European Telecommunications Standards Institute (ETSI) publishes new standard on cybersecurity for consumer IoT

Introduction

As the number of connected and smart devices in consumers' homes and lives proliferates, so too have the challenges associated with this connectivity; with Internet of Things (IoT) cybersecurity is increasingly coming into focus as an issue of significant importance.

Having consulted with various academics, consumer associations and industry bodies, UK Government last year published a Code of Practice for Consumer IoT Security to help provide clarity over the level of security expected in IoT products.

A new standard for consumer IoT cybersecurity

Compliance with the UK Code is voluntary, however in order to continue improving consumer IoT cybersecurity and protection, in February this year, the UK Government, together with the European Telecommunications Standards Institute (ETSI), published a new standard for cybersecurity in relation to consumer IoT products.

This standard received input from experts around the world in its development and, importantly, received official endorsement at a European level by companies and governments. It presents widely considered good practice for IoT cybersecurity and compliance; and its provisions can help companies to implement a future EU common cybersecurity certification framework, as proposed in the EU Cybersecurity Act and the US IoT Cybersecurity Improvement Act.

Key features

The standard looks to set a baseline for IoT cybersecurity in consumer products. As more items and appliances in consumers' homes are 'coming online', the protection of personal data collected, processed and stored on such devices is critical; and compliance with the standard will help to ensure companies are complaint with GDPR requirements.

The products which fall under the scope of the standard are described as "consumer devices that are connected to network infrastructure". A non-exhaustive list has been included in the standard as guidance.[1]

The standard states that patchwork security of IoT products does not offer sufficient protection to consumers. Instead, it highlights that cybersecurity for an internet connected device or service, when done properly and to instil trust, must be addressed from the beginning, at the design phase right through to the very end of the product's life.

The standard does not provide guidance on all cybersecurity issues, but rather focusses on the technical and organisation controls that matter most. This is achieved through 13 outcome focussed provisions. In taking an outcome based – rather than prescriptive - approach, these provisions are designed to allow companies room for innovation in developing cybersecurity solutions suitable for their products, but without the compromise of protection.

The provisions

1. No universal default passwords: Unique passwords per device should be used, instead of a standard and universal default password, a practice which has been responsible for many security issues. Such unique passwords should not be resettable to a factory default.

2. Implement a means to manage reports of vulnerabilities: A point of contact should be made available to the public as part of a voluntary disclosure policy to allow for security issues to be reported.

3. Keep software updated: This provision has been suggested as the most important for companies to comply with. By having a way to update software securely, without delay and seamlessly ensures effective adaptability against any bugs, vulnerabilities and device exploitations.

4. Securely store credentials and security-sensitive data: Hard-coded credentials are susceptible to reverse engineering and should not be used in device software. Secure and trusted storage mechanisms to secure security-sensitive data are recommended.

5. Communicate securely: Encryption should be used when transmitting security-sensitive data and all encryption keys should be managed securely.

6. Minimise exposed attack surface: Unused software and hardware should not be unnecessarily exposed to attack and should be closed.

7. Ensure software integrity: IoT software should be verified using secure boot mechanisms and unauthorised changes in software should be alerted to the consumer and administrator.

8. Ensure personal data is protected: Consumers should be provided with clear information about how their personal data will be collected and used and consumer consent must be obtained in a valid way.

9. Make systems resilient to outages: IoT services should be resilient to, and be able to recover cleanly and without fault from, losses of network and power supply.

10. Examine system telemetry data: If telemetry data is collected, usage and processing pf such data should be transparent and monitored.

11. Make it easy for consumers to delete personal data: Consumers should be easily able to delete personal data when desired and receive clear confirmation once completed.

12. Make installation and maintenance of devices easy: IoT device installation and management should require minimal steps and follow security best practice on usability.

13. Validate input data: Data inputted via user interfaces and transferred via APIs or between networks and devices shall be validated

    This standard represents an important step in the development of European guidance and future regulation surrounding IoT, and provides greater clarity over the level of cybersecurity expected in IoT products. The provisions of the standard suggest that future IoT cybersecurity regulation will likely place great importance on consumer protection, and that cybersecurity should be high up on the agenda for those designing and developing IoT products.