Proving the Business Case for the Internet of Things

Etsi standard tackles consumer IoT security

Steve Rogerson
February 20, 2019



European standards body Etsi has released a standard for cyber security in IoT applications to establish a security baseline for internet-connected consumer products and provide a basis for future IoT certification schemes.
 
As more devices in the home connect to the internet, the cyber security of the IoT is becoming a growing concern. People entrust their personal data to an increasing number of online devices and services. In addition, products and appliances that have traditionally been offline are now becoming connected and need to be designed to withstand cyber threats. Poorly secured products threaten consumer’s privacy and some devices are exploited to launch large-scale DDoS cyber attacks.
 
The TS 103 645 specification addresses this issue and specifies high-level provisions for the security of internet-connected consumer devices and their associated services.
 
IoT products in scope include connected children’s toys and baby monitors, connected safety-relevant products such as smoke detectors and door locks, smart cameras, TVs and speakers, wearable health trackers, connected home automation and alarm systems, connected appliances such as washing machines and fridges, or smart home assistants.
 
“The potential benefits of the IoT will be achieved only if products and services are designed with trust, privacy and security built in, so consumers feel they are secure and safe to use,” said Stephen Russell, secretary-general of ANEC, the organisation representing consumers in standardisation, and an Etsi member. “We are pleased to have contributed to a standard which focuses on the technical and organisational controls that matter most in addressing significant and widespread security shortcomings. It should be a landmark specification for consumers and industry alike.”
 
TS 103 645 requires implementers to forgo the use of universal default passwords, which have been the source of many security issues. It also requires implementation of a vulnerability disclosure policy to allow security researchers and others to report security issues.
 
“Stakeholders at all levels have worked together to make sure the specification was outcome-focused, rather than prescriptive, giving organisations the flexibility to innovate and implement security appropriate for their products,” said Luis Jorge Romero, Etsi’s director general. “We’re really proud to release a standard that was highly needed for consumers and society at large.”
 
As many IoT devices and services process and store personal data, this specification can help ensure that these are compliant with GDPR rules.
 
Etsi is one of three bodies officially recognised by the EU as a European standards organisation.