Welcoming ETSI’s core criteria for consumer IoT security

It has been two years since the Cybersecurity Tech Accord first issued a statement welcoming the work of the European Telecommunications Standards Institute (ETSI) on developing criteria for IoT security (see "Cybersecurity Tech Accord Signatories Endorse ETSI Technical Specification for IoT Security" on cybertechaccord.org). Since then, ETSI has made considerable progress, with implications for the technology sector and beyond.

Last summer, after 18 months of further work, ETSI published ETSI EN 303 645, a European Standard that refines its original 2019 Technical Specification. EN 303 645 establishes a security baseline for internet-connected consumer products and provides a basis for future IoT certification schemes. As with the earlier Technical Specification, it specifies 13 cybersecurity provisions as core criteria for the security of internet-connected consumer devices and their associated services.

As we noted in our statement two years ago, the outcome-focused nature of the ETSI principles gives manufacturers enough flexibility to improve the security of their devices based on current best practices and to evolve as better methods become available. The Cybersecurity Tech Accord recognizes the first three principles in ETSI's core cybersecurity criteria – no default passwords; implement a vulnerability disclosure policy; and keep software updated – as especially foundational for consumer IoT security, and as the elements around which consensus is growing across sectors.

Given this recognition, we expect regulators to focus increasingly on at least these first three cybersecurity criteria in the near term with the option to expand their focus later, while encouraging manufacturers to adopt the other elements of the criteria as best practice. IoT products in scope include common consumer goods like connected children’s toys and baby monitors, connected safety-relevant products such as smoke detectors and door locks, smart cameras, TVs and speakers, wearable health trackers, connected home automation and alarm systems, connected appliances (e.g., washing machines, fridges) and smart home assistants.

The ETSI work, which was shaped initially by the UK Government's original Code of Practice, is already helping to influence the approaches governments are taking worldwide, serving as the first globally applicable standard for IoT security. India and Australia both have draft Codes modeled on the UK version. Finland and Singapore are developing certification and labeling schemes that align with the ETSI work, and the US National Institute of Standards and Technology (NIST) has cross-referenced the ETSI specification in its IoT security guidance. The UK is expected to publish an update shortly on its regulatory approach. None of these will be identical to the ETSI work, but all are likely to be influenced by it, especially its identification of 13 core cybersecurity criteria.

As in the earlier Technical Specification, these core cybersecurity criteria include:

  1. No default passwords; 
  2. Implement a vulnerability disclosure policy; 
  3. Keep software updated; 
  4. Securely store credentials and security-sensitive data; 
  5. Communicate securely; 
  6. Minimize exposed attack surfaces; 
  7. Ensure software integrity; 
  8. Ensure that personal data is protected;  
  9. Make systems resilient to outages; 
  10. Monitor system telemetry data; 
  11. Make it easy for consumers to delete personal data; 
  12. Make installation and maintenance of devices easy; and 
  13. Validate input data. 

An important advance in this process is that the new text was developed with input from National Standards Organisations, engaging a wider group of expert stakeholders from industry, government, and academia. This is likely to indicate the direction of travel for many jurisdictions. ETSI is currently working on a testing process and an implementation guide to complement EN 303 645.

The fundamental aim of the ETSI work remains to prevent large-scale attacks against smart devices, which are unfortunately still a familiar occurrence across the globe. Adopting the standard will help restrict attackers’ ability to take control of devices in order to launch DDoS attacks, mine cryptocurrency and spy on users in their own homes. The more difficult we can make it for bad actors to carry out these attacks, the more we will uplift global IoT baseline security.

The Cybersecurity Tech Accord welcomes this increasing activity and alignment on a common approach to improve IoT security. One of our founding principles is to work together and with like-minded groups to improve cybersecurity for all users. Two years after endorsing ETSI’s initial work on IoT security, we are pleased to see the traction it is gaining around the globe. We encourage more governments to align with this approach and stand ready to assist and support those efforts.

April 2021