Skip to Main Content

Getting smarter: IoT devices get some security standards

It looks like consumer smart devices might be getting a baseline set of standards, thanks to some collaboration between a UK government agency, a European Standards Organization, an industry association – and probably help from barrels and barrels of coffee.

About time too, as a newly revised and updated Mirai botnet is raising its ugly head – primed for an expanded basket of vulnerable smart devices.

The newly agreed-upon standards have 13 suggested guidelines for making IoT smart devices more secure such as “no default passwords” and “communicate securely.”

“It’s a rather low baseline, but it’s definitely a move in the right direction of a more secure Internet of Things for consumers.” said Andrei Petrus, IoT Director at Avira. “In the rush to get the most innovative and competitive products to market, IoT device manufacturers often overlook the most basic security principles. Without proper enforcement, however, it’s yet to see to what extent manufacturers will voluntarily adhere to the ETSI standards.”

Just a bit of organizational maneuvering

Getting to this point has required a bit of organizational cross-pollination. In the lead position has been the British government. Their Code of Practice was first published in a draft form in March 2018 and finalized in October of that year. It was developed by an alphabet soup of agencies including the Department for Digital, Culture, Media and Sport (DCMS), the National Cyber Security Centre (NCSC), and extensive contact with industry, consumer associations and academia.

This Code of Practice was subsequently developed into ETSI TS 103 645, 16 pages of security standards for the Internet of Things by the ETSI Technical Committee on Cybersecurity. ETSI stands for the European Telecommunications Standards Institute, an independent, not-for-profit organization. They help develop technical standards for the IT and telecom industry you may never have heard of, but which underpin the modern world.

Finally, there is the Cyber-Tech Accord, an association of IT industry manufacturers, developers, and security firms. They just announced that their members had signed off on support of ETSI TS 103 645.

So what happens next?

To summarize events so far, it appears that ETSI TS 103 645 is a gentlemen’s agreement developed by an EU government, codified by an official EU standards developer, and given a warm round of applause by an industry association.

That’s a great start – but only the first steps in what will be a long journey. ETSI TS 103 645 will likely be used as the basis for an IoT certification scheme. Whether manufacturing products based on this standard becomes mandatory remains to be seen.

Here is a peak at the 13 standards:

  1. No default passwords;
  2. Implement a vulnerability disclosure policy;
  3. Keep software updated;
  4. Securely store credentials and security-sensitive data;
  5. Communicate securely;
  6. Minimize exposed attack surfaces;
  7. Ensure software integrity;
  8. Ensure that personal data is protected;
  9. Make systems resilient to outages;
  10. Monitor system telemetry data;
  11. Make it easy for consumers to delete personal data;
  12. Make installation and maintenance of devices easy; and
  13. Validate input data.

This post is also available in: German

As a PR Consultant and journalist, Frink has covered IT security issues for a number of security software firms, as well as provided reviews and insight on the beer and automotive industries (but usually not at the same time). Otherwise, he’s known for making a great bowl of popcorn and extraordinary messes in a kitchen.