Posted by Sabine Dahmen-Lhuissier 13169 Hits

Introduction

Definitions

A Smart Grid is an electricity network that can cost-efficiently integrate the behaviour and actions of all users connected to it – generators, consumers and those that do both – in order to ensure an economically efficient, sustainable power system with low losses and high levels of quality and security of supply and safety.

A Smart Meter is an electronic device that records consumption of electricity, gas or water and communicates that information for monitoring and billing. Smart meters send meter readings to the utility company automatically. They also come with in-home displays, which give users real-time feedback on their energy or water usage and what it is costing.

Smart Grids and Smart Meters Standardization requests and Coordination Groups

In 2009, the European Commission and EFTA mandated CEN, CENELEC and ETSI to develop an open architecture for utility meters involving communication protocols enabling interoperability (smart metering). In response to this request (M/441), CEN, CENELEC and ETSI decided to combine their expertise and resources by establishing the Coordination Group on Smart Meters (CG-SM).

In March 2011, the European Commission and EFTA issued the Smart Grid Mandate M/490 requesting CEN, CENELEC and ETSI to develop a framework to enable European Standardization Organizations (ESOs) to perform continuous standard enhancement and development in the smart grid field. In order to perform the requested work, the ESOs combined their strategic approach and established the Coordination Group on Smart Energy Grids (CG-SEG).

In January 2021, taking into consideration the close contact between the two Groups since their creation, when the European Commission issued the mandates M/441 (utility meters) and M/490 (smart grid), the CEN and CENELEC BTs and the ETSI Board decided to merge both groups into the CEN-CENELEC-ETSI CG on Smart Grids (CG-SG), covering both Smart Energy Grids and Smart Meters.

CEN-CENELEC-ETSI Coordination Group on Smart Grids (CG-SG)

Since January 2021, the CG-SG advises on European standardization requirements relating to smart electrical grid and multi-commodity smart metering standardization, including interactions between commodity systems (e.g. electricity, gas, heat, water), and assesses ways to address them. This includes interactions with end-users, including consumers/prosumers.

Its aim is to promote the deployment of open and interoperable data architectures, based on European and international standards. The scope also includes any standards needed to design, operate and maintain electrical grids securely and efficiently. In the specific area of metering, its scope includes electricity, water, gas and heat/cooling metering devices and systems, and associated architectures.

Within its scope the Group is addressing the European requirements resulting from the Clean Energy Package, including secondary legislation, and any other relevant Commission initiatives.

The CG-SG also receives input from and provides input to the European Commission’s activities related to standardization in the field of smart grids and meters.

With respect to international standardization activities on smart grids and meters, the Group monitors the progress of the relevant standardization activities in ISO, IEC and ITU, promotes coordination between the European activities and those at the international level, and, when needed, promotes the consideration of European requirements within international standardization.

More information concerning past CEN/CENELEC/ETSI achievements on Smart Grids can be found here and on Smart Meters here.

Our role & activities

Our ETSI Smart Machine-to-Machine communications Technical Committee (TC SmartM2M) actively supports the oneM2M global initiative, especially in relation to European Commission (EC) driven activities, bridging the EC’s needs in the M2M/IoT area and the technical work in oneM2M and other ETSI activities.

TC SmartM2M focuses on an application-independent ‘horizontal’ service platform with an architecture capable of supporting a very wide range of services including Smart Metering, Smart Grids, eHealth, Smart Cities, consumer applications (appliances), car automation, Environment, Agriculture and Food security, Smart Water, Smart Industry and Manufacturing, Wearables, Smart Buildings, Smart Lift, etc., based on the Smart Applications REFerence ontology (SAREF), which facilitates cross-domain IoT Semantic interoperability.

Initially, Smart Appliances were specified at the request of EC DG Connect. The Smart Appliances specifications were based on the oneM2M communication framework (TS 103 267) complemented with the Smart Appliance REFerence ontology (now the Smart Applications REFerence ontology, SAREF V3.2.1, TS 103 264). SAREF work has contributed to the foundations of the base ontology of oneM2M Release 2.

TC SmartM2M developed "SAREF ontology and oneM2M Mapping standards" and Smart Appliance testing standards. For SAREF extension investigation in the energy domain (TS 103 410-1), direct inputs from EEBus and Energy@home (in TS 103 410-1 V1.1.1/Smart Appliances) plus KNX and the Flexible power Alliance Network (FAN) (in TS 103 410-1 V1.2.1/SAREF for ENERGY with the support of H2020 INTERCONNECT Project) have been included in TC SmartM2M developments. SAREF is enabling the cross-domain IoT Semantic Interoperability where Energy, Environment and Building sectors have been part of the first SAREF normative work. Then more SAREF extensions were developed for Smart City, Industry and Manufacturing, Smart Agri‑Food, Automotive, eHealth and Ageing-Well, Wearables, Smart Water, Smart Lifts and Smart Grids.

SAREF is recognized as a key enabler of IoT Semantic Interoperability with a growing set of enabling published standards (search ETSI standards with the keyword SAREF).

CG-SG lead and other ETSI Groups involved in Smart Grids

Initially, the ETSI Smart Machine-to-Machine communications Technical Committee (TC SmartM2M) was the lead ETSI Technical Body (TB) for the coordination of ETSI's responses to the EC standardization requests on Smart Grids (M/490) and on Smart Metering (M/441). This lead role has been handed over to the Technical Committee for Access, Terminals, Transmission and Multiplexing (ATTM), which is now the main entry point for ETSI participation in the CEN/CENELEC/ETSI Smart Energy Grids Coordination Group (CG-SG), alongside the other ETSI TBs/ISGs that indicated their interest in taking part in CG-SG (TC ATTM, TC SmartM2M, ISG OEU, TC EE, TC CYBER, ISG CIM, TC ERM, TC SET - Secure Element Technologies - formerly TC SCP, TC MSG (3GPP)). The TC SET core platform specification defining the interface between a UICC and a terminal (TS 102 221) is also one of the mandated specifications for the smart meter work item of EC and EFTA (M/441).


Posted by Sabine Dahmen-Lhuissier 3824 Hits

Introduction

F5G proposes to use the Proof of Concept approach to inspire the development of new use cases and technologies in the domain of fixed optical networks.

The objective of doing Proof-of-Concepts is to:

- Demonstrate the F5G system as a viable technology
- Build commercial awareness and confidence in the ETSI ISG F5G approach
- Provide feedback on interoperability and other technical challenges that may guide the work in the ETSI ISG F5G
- Publicly demonstrate F5G concepts, features and use cases
- Develop a diverse, open F5G ecosystem

The ETSI ISG F5G invites interested parties to perform Proof of Concept projects in order to drive the F5G vision of fibre to everywhere and everything forward.

PoC Framework

The ETSI ISG F5G has developed an F5G PoC Framework to coordinate and promote multi-party Proofs of Concept illustrating key aspects of the F5G work.

F5G PoCs are scoped around F5G use cases or architectural concepts. To help PoC projects focus on the most relevant aspects, it is recommended to check the currently published documents, including the use cases document. Each PoC project feeds the findings and lessons learnt from performing the PoC back to the ISG F5G and helps progress the specification work.

The PoC Framework document describes the F5G PoC framework and includes templates for PoC proposals and PoC reports.

Detailed material on PoCs, including a list of past and current PoCs, can be found under https://docbox.etsi.org/ISG/F5G/Open/PoC_Material.

Neither ETSI, its F5G Industry Specification Group, nor their members make any endorsement of any product or implementation claiming to demonstrate or conform to F5G. No verification or test has been performed by ETSI on any part of these F5G Proof of Concepts.

The F5G ISG is looking forward to the successful implementation of F5G PoCs. In case of any questions or comments, let the ISG know.


Posted by Sabine Dahmen-Lhuissier 52455 Hits

Introduction

The Consumer IoT Security Road Map provides an overview of ETSI's world-leading work in consumer IoT security.

As more devices in our homes connect to the internet and as people entrust their personal data to an increasing number of services, the cyber security of the Internet of Things has become a growing concern. Poorly secured products threaten consumers' privacy, and some devices are exploited by attackers to launch large-scale DDoS cyber attacks, mine cryptocurrency and spy on users in their own homes. The first globally applicable standard for consumer IoT security was released by TC CYBER in 2019, achieving global adoption and sparking further TC CYBER work on an EN standard, an assessment specification, an implementation guide, and other vertical standards. This page describes these various packages of work from TC CYBER on IoT security.

Our Role & Activities

ETSI EN 303 645

The first globally applicable standard for consumer IoT was released by TC CYBER in February 2019 and was developed into ETSI EN 303 645, released in June 2020. ETSI EN 303 645 went through National Standards Organization comments and voting, engaging even more stakeholders in its development and ultimately strengthening the resulting standard. The EN is a result of collaboration and expertise from industry, academics and government. The original TS (TS 103 645) was updated to match the EN and is now used for development purposes only.

ETSI EN 303 645 is designed to prevent the large-scale, prevalent attacks against smart devices that cybersecurity experts see every day. It establishes a security baseline for connected consumer products and provides a basis for future IoT certification schemes. This standard describes building security into IoT products from their design, rather than awkwardly bolting security measures on at the end.

ETSI EN 303 645 supports a good security baseline for connected consumer products, provisioning a set of 13 recommendations, with the top three being: no default passwords, implement a vulnerability disclosure policy, and keep software updated. There are also specific data protection provisions for consumer IoT devices.

IoT products in scope include connected children’s toys and baby monitors, connected safety-relevant products such as smoke detectors and door locks, smart cameras, TVs and speakers, wearable health trackers, connected home automation and alarm systems, connected appliances (e.g. washing machines, fridges) and smart home assistants.

TC CYBER has worked closely with CEN/CENELEC JTC 13 members, who have made substantial contributions to ETSI EN 303 645, and the committee will continue to do so.

Assessment specification (TS 103 701)

The assessment specification, published in August 2021, specifies baseline conformance assessments for assessing consumer IoT products against the provisions of ETSI EN 303 645. Its purpose is to test against the provisions of EN 303 645; it does not extend EN 303 645 in any way. It sets out mandatory and recommended assessments, intended to be used by testing labs and certifying bodies that provide assurance on the security of relevant products, as well as by manufacturers that wish to carry out a self-assessment. The assurance schemes that this document is used in, and their outcomes, are out of scope. However, TS 103 701 is intended as input to a future EU common cybersecurity certification scheme as proposed in the Cybersecurity Act.

Implementation guide (TR 103 621)

The implementation guide, started in June 2020, gives easy-to-use guidance to help manufacturers and other stakeholders to meet the provisions defined for Consumer IoT devices in ETSI EN 303 645. It includes a non-exhaustive set of example implementations – obviously not all possible implementations will be included! – that meet the provisions in the EN.

Vertical standards

ETSI EN 303 645 provides a useful security baseline that spans a variety of consumer IoT devices, but sometimes additional sector-specific requirements need to be stipulated to standardise device security. TC CYBER supports new work items to create sector-specific standards (adding provisions to ETSI EN 303 645 or TS 103 701) to create a new vertical standard for a sector. For this purpose, TC CYBER created templates providing a structured way to extend ETSI EN 303 645 and ETSI TS 103 701 into a vertical domain, with adapted or new provisions in cyber security and data protection and their testing. Even if it is not an IoT device, the generic character of EN 303 645 made it appropriate as a baseline for a TS on Home Gateway Security (TS 103 848). Currently, TC CYBER is working on other verticals like smart door locks and voice-controlled devices, based on ETSI EN 303 645.

Coordinated Vulnerability Disclosure

As mandated in EN 303 645, implementing a vulnerability disclosure policy is a key requirement in ensuring ongoing strong cyber security after a product has been placed on the market. ETSI TR 103 838 provides a guide to coordinated vulnerability disclosure. It contains generic advice on how to respond to and manage a vulnerability disclosure, a defined triage process, and advice on managing vulnerabilities in third party products or suppliers. It also includes an example of a vulnerability disclosure policy.

National schemes development and alignment

ETSI EN 303 645 is a cohesive standard that presents an achievable, single target for manufacturers and IoT stakeholders to attain. Many countries have already based their national product certification schemes around the EN and its predecessor TS. It demonstrates how one standard can underpin many assurance schemes and provide flexibility in certification - whilst maintaining world-leading security.

- Finland’s national consumer IoT certification scheme
- Germany BSI IoT label
- Singapore’s national Cybersecurity Labelling Scheme
- India TEC Code of Practice for Securing Consumer IoT
- Vietnam’s Cyber Information Security Requirements for Internet of things
- U.K.’s Product Security and Telecommunications Infrastructure Bill
- Australia Code of Practice - Securing the Internet of Things for Consumers

In addition to schemes, some organizations provide a translation to foster adoption, e.g. the Japanese Information-technology Promotion Agency.

Two websites provide additional valuable information:

cetome IoT security mapping

Not only can EN 303 645 be used by national schemes, but it can also facilitate alignment across jurisdictions. Countries have started signing mutual recognition agreements, such as Singapore with Finland and Germany.

A first-time multistakeholder collaboration convened by the World Economic Forum has recognized the risks, and formed a global consensus for baseline IoT security measures to protect consumers with five requirements from ETSI EN 303 645.

Within Europe, EN 303 645 and the assessment specification TS 103 701 are well placed to provide the foundation for “basic”-level IoT assurance in an EU Cybersecurity Act (CSA) scheme. EN 303 645 was originally developed for the CSA and is not suitable for direct transposition as a Harmonised Standard under EU product legislation like RED or the EU Cyber Resilience Act. EN 303 645 could inform future separate Harmonised Standard(s) on security, along with other applicable ETSI deliverables.

Private Schemes

Many organizations have already based their products and international private certification schemes around the EN and its predecessor TS. It demonstrates how one standard can underpin many assurance schemes and provide flexibility in certification - whilst maintaining world-leading security.

- PSA Certified (backed by Arm)
- The Global Certification Forum
- TÜV Süd testing
- TÜV Rheinland worldwide testing and certification
- VDE institute testing
- SESIP by Global Platform mapped
- SGS IoT Testing and Conformity Assessment Program
- DEKRA security evaluations
- UL's IoT security Rating assessment, verification and labelling solution
- SafeShark and BSI IoT cyber security assessments, testing and certification
- Bureau Veritas Type Certification for IoT Devices
- ioXt's development of an assurance profile
- Intertek’s Cyber Assured certification

And many more: Eurosmart, KIWA, Secura, Nemko, ACCS, IASME…

Current and future work

There are four steps for device and component manufacturers to implement EN 303 645:

1. Review concepts:

- Review definitions in the EN
- Review information in Annex A on device architectures, network architectures, and device states.

2. Implement the provisions:

- Shall implement all 33 requirements
- Should implement all 35 recommendations
- Shall record rationale if a recommendation is not implemented (Annex B)
- Refer to the implementation guide (TR 103 621) for further guidance

3. Conformance statement: Complete Annex B (implementation conformance pro forma)

4. Assessment: prepare for assessment (in-house or external) using the assessment specification (TS 103 701)

Useful links

For more on ETSI's security work, check out the cyber security page on our website.

See also:

- ETSI TR 103 621, March 2022
- ETSI EN 303 645 V2.1.1, June 2020
- ETSI TS 103 645 V3.1.1, January 2024
- ETSI TS 103 701, August 2021
- ETSI EN 303 645 Press Release, June 2020
- ETSI TS 103 645 Press Release, February 2019
- Template for Consumer IoT Derivative work
- TC CYBER's Roadmap for other TC CYBER work and projects

Posted by Sabine Dahmen-Lhuissier 12313 Hits

Introduction

Distributed ledgers have consolidated as one of the most disruptive applications of information technology to have appeared in recent years. They can store any kind of data as a consensus-based repository of replicated, shared, and synchronized digital records distributed across multiple sites, without depending on any central administrator. Their properties regarding immutability, traceability, managed repudiation, and multi-party verifiability open an opportunity for a wide range of applications, and for new interaction models among the entities using such ledgers.

These technologies have become the intrinsic foundation of secure decentralized transaction-based applications, including (but not limited to) decentralized cryptocurrencies. They are often referred to as blockchain, given the use of cryptographic techniques to link a growing list of blocks (records). While blockchain is a specific implementation of a distributed ledger, the industry has settled on the use of a more generic term: DLT (Distributed Ledger Technology). Conformance with the above features is one of the core components of these ledgers. Additional capabilities of DLTs include support for smart contracts, support for digital identity attributes, object tracking, and the verification of service level agreements.

Distributed ledgers can be considered as permissioned or permission-less, referring to the requirements for a node to be approved to validate transactions and record them on the ledger. While permission-less ledgers are the ones that have received most attention from the public (with the paradigmatic example of Bitcoin), permissioned distributed ledgers (also known as PDL) are better qualified to address most of the use cases of interest to industrial and governmental institutions. The reasons are related to both technical and legal aspects. Attributes including the cost and maximal frequency of recording of a transaction, the cost of the consensus algorithm, and the fairness properties among participants are where PDLs are advantageous compared with non-permissioned DLTs. Enforcement of external legal agreements using Smart Contracts addresses regulatory enforcement in critical sectors.

The ETSI Industry Specification Group on Permissioned Distributed Ledger (ISG PDL) analyses and provides the foundations for the operation of permissioned distributed ledgers, with the ultimate purpose of creating an open ecosystem of industrial solutions to be deployed by different sectors, fostering the application of these technologies, and therefore contributing to consolidating the trust and dependability on information technologies supported by global, open telecommunications networks. The group focuses on addressing infrastructure and operational aspects that are not currently covered by previous or parallel standardization activities. In addition, ISG PDL fosters industry convergence towards shared standards with the intent of avoiding duplication and contradicting publications.

Our Role & Activities

The ISG PDL started from already available experience in the field of permissioned distributed ledgers, seeking the definition of open and well-known operational mechanisms to validate participant nodes, support the automation of the lifecycles of the ledger and individual nodes, publish and execute operations regarding the recorded transactions through smart contracts, improve the security of ledgers during both their design and operation, and establish trusted links among different ledgers using these mechanisms.

ISG PDL has been active since 2019 and has produced the following completed deliverables to date:

- PDL-001 - Landscape of Standards and Technologies
- PDL-002 - Applicability and Compliance to Data Processing Requirements
- PDL-003 - Application Scenarios
- PDL-004 - Smart Contracts PDL System Architecture and Functional Specification
- PDL-005 - Proof of Concepts Framework
- PDL-006 - Inter-Ledger interoperability
- PDL-008 - Research and Innovation Landscape
- PDL-009 - Federated Data Management
- PDL-010 - Operations in Offline Mode
- PDL-011 - Specification of Requirements for Smart Contracts' architecture and security
- PDL-012 - Reference Architecture
- PDL-013 - Supporting Distributed Data Management
- PDL-014 - Study on non-repudiation techniques
- PDL-015 - Reputation Management
- PDL-018 - Redactable Distributed Ledgers
- PDL-019 - PDL Services for Identity and Trust Management
- PDL-020 - Wireless Consensus Network

Additional work is in progress including the following drafts:

- PDL-017 - eIDAS Applicability: Qualification of a PDL
- PDL-021 - 3GPP use cases
- PDL-022 - PDL use in supply chain management
- PDL-023 - PDL service enablers for Decentralized Identification and Trust Management
- PDL-024 - Architecture enhancements for PDL service provisioning in telecom networks
- PDL-025 - Wireless Consensus Specifications
- PDL-026 - Settlement of usage-based services
- PDL-027 - Self Sovereign Identity in Telecom Networks
- PDL-028 - Utilizing PDL in oneM2M standardized IoT service layer platform

ISG PDL has defined a PDL Reference Architecture in PDL-003 and PDL-012 as depicted in the diagram below. Significant efforts are made to address key issues such as interoperability, immutability, redaction, reputation as well as specific implementations including wireless networks and supply chain management.

The specific architectural requirements for telecom networks to enable offering PDL/Blockchain-as-a-Service (PDLaaS) are discussed in PDL-024. This document defines the required functions, interfaces and interactions between the PDL-specific functionality and existing telecom network functionalities.

 

PDL-009 and PDL-013 discuss the application of the PDL reference architecture to federated and distributed data management, including architectural requirements derived from distributed data management use cases, and the definition of extended ETSI ISG-PDL platform services for PDL-based distributed data management. Examples are presented in the diagram below.

 

PDL-010 provides an analysis of the challenges related to data storage and ledger operations when a single PDL node or several PDL nodes are offline, including procedures and architecture design to address these challenges.

Smart contracts, and their planning, coding, and testing are discussed in PDL-011.

Recent work includes architectural support for non-repudiation of input and output data for a PDL, reputation management, methods for managed redactability of PDL data, identity and trust management as demonstrated in PDL-023.

As wireless networks become an integral part of PDL implementations, PDL-020 and PDL-025 discuss and specify wireless consensus in critical Wireless IoT automation, and PDL-021 investigates 3GPP use cases.

Some recent work is focused on the ICT and telecom carrier environment. That includes PDL-022 that discusses PDL in supply chain management, PDL-026 that discusses use of PDL for settlement of usage-based services and PDL-027 that discusses PDL Self Sovereign Identity for service providers.

In addition to written deliverables a framework for technology assessment and demonstration via proofs of concept has been established. The ISG has established a strong connection with research activities, especially the collaborative research projects within the Horizon 2020 programme and has concluded three successful PoCs to date.

The community continues working on additional topics of interest, such as Supply Chain Management, and further study of projects related to software and network related aspects such as 3GPP standards, Wireless networks, Smart contracts as well as collaboration with other European institutions such as eIDAS and CEN/CENELEC. ISG PDL plans to explore new application environments, especially those enabled by the emergence of next-generation networking infrastructures. Those include IoT, Mobility, Edge, Tokenization, resource trading at all levels, as well as new industrial scenarios. DAOs (Digital Autonomous Organisations) are emerging as an effective solution to governance in a distributed, multi-party, environment and ISG PDL is exploring this topic.

Specifications

The ISG PDL works in tight coordination with other groups in ETSI and elsewhere, including open-source initiatives, and is committed to producing deliverables of three different natures: informative (studies and recommendations for further work), normative (specifications) and demonstrative (in the form of proof-of-concept reports and interoperability assessment events).

The ETSI PDL Reference architecture (PDL-012) is aligned with the GSMA and CBAN reference architectures. Furthermore, recent work (PDL-028) explores the use of PDL in oneM2M IoT standards.

A full list of related specifications in the public domain is accessible via the ISG PDL committee page, and can be searched through the ETSI web search interface. ISG PDL documentation is open for public access to facilitate interaction with research and industry. Early versions of working drafts are publicly available at the document open area.

Last updated: 2023-10-19