Emerging standard defines IoT security requirements

Article by: Richard Quinnell

An emerging standard from the ETSI is defining a baseline security requirement for consumer IoT designs.

It is becoming increasingly clear that even IoT designs targeting a consumer market will need security features, if only to keep user information private. What has not been clear is what types of security features need inclusion. Now, however, an emerging standard from ETSI (European Telecommunications Standards Institute) is defining a baseline security requirement for consumer IoT designs.

ETSI approved and published its standard ETSI EN 303 645 V2.1.1 (2020-06) – Cyber Security for Consumer Internet of Things: Baseline Requirements in June 2020. This puts it on track for final approval and release later this year. The standard specifies the high-level security and data protection provisions that consumer IoT devices and their interaction with associated services should provide. Its scope is specifically limited to the consumer devices, however, not the services, nor is it intended to apply in non-consumer applications such as healthcare or manufacturing. Home automation, connected appliances and toys, connected media, fitness trackers, and the like, though, are all included.

The standard acknowledges that the applicability of its provisions is application-dependent, so it defines most of them as non-mandatory. It also requires that developers record a justification for why any recommendations were not implemented, so other stakeholders can determine if the standard’s provisions were applied appropriately and correctly. Thus, even though mostly optional, the standard’s provisions do establish a definite security baseline to which designs can aspire and that consumers can expect.

This baseline can apply regardless of the device’s complexity. A simple, even constrained, device, such as the one shown in Figure 1, might be limited in its power supply, battery life, processing power, or physical access, or have limited functionality, limited memory, or limited network bandwidth. In this instance, the device might require the support of another device, such as a hub, base station, or companion device. The full system, then, will meet the security standard even though the device alone may not.

Figure 1: A simple IoT device that does not have the resources to meet all parts of the security standard may still do so by being paired with a support device. Source: ETSI

More sophisticated devices that can in themselves provide all the resources needed to meet the security standard are, of course, also covered. The reference architecture shown in Figure 2, for instance, shows the resources available in a smart speaker. It is easily capable of implementing all the standard’s security provisions.

Figure 2: A sophisticated IoT device such as a smart speaker will have all the resources needed to implement the standard’s security provisions. Source: ETSI

There are about a dozen essential cyber security provisions the standard defines for consumer IoT that developers should aim to follow. These include:

  • No universal default passwords – In any operating state other than factory default, passwords (when used) must either be user-defined or unique to the device.
  • Implement a means to manage reports of vulnerabilities – Developers must make a vulnerability disclosure policy publicly available.
  • Keep software updated – Developers should plan on providing their devices with timely security updates during their operating lifetime.
  • Securely store sensitive security parameters – Security parameters (such as passwords and encryption keys) held in persistent storage must be secure.
  • Communicate securely – Best-practice cryptography is essential and should be updatable.
  • Minimize exposed attack surfaces – This includes disabling unused network and logical interfaces, concealing debug interfaces where possible, and other such considerations.
  • Ensure software integrity – Provide secure boot operations and recognize unauthorized software changes.
  • Ensure that personal data is secure – Use cryptography on personal data and advise users of the device’s sensory capabilities.
  • Make systems resilient to outages – Accommodate loss of network connectivity and recover cleanly from loss of power.
  • Examine system telemetry data – Any telemetry data the device collects, such as usage statistics and measurements, should be examined for security anomalies.
  • Make it easy for users to delete user data – This is intended to simplify the removal of a device from operation or transfer of ownership.
  • Make installation and maintenance of devices easy – Help users set up their device for secure operation.
  • Validate input data – Ensure that the system cannot be subverted by receiving incorrectly formatted data or code.
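
As an added illustration of the first provision in the list (this is not code from ETSI or from the article), the sketch below audits a constructed provisioning manifest and flags devices outside the factory-default state whose password is neither user-defined nor unique to the device. The manifest layout, field names, and state labels are assumptions made for the example.

```python
import hashlib
from collections import defaultdict

# Constructed sample provisioning manifest; field names and state labels are
# assumptions for this example. password=None means the device uses no password.
MANIFEST = [
    {"id": "cam-001", "state": "factory_default", "origin": "factory", "password": "admin"},
    {"id": "cam-002", "state": "operational", "origin": "factory", "password": "admin"},
    {"id": "cam-003", "state": "operational", "origin": "factory", "password": "admin"},
    {"id": "cam-004", "state": "operational", "origin": "factory", "password": "k7#Qz-pV29xt"},
    {"id": "cam-005", "state": "operational", "origin": "user", "password": "admin"},
    {"id": "cam-006", "state": "operational", "origin": "factory", "password": None},
]


def fingerprint(password):
    """Digest used only to compare passwords without echoing them in reports."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def audit(manifest):
    """Return sorted ids of devices that are out of the factory-default state
    with a factory-set password shared by at least one other device."""
    holders = defaultdict(set)
    for dev in manifest:
        if dev["origin"] == "factory" and dev["password"] is not None:
            holders[fingerprint(dev["password"])].add(dev["id"])

    violations = []
    for dev in manifest:
        if dev["password"] is None:            # "when used": no password, out of scope
            continue
        if dev["state"] == "factory_default":  # the provision exempts this state
            continue
        if dev["origin"] == "user":            # user-defined passwords satisfy it
            continue
        if len(holders[fingerprint(dev["password"])]) > 1:
            violations.append(dev["id"])       # factory-set and not unique
    return sorted(violations)


if __name__ == "__main__":
    for device_id in audit(MANIFEST):
        print(f"{device_id}: shared factory password in use outside factory default")
```

The device still in the factory-default state is not flagged itself, but its password still counts against the uniqueness of the others.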

These guidelines are only a starting point for consumer IoT security and not intended to solve all security challenges, nor will they protect against prolonged or sophisticated attacks. But they do provide a solid base capability that will protect against elementary attacks on fundamental design weaknesses, and that’s more than many current consumer devices can claim.

The ETSI standards, once formally accepted, will likely become the “opening stakes” for IoT device designs going forward. The time is now for developers to start becoming familiar with the standard and make plans to implement its policies.

This article was originally published on EDN.

Rich Quinnell is a retired engineer and writer, and former Editor-in-Chief at EDN.
