabilities and whether the device has been exploited or not.
The “keep software updated” requirement includes these provisions:
- All software components in consumer IoT devices should be securely updatable
- The consumer should be informed when an update is required
- Updates shall be timely — which depends on the level of severity
- All products shall have clear labelling with end-of-life date
- The need for an update should be made clear for the consumer, and easy to do
- Basic functionality should keep running during an update
- Security patches must be delivered over a secure channel
- Constrained devices should be isolable and the hardware replaceable
- Constrained devices must have a clear end-of-life label regarding hardware replacement
Several open source software update mechanisms can be adopted to satisfy many of these provisions. One of the most popular is Mender.io. Be cautious about developing your own homegrown updater. For example, two of the other requirements in the new standard are “communicate securely” and “ensure software integrity.” Both are paramount to security, but quite hard to implement in practice, as we have seen from our day-to-day work at Northern.tech.
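To make the “ensure software integrity” provision concrete, here is a minimal device-side check of a signed update, written for this post as an added example (it is not Mender’s code and not part of the standard). It assumes a manifest format of its own (8-byte version followed by the SHA-256 of the image), a vendor Ed25519 key pair baked into the build server and the device, and a constructed firmware payload; the signature binds version and digest together so that a tampered image or an older, previously vulnerable build is refused.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest layout (this example's own format, not Mender's or ETSI's):
// 8-byte big-endian version || 32-byte SHA-256 of the firmware image.
func buildManifest(version uint64, payload []byte) []byte {
	m := make([]byte, 40)
	binary.BigEndian.PutUint64(m[:8], version)
	sum := sha256.Sum256(payload)
	copy(m[8:], sum[:])
	return m
}
// SignManifest is the build-server side: the vendor's Ed25519 key signs the manifest, not the image.
func SignManifest(priv ed25519.PrivateKey, version uint64, payload []byte) (manifest, sig []byte) {
	manifest = buildManifest(version, payload)
	return manifest, ed25519.Sign(priv, manifest)
}
// VerifyUpdate is the device side: check the signature with the public key baked into the device,
// refuse versions not newer than the installed one (anti-rollback), then check the image digest.
func VerifyUpdate(pub ed25519.PublicKey, manifest, sig, payload []byte, installed uint64) (uint64, error) {
	if len(pub) != ed25519.PublicKeySize || len(manifest) != 40 || !ed25519.Verify(pub, manifest, sig) {
		return 0, errors.New("manifest signature invalid")
	}
	version := binary.BigEndian.Uint64(manifest[:8])
	if version <= installed {
		return 0, fmt.Errorf("rollback refused: version %d is not newer than installed %d", version, installed)
	}
	sum := sha256.Sum256(payload)
	if !bytes.Equal(sum[:], manifest[8:]) {
		return 0, errors.New("payload hash does not match signed manifest")
	}
	return version, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	payload := []byte("constructed firmware image bytes")
	manifest, sig := SignManifest(priv, 42, payload)
	fmt.Println(VerifyUpdate(pub, manifest, sig, payload, 41))              // 42 <nil>
	fmt.Println(VerifyUpdate(pub, manifest, sig, append(payload, 'x'), 41)) // hash mismatch
}
```

The “communicate securely” provision is separate: the signature protects integrity and origin of the update, while the download channel (TLS with a pinned or properly validated server certificate) protects confidentiality and keeps the device from talking to an impostor update server in the first place.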
Winners are serious about security
As pointed out in “What separates leaders from laggards in the internet of things,” referring to findings from a McKinsey study of 300 businesses, winners take security into account in the design and lifecycle of their products. With regulators increasingly realizing the importance of securing the world’s connected devices, it is just a question of when every vendor must comply with basic security measures. The good news is that security actually proves to be good for business.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.