The ETSI IoT standard: Are regulators doing enough to protect IoT devices?

The announcement of a new standard for Internet of Things (IoT) security by the ETSI technical committee in June 2020 was very much welcome in the infosec industry. ETSI EN 303 645 puts in place a security baseline for internet-connected products, and lays out 13 provisions outlining the steps manufacturers can take to secure devices and ensure compliance. Alan Grau, vice president of IoT and embedded solutions, Sectigo, reports.

The new regulation follows a growing trend of lawmakers and regulators waking up to the urgent issue of cyber security in the Internet of Things. Following on from California’s SB-327, which went into effect at the start of 2020, and Australia’s 2019 “Draft Code of Practice: Securing the Internet of Things for Consumers” framework, it became clear that governments and international bodies were starting to tackle the challenge head on.

When the UK announced its new IoT framework in January 2020, the move furthered the argument that IoT security had been insufficient for years, and regulators were ready to amend that.

However, the question remains: are these laws and standards doing enough to address security for IoT devices?

The role of legislation in securing the IoT

For many years, devices would operate in closed, proprietary networks, secured with a defensible perimeter. With the advent of the internet, these systems became increasingly linked to one another via TCP/IP. The benefits of this have been much discussed, with IoT devices a central piece of consumers’ lives as well as enterprises’ networks. And their growth remains unstoppable: analyst house IDC predicts that by 2025, there will be 41.6 billion connected IoT devices in use.

However, legislative consensus has not been able to keep up with this growth. As the market has expanded, new vendors and manufacturers have often undercut competitors on price to create a popular and accessible go-to-market offering. Cutting costs can get solutions to market quickly, but far too few are investing enough time and organisational focus to incorporate appropriate levels of authentication and security.

In the absence of an effective IoT legislative framework, manufacturers have spent decades churning out devices with little to no in-built security, with often only static credentials as a barrier for cyber criminals. Unless security becomes mandated, manufacturers will continue to cut corners at the expense of safety. Only legislation and thorough governance can ensure IoT security is implemented by design, at the point of manufacture, and throughout the device lifecycle.

The small strides towards security

On one hand it is great to see progressive steps made to secure IoT devices. On the other, it is clear that there are still more changes to be made, and a wider consensus needs to be reached.

Looking at the US, for example, SB-327 laid out a clear framework for manufacturers to use next-generation security and authentication tools. It was an important step, and one designed to target botnets that had revealed serious inadequacies in prior security practices. Unfortunately, it was an isolated piece of legislation, specific to the state of California and non-binding nationally.

Looking through the lens of ETSI EN 303 645, a similar conclusion can be reached. The standard is the result of collaboration between figures in the industry, academics and governments, and yet it is neither enforceable nor legally binding.

Whilst it does present a single target for manufacturers and IoT stakeholders to move towards, there will still be some in the industry who tend to implement lax security processes, because it is cheaper and often simply because they can, without being held to account.

It is important to create forward-thinking standards that address the challenge of security across the IoT, but this needs to be supplemented with a legislative agenda, one that ensures manufacturers abide by a cyber security framework when creating devices.

Why built-in is best

It is clear that governments and industry bodies need to be more active in creating an IoT security consensus, but there is some discussion on what the best practices are for securing these devices. Something that is now commonly known is the importance of in-built security and PKI authentication at the point of manufacture. With increasingly convoluted supply chains, the emphasis is on the OEM to ensure that the device is secure the moment that it is created.

To authenticate and encrypt the device, PKI needs to be in-built so that it cannot be tampered with further along the supply chain by malicious actors. Only if the chipset is authenticated and protected by certificates from the foundry stage of manufacture will it remain secure across the device lifecycle.

Global supply chains – time for global standards?

IoT is bringing unparalleled connectivity between devices, people and enterprises, but it is also bringing risks to home and business networks. The industry’s enormous growth has complicated the manufacturing process, so that now devices are created across supply chains of huge complexity and across international borders.

To tackle this challenge, it is time for legislatures to work together to create a global consensus that protects devices at every stage of their lifecycle. Only in this way will supply chains and end products remain secure, and risks to property, life and data security be kept at bay.

The author is Alan Grau, vice president of IoT and Embedded Solutions, Sectigo.
