The European Telecommunications Standards Institute (ETSI) has released what it calls a globally applicable standard for cybersecurity in the Internet of Things (IoT).
The new specification, TS 103 645, seeks to establish a security baseline for internet-connected consumer products and provide a basis for future IoT certification schemes.
ETSI said its scope covers consumer IoT products such as connected children’s toys and baby monitors, smoke detectors and door locks, smart cameras, TVs and speakers, wearable health trackers, connected home automation and alarm systems, connected appliances (e.g. washing machines, fridges) or smart home assistants.
“As more devices in the home connect to the internet, the cybersecurity of the Internet of Things (IoT) is becoming a growing concern. People entrust their personal data to an increasing number of online devices and services,” ETSI explained.
“In addition, products and appliances that have traditionally been offline are now becoming connected and need to be designed to withstand cyber threats. Poorly secured products threaten consumers’ privacy and some devices are exploited to launch large-scale DDoS (Distributed Denial of Service) cyber attacks,” it added.
ETSI said TS 103 645 requires implementers to forgo the use of universal default passwords, which have been the source of many security issues, and provide a means to manage reports of vulnerabilities.
It also requires manufacturers to keep software updated, minimize exposed attack surfaces, ensure software integrity, ensure that personal data is protected, and make systems resilient to outages.
Other requirements include provisions for securely storing credentials and security-sensitive data, examining system telemetry data collected from IoT devices and services, and making it easy for consumers to delete personal data and to install and maintain devices.
The specification is expected to help ensure compliance with the General Data Protection Regulation (GDPR), according to the standards body.
“Stakeholders at all levels have worked together to make sure the specification was outcome-focused, rather than prescriptive, giving organizations the flexibility to innovate and implement security solutions appropriate for their products,” said Luis Jorge Romero, ETSI’s Director General, in a media statement.
One of only three bodies officially recognized by the European Union (EU) as a European Standards Organization (ESO), ETSI develops globally applicable standards for ICT-enabled systems, applications, and services.
It has over 800 member organizations worldwide, including leading manufacturing companies, regulatory authorities, government ministries as well as small and medium-sized enterprises, startups, universities, R&D organizations, and interest groups.