extra_toc

Introduction

The Consumer IoT Security Road Map provides an overview of ETSI's world-leading work in consumer IoT security.

As more devices in our homes connect to the internet and as people entrust their personal data to an increasing number of services, the cyber security of the Internet of Things has become a growing concern. Poorly secured products threaten consumer’s privacy, and some devices are exploited by attackers to: launch large-scale DDoS cyber attacks, mine cryptocurrency and spy on users in their own homes. The first globally applicable standard for consumer IoT security was released by TC CYBER in 2019, achieving global adoption and sparking further TC CYBER work on an EN standard, a assessment specification, an implementation guide, and other vertical standards. This page describes these various packages of work from TC CYBER on IoT security.

Cyber IoT image1

Our Role & Activities

ETSI EN 303 645

The first globally applicable standard for consumer IoT was released by TC CYBER in February 2019 and was developed into ETSI EN 303 645, released in June 2020. ETSI EN 303 645 went through National Standards Organization comments and voting, engaging even more stakeholders in its development and ultimately strengthening the resulting standard. The EN is a result of collaboration and expertise from industry, academics and government. The original TS (TS 103 645) was updated to match the EN and is now used for development purposes only.

ETSI EN 303 645 is designed to prevent large-scale, prevalent attacks against smart devices that cybersecurity experts see every day, by establishing a security baseline for connected consumer products and provides a basis for future IoT certification schemes. This standard describes building security into IoT products from their design, rather than awkwardly bolting security measures on at the end.

ETSI EN 303 645 supports a good security baseline for connected consumer products, provisioning a set of 13 recommendations, with the top three being: no default passwords, implement a vulnerability disclosure policy, and keep software updated. There are also specific data protection provisions for consumer IoT devices.

IoT products in scope include connected children’s toys and baby monitors, connected safety-relevant products such as smoke detectors and door locks, smart cameras, TVs and speakers, wearable health trackers, connected home automation and alarm systems, connected appliances (e.g. washing machines, fridges) and smart home assistants.

TC CYBER has worked closely with CEN/CENELEC JTC 13 members, who have made substantial contributions to ETSI EN 303 645, and the committee will continue to do so.

Cyber IoT image2

Assessment specification, implementation guide and vertical standards

ETSI Technical Committee CYBER (TC CYBER) is continuing its work on IoT security in 2021, with the development of three further standards: a assessment specification, an implementation guide to complement ETSI EN 303 645, and a vertical smart door lock standard.

Assessment specification (TS 103 701)

The assessment specification, started in September 2019, specifies baseline conformance assessments for assessing consumer IoT products against the provisions of ETSI EN 303 645. Its purpose is to test against the provisions of EN 303 645; it does not extend EN 303 645 in any way. It sets out mandatory and recommended assessments, intended to be used by testing labs and certifying bodies that provide assurance on the security of relevant products, as well as manufacturers that wish to carry out a self-assessment. The assurance schemes that this document is used in, and their outcomes, are out of scope. However, the proposed document is intended as input to a future EU common cybersecurity certification scheme as proposed in the Cybersecurity Act. 

Implementation guide (TR 103 621)

The implementation guide, started in June 2020, gives easy-to-use guidance to help manufacturers and other stakeholders to meet the provisions defined for Consumer IoT devices in ETSI EN 303 645. It includes a non-exhaustive set of example implementations – obviously not all possible implementations will be included! – that meet the provisions in the EN.

Vertical standards

ETSI EN 303 645 provides a useful security baseline that spans a variety of consumer IoT devices, but sometimes additional sector-specific requirements need to be stipulated to standardise device security. TC CYBER supports new work items to create sector-specific standards (adding provisions to ETSI EN 303 645) to create a new vertical standard for a sector. Currently, TC CYBER is working on a smart door lock standard, based on ETSI EN 303 645.

International alignment and adoption

ETSI EN 303 645 is a cohesive standard that presents an achievable, single target for manufacturers and IoT stakeholders to attain. Many organizations have already based their products and certification schemes around the EN and its predecessor TS. It demonstrates how one standard can underpin many assurance schemes and provide flexibility in certification - whilst maintaining world-leading security. These include:

  • Singapore’s national Cybersecurity Labelling Scheme builds on EN 303 645IoT tech page logos
  • Finland’s national consumer IoT certification scheme builds on EN 303 645
  • PSA Certified (backed by Arm) has been mapped to EN 303 645
  • The Global Certification Forum offers accreditation to EN 303 645
  • TÜV Süd offers testing against EN 303 645
  • TÜV Rheinland offers certification against EN 303 645
  • VDE offers testing against EN 303 645
  • SESIP by Global Platform has been mapped to EN 303 645 and TS 103 701
  • SGS IoT Testing and Conformity Assessment Program fully includes EN 303 645
  • DEKRA offers security evaluation based on TS 103 701 and against EN 303 645

And many more: UL, Eurosmart, KIWA, Secura, Nemko, ACCS, DTG, IASME…

Current and future work

There are four steps for device and component manufacturers to implement EN 303 645:

Cyber IoT image3

1. Review concepts:

  • Review definitions in the EN
  • Review information in Annex A on device architectures, network architectures, and device states.

2. Implement the provisions:

  • Shall implement all 33 requirements
  • Should implement all 35 recommendations
  • Shall record rationale if a recommendation is not implemented (Annex B)
  • Refer to the implementation guide (TR 103 621) for further guidance

3. Conformance statement: Complete Annex B (implementation conformance pro forma)

4. Assessment: prepare for assessment (in-house or external) using the assessment specification (TS 103 701)

Regulation

EN 303 645 can inform regulation development and facilitate alignment across jurisdictions. However, regulation development is not within TC CYBER’s remit.
EU Cybersecurity Act (CSA) EN 303 645 and the assessment specification TS 103 701 are well placed to provide the foundation for “basic”-level IoT assurance.
EU Radio Equipment Directive (RED) EN 303 645 was originally developed for the CSA and is not suitable for direct transposition as a Harmonised Standard under RED. EN 303 645 could inform future separate Harmonised Standard(s) on security, along with other applicable ETSI deliverables. Whether such Harmonised Standard(s) would profile or complement EN 303 645, and to which extent, remains to be determined.
New EU “horizontal legislation” on IoT security EN 303 645 could inform such legislation, along with other applicable ETSI deliverables.
New UK consumer IoT security legislation Proposed mandatory requirements align with EN provisions 5.1-1, 5.1-2, 5.2-1 and 5.3-13.

Useful links

For more on ETSI's security work, check out the cyber security page on our website.

See also:

Related Committees
Cyber