Etsi standard secures consumer IoT devices

  • July 1, 2020
  • Steve Rogerson

Etsi has published a standard for IoT cyber security that establishes a security baseline for internet-connected consumer products and provides a basis for future IoT certification schemes.
 
As more devices in the home connect to the internet, the cyber security of the IoT has become a growing concern. The standard is designed to prevent the large-scale, prevalent attacks against smart devices that cyber-security experts see every day. Compliance with the standard will restrict the ability of attackers to control networks of devices across the globe, known as botnets, and use them to launch DDoS attacks, mine crypto-currency and spy on users in their own homes.
 
 
The Etsi Technical Committee on Cyber Security (TC Cyber) unveiled EN 303645 based on TS 103645. EN 303645 went through National Standards Organisation comments and voting, engaging more stakeholders in its development and strengthening the resulting standard. The EN is a result of collaboration and expertise from industry, academics and government.
 
The standard specifies 13 provisions for the security of internet-connected consumer devices and their associated services. IoT products in scope include children’s toys and baby monitors, safety-relevant products such as smoke detectors and door locks, smart cameras, TVs and speakers, wearable health trackers, home automation and alarm systems, appliances such as washing machines and fridges, and smart home assistants. The standard also includes five specific data protection provisions for consumer IoT.
 
“We launched the Finnish IoT label in November 2019; it was a world first and it attracted a lot of global interest,” said Juhani Eronen from Traficom. “Our labels are awarded to networking smart devices that meet certification criteria based on EN 303645. This helps consumers identify IoT devices that are sufficiently secure. To date we have awarded the labels to several products including fitness watches, home automation devices and smart hubs. Being involved in the development of the Etsi standard from the start helped us a lot in building up our certification scheme. Feedback from companies and hackers has been very positive so far.”
 
EN 303645 is a cohesive standard that presents an achievable, single target for manufacturers and IoT stakeholders to attain. Many organisations have already based their products and certification schemes around the EN and its TS predecessor. It demonstrates how one standard can underpin many assurance schemes and provide flexibility in certification while maintaining security.
 
“Legrand is pleased to have contributed to the Etsi EN 303645 standard,” said Mahmoud Ghaddar, CISO of standardisation. “It focuses on the product baseline controls addressing the most common security weaknesses in the IoT ecosystem. Ensuring a better level of security in the IoT ecosystem can only be achieved if governments, industry and consumers collaborate on a common and reachable goal, and standardisation bodies like Etsi have provided the right platform to achieve it for this standard.”
 
The TC Cyber is continuing its work on IoT security, with the development of a test specification and an implementation guide to complement EN 303645.