GlobalSign Blog

ETSI's New Cybersecurity Standards Establish a Security Baseline for IoT Devices

Over the years there has been a steady increase in the number of devices connected to the internet. The ongoing pandemic has accelerated that reliance further, pushing people and organizations to put available IoT techniques into practice to automate their operations.

With this in mind, and considering the Internet of Things (IoT) gold rush we are experiencing, the European Telecommunications Standards Institute (ETSI) has established a security baseline by publishing a new cybersecurity standard, ETSI EN 303 645.

This security baseline is intended to help prevent looming, large-scale cyber attacks against smart home devices, and more specifically internet-connected consumer products, and to serve as a basis for future IoT certification schemes.

Understanding How Connected IoT Devices Work

Smart home devices are fitted with microphones for voice control, motion sensors can notify you when the front door has been left open, and security cameras can show you who is at the door. Each of these applications has been made possible by IoT.

Devices today are fitted with tiny chips or small computers that connect to a common platform. Over that platform the IoT devices communicate with each other in a common language (a shared protocol) and make limited decisions based on the information they exchange.

According to ETSI EN 303 645, there is a wide range of IoT consumer devices and their associated services. Some of these are as follows:

  • Wearable health trackers
  • Connected home safety products such as motion sensors and smoke detectors
  • Smart children’s toys and baby monitors
  • Smart home assistants
  • Home automation technologies and smart alarm systems
  • Smart everyday appliances such as air conditioners, fridges, microwaves, and washing machines

Let’s discuss these applications in a bit more detail below.

Managing Home Appliances

Home appliance management is typically delivered as a cloud service, hosted on cloud infrastructure. This service controls the outputs of smart actuators fitted in the home appliances.

Technically speaking, the service issues a digital write command to an actuator in order to activate it.

Controlling Home Access

Various access control technologies, such as fingerprint and RFID readers, are also used for public access doors.

The identification attributes of a person who approaches the access control system are collected and matched against a database. Access is granted only when the attributes match a database record; otherwise it is denied.

Remote Working

The total number of connected IoT devices is expected to reach 25 billion by next year. This uptick comes both from consumers looking to simplify household chores and from the growing relevance of remote working.

Today, companies can connect electronic devices such as laptops, cell phones, and tablets to a cloud service in order to integrate all of their operations.

An Outline of ETSI’s New Provisions for the Security of IoT Consumer Devices

The growing prevalence of smart devices in homes has challenged the foundations of traditional cybersecurity measures, since those measures rarely cover the household periphery.

This is precisely why ETSI stepped up and sought input from government, industry experts, and academia to define a standard that restricts the ability of cybercriminals to take control of devices and launch wide-scale DDoS attacks, install spyware, or mine cryptocurrency.

Although users should learn to recognise increasingly sophisticated malware, ETSI's initiative to set out 13 provisions further raises the overall level of precaution.

The following are the 13 cybersecurity measures for consumer IoT devices listed under ETSI EN 303 645:

No universal default passwords
Passwords for consumer IoT devices should be unique per device or defined by the user; a single factory default shared across a whole product line is not acceptable. Despite the ongoing debate about the effectiveness of passwords, users are still encouraged to set a unique password for every connected device and to enable user authentication wherever it is offered.

Implement a means to manage reports of vulnerabilities
Manufacturers need to make a vulnerability disclosure policy available to the general public. It should include the contact information for the reporting of issues, and a proper timeline illustrating the initial acknowledgment of receipt and status updates of the reported problems.

Keep software updated
This is a more obvious provision: all software components in consumer IoT devices should be securely updatable, and security updates should be delivered in a timely manner. Updates should also be simple to apply, ideally automatically.

Securely store sensitive security parameters
Sensitive security parameters should be stored securely on the device so that they resist tampering, whether physical, electrical, or software-based. The provision also explicitly states that device software source code should not use hard-coded critical security parameters. And where critical security parameters are used for authenticity checks, they should be unique to each device.
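One practical way to enforce the "no hard-coded critical security parameters" part of this provision is to scan firmware source trees before release. The following is an added example, not code from the original post or from ETSI: a small scanner that flags credential assignments, credential-like `#define` constants, pasted PEM private keys, and long high-entropy string literals. The sample source text, the regular expressions, and the entropy threshold are all assumptions for this illustration and should be tuned per code base.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Finding is one suspected hard-coded critical security parameter in source text.
type Finding struct {
	Line   int
	Reason string
	Text   string
}

// entropyThreshold (bits per character) is a heuristic assumed for this example:
// random hex keys score near 3.7-4.0, random base64 near 4.5-5.0, while ordinary
// identifiers and prose usually sit lower. Tune it per code base.
const entropyThreshold = 3.5

var (
	// password = "..."  /  secret: '...'  style assignments (C, Python, YAML, JSON, shell).
	credentialAssign = regexp.MustCompile(`(?i)(passw(or)?d|passphrase|secret|api[_-]?key|private[_-]?key|token)\s*[:=]\s*["']([^"']{4,})["']`)
	// #define ADMIN_PASS "..." style preprocessor constants.
	defineCredential = regexp.MustCompile(`(?i)#define\s+\w*(PASS|KEY|SECRET|TOKEN)\w*\s+"([^"]{4,})"`)
	// PEM-armoured private keys pasted straight into source.
	pemBlock = regexp.MustCompile(`-----BEGIN [A-Z ]*PRIVATE KEY-----`)
	// Any quoted literal of 20+ base64/hex-looking characters is a key candidate and gets an entropy check.
	longLiteral = regexp.MustCompile(`["']([A-Za-z0-9+/=_-]{20,})["']`)
)

// shannonEntropy returns the Shannon entropy of s in bits per character.
func shannonEntropy(s string) float64 {
	if s == "" {
		return 0
	}
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	n := float64(len([]rune(s)))
	h := 0.0
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// ScanSource walks source text line by line and reports suspected hard-coded secrets.
func ScanSource(src string) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		no := i + 1
		trimmed := strings.TrimSpace(line)
		switch {
		case pemBlock.MatchString(trimmed):
			out = append(out, Finding{no, "embedded PEM private key", trimmed})
		case credentialAssign.MatchString(trimmed):
			out = append(out, Finding{no, "credential assigned from a string literal", trimmed})
		case defineCredential.MatchString(trimmed):
			out = append(out, Finding{no, "credential in a preprocessor #define", trimmed})
		default:
			if m := longLiteral.FindStringSubmatch(trimmed); m != nil {
				if h := shannonEntropy(m[1]); h > entropyThreshold {
					out = append(out, Finding{no, fmt.Sprintf("high-entropy literal (%.2f bits/char), possible key", h), trimmed})
				}
			}
		}
	}
	return out
}

// SampleSource is a constructed firmware fragment (not real vendor code) used to exercise the scanner.
const SampleSource = `#include "config.h"
#define WIFI_SSID "iot-setup"
static const char *admin_password = "admin1234";
static const char *firmware_version = "2.4.1";
static const char *ota_key = "x9Kf3Qm7Lp2Vt8Rz5Bn1Yw4Hs6Jd0Ce";
-----BEGIN EC PRIVATE KEY-----
static const uint32_t sample_rate = 16000;`

func main() {
	for _, f := range ScanSource(SampleSource) {
		fmt.Printf("line %d: %s\n    %s\n", f.Line, f.Reason, f.Text)
	}
}
```

Run against the constructed sample it reports the universal admin password on line 3, the key-like literal on line 5, and the PEM block on line 6, while leaving the SSID, version string, and numeric constant alone. A scanner like this is a release gate, not a substitute for putting per-device secrets in protected storage.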

Communicate securely
Best-practice cryptography should be used for secure communication to and from consumer IoT devices. The cryptographic algorithms and primitives should also be updateable, so that a device can move off a weakened algorithm during its lifetime.

Minimize exposed attack surfaces
ETSI emphasises disabling any unused network and logical interfaces and minimising the unauthenticated disclosure of security-relevant information.

Ensure software integrity
Consumer IoT devices should verify their software using secure boot mechanisms. If an unauthorised change is detected, the device should alert the user or administrator and should not connect to wider networks than those necessary to deliver that alert.
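The "keep software updated" and "ensure software integrity" provisions meet in the firmware update path: an update must be authenticated before it is applied, and a validly signed but older image must be refused, otherwise an attacker can reinstall a version whose vulnerabilities have already been fixed. The block below is an added example, not code from the original post, from ETSI, or from any vendor; it shows a vendor-signed manifest (an assumed layout: magic, version, image length, SHA-256 of the image, Ed25519 signature over the header) and the device-side verification with an anti-rollback check. The signing key is generated in memory here only for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed manifest layout for this example:
//   magic(4) | version(4, big endian) | imageLen(4, big endian) | sha256(image)(32) | ed25519 signature(64)
// The signature covers everything before it.
const (
	manifestMagic = "FWM1"
	headerLen     = 4 + 4 + 4 + sha256.Size
	manifestLen   = headerLen + ed25519.SignatureSize
)

var (
	ErrBadManifest   = errors.New("manifest malformed")
	ErrBadSignature  = errors.New("manifest signature invalid")
	ErrImageMismatch = errors.New("image does not match manifest")
	ErrRollback      = errors.New("image version is not newer than the installed version")
)

// SignImage builds the manifest for image at the given version using the vendor's signing key.
// In production the private key lives in an HSM or signing service, never on the device.
func SignImage(priv ed25519.PrivateKey, version uint32, image []byte) []byte {
	h := sha256.Sum256(image)
	hdr := make([]byte, headerLen)
	copy(hdr[0:4], manifestMagic)
	binary.BigEndian.PutUint32(hdr[4:8], version)
	binary.BigEndian.PutUint32(hdr[8:12], uint32(len(image)))
	copy(hdr[12:], h[:])
	return append(hdr, ed25519.Sign(priv, hdr)...)
}

// VerifyImage is the device-side check run before an update is written to flash.
// It returns the version that may be installed, or an error explaining the refusal.
func VerifyImage(pub ed25519.PublicKey, installedVersion uint32, manifest, image []byte) (uint32, error) {
	if len(manifest) != manifestLen || string(manifest[:4]) != manifestMagic {
		return 0, ErrBadManifest
	}
	hdr, sig := manifest[:headerLen], manifest[headerLen:]
	// Check the signature first: nothing in the header is trusted until it is authenticated.
	if !ed25519.Verify(pub, hdr, sig) {
		return 0, ErrBadSignature
	}
	version := binary.BigEndian.Uint32(hdr[4:8])
	imageLen := binary.BigEndian.Uint32(hdr[8:12])
	if uint32(len(image)) != imageLen {
		return 0, ErrImageMismatch
	}
	h := sha256.Sum256(image)
	if !bytes.Equal(h[:], hdr[12:headerLen]) {
		return 0, ErrImageMismatch
	}
	// Anti-rollback: the image must be strictly newer than what is installed.
	if version <= installedVersion {
		return 0, ErrRollback
	}
	return version, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // vendor key, generated here for illustration only
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image, version 2") // constructed stand-in for a real image
	manifest := SignImage(priv, 2, image)

	v, err := VerifyImage(pub, 1, manifest, image)
	fmt.Println("genuine update accepted, version:", v, "err:", err)

	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0x01
	_, err = VerifyImage(pub, 1, manifest, tampered)
	fmt.Println("tampered image:", err)

	_, err = VerifyImage(pub, 2, manifest, image)
	fmt.Println("downgrade to installed version:", err)
}
```

The public key used by `VerifyImage` is itself a critical security parameter: it needs to sit in storage the bootloader trusts (for example, fused or otherwise write-protected) or the integrity check can be bypassed by replacing the key alongside the image.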

Ensure that personal data is secure
Users should be able to understand all documented external sensing capabilities of consumer IoT devices. Cryptography should also be used to protect the confidentiality of personal data in transit between a device and a service.

Make systems resilient to outages
Consumer IoT devices and services should remain resilient to loss of network connectivity and power. Devices should keep operating and remain locally functional during a network outage, and recover cleanly when power is restored.

Examine system telemetry data
Where telemetry data such as usage and measurement data is collected, it should be examined for security anomalies.

Make it easy for users to delete user data
Users should be able to erase their personal data from the device and associated services without complication. They should have clear instructions for doing so and receive confirmation that the data has been deleted.

Make installation and maintenance of devices easy
Installing and maintaining consumer IoT devices should involve minimal decisions on the part of the user. The manufacturer should also provide guidance on how to set the device up securely, and a way for the user to check that the set-up is secure.

Validate input data
Consumer IoT device software shall validate data received through user interfaces or application programming interfaces (APIs). It is too easy for systems to be subverted by data that is incorrectly formatted, of the wrong type, or outside the expected range.
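What "validate input data" looks like at an API boundary, as an added example that is not part of the original post or of ETSI's text: a hypothetical device control message is parsed with a strict JSON decoder (unknown fields and trailing data rejected), then checked against a size limit, a device identifier format, an allow-list of commands, and a per-command value range before any of it reaches control logic. The message schema, field names, and limits are assumptions for this illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"regexp"
)

// SetpointCommand is a hypothetical control message, e.g.
// {"device_id":"THERMO01AB","command":"set_temperature","value":21.5}
type SetpointCommand struct {
	DeviceID string  `json:"device_id"`
	Command  string  `json:"command"`
	Value    float64 `json:"value"`
}

// maxCommandBytes bounds the request body so a client cannot force large allocations.
const maxCommandBytes = 512

var (
	ErrInvalidInput = errors.New("invalid command")

	// Device identifiers are assumed to be 8-32 alphanumerics; anything else (path
	// separators, quotes, control characters) is rejected before it can reach a log or a query.
	deviceIDPattern = regexp.MustCompile(`^[A-Za-z0-9]{8,32}$`)

	// Allow-list of commands and the physically sensible range for each (assumed limits).
	allowedCommands = map[string]struct{ min, max float64 }{
		"set_temperature": {5, 30},  // degrees Celsius
		"set_fan_percent": {0, 100}, // percent
	}
)

// ParseCommand validates a raw request body and returns a command only if every check passes.
func ParseCommand(raw []byte) (SetpointCommand, error) {
	var cmd SetpointCommand
	if len(raw) == 0 || len(raw) > maxCommandBytes {
		return cmd, fmt.Errorf("%w: body length %d out of range", ErrInvalidInput, len(raw))
	}
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields() // fields the schema does not define are an error, not ignored
	if err := dec.Decode(&cmd); err != nil {
		return cmd, fmt.Errorf("%w: %v", ErrInvalidInput, err) // covers malformed JSON and wrong types
	}
	// Exactly one JSON value is allowed; a second object or stray bytes after it are rejected.
	if _, err := dec.Token(); err != io.EOF {
		return cmd, fmt.Errorf("%w: trailing data after command", ErrInvalidInput)
	}
	if !deviceIDPattern.MatchString(cmd.DeviceID) {
		return cmd, fmt.Errorf("%w: device_id has unexpected format", ErrInvalidInput)
	}
	limits, ok := allowedCommands[cmd.Command]
	if !ok {
		return cmd, fmt.Errorf("%w: command %q not allowed", ErrInvalidInput, cmd.Command)
	}
	if cmd.Value < limits.min || cmd.Value > limits.max {
		return cmd, fmt.Errorf("%w: value %g outside [%g, %g]", ErrInvalidInput, cmd.Value, limits.min, limits.max)
	}
	return cmd, nil
}

func main() {
	// Constructed request bodies: one well-formed, the rest each violating one rule.
	samples := []string{
		`{"device_id":"THERMO01AB","command":"set_temperature","value":21.5}`,
		`{"device_id":"THERMO01AB","command":"set_temperature","value":99}`,
		`{"device_id":"THERMO01AB","command":"reboot","value":0}`,
		`{"device_id":"../etc","command":"set_temperature","value":20}`,
		`{"device_id":"THERMO01AB","command":"set_temperature","value":20,"admin":true}`,
		`{"device_id":"THERMO01AB","command":"set_temperature","value":"20"}`,
		`{"device_id":"THERMO01AB","command":"set_temperature","value":20}{}`,
	}
	for _, s := range samples {
		cmd, err := ParseCommand([]byte(s))
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("accepted: %s %s %g\n", cmd.DeviceID, cmd.Command, cmd.Value)
	}
}
```

The same pattern applies to binary protocols and command-line interfaces: parse into a typed structure, fail closed on anything unexpected, and only then act on the values.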

The 5 Specific Data Protection Provisions for Consumer IoT

The coronavirus pandemic has highlighted how valuable digital technologies can be for building solutions in any field, with IoT devices being a prominent example.

Keeping the increasing adoption of IoT devices in mind, ETSI has also issued five data protection provisions to guide consumer IoT device manufacturers:

Provision 1: Consumers are assured of full transparency with regard to their personal data. Manufacturers must clearly set out what data is processed, how it is used, why it is used, and by whom, for every device and service.

Provision 2: Where personal data has to be processed, manufacturers need to obtain the consumer's consent in a valid way, which means giving them an explicit opt-in choice.

Provision 3: Consumers who give consent to the use of their personal data also have the right to withdraw it whenever they want. This gives them the ability to preserve their privacy by configuring the functionality of the IoT device and service.

Provision 4: Where telemetry data is collected from consumer IoT devices and services, the processing of personal data should be limited to the minimum necessary.

Provision 5: Where consumer IoT devices and services collect telemetry data, consumers should be given full information about what is collected.

Concluding Thoughts

There has been a significant increase in the number of devices connected to the internet, which, unsurprisingly, has created a field day for attackers. Take for example the recently disclosed chip vulnerability (or rather, some 400 vulnerabilities) that is leaving hundreds of millions of devices exposed to spying.

Work-from-home opportunities are also becoming more prominent, and many people believe that working from home will become the new normal. The need to mitigate the growing cybersecurity risks and breaches is greater than ever, which is why a set of safety precautions was required, something that ETSI recognised.

The feedback after the establishment of the baseline has been positive so far, but we'll have to wait to understand the true extent of these effects.

Note: This blog article was written by a guest contributor for the purpose of offering a wider variety of content for our readers. The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of GlobalSign.
