An emerging standard from the ETSI is defining a baseline security requirement for consumer IoT designs.
It is becoming increasingly clear that even IoT designs targeting a consumer market will need security features, if only to keep user information private. What has not been clear is what types of security features need inclusion. Now, however, an emerging standard from ETSI (European Telecommunications Standards Institute) is defining a baseline security requirement for consumer IoT designs.
ETSI approved and published its standard ETSI EN 303 645 V2.1.1 (2020-06) – Cyber Security for Consumer Internet of Things: Baseline Requirements in June 2020. This puts it on track for final approval and release later this year. The standard specifies the high-level security and data protection provisions that consumer IoT devices and their interaction with associated services should provide. Its scope is specifically limited to the consumer devices, however, not the services, nor is it intended to apply in non-consumer applications such as healthcare or manufacturing. Home automation, connected appliances and toys, connected media, fitness trackers, and the like, though, are all included.
The standard acknowledges that the applicability of its provisions is application-dependent, so define most to be non-mandatory. It also requires that developers record a justification for why any recommendations were not implemented, so other stakeholders can determine if the standard’s provisions were applied appropriately and correctly. Thus, even though mostly optional, the standard’s provisions do establish a definite security baseline to which designs can aspire and that consumers can expect.
This baseline can apply regardless of the device’s complexity. A simple, even constrained, device, such as the one shown in Figure 1, might be limited in its power supply, battery life, processing power, or physical access, or have limited functionality, limited memory, or limited network bandwidth. In this instance, the device might require the support of another device, such as a hub, base station, or companion device. The full system, then, will meet the security standard even though the device alone may not.
Figure 1 A simple IoT device that does not have the resources to meet all parts of the security standard may still do so by being paired with a support device. Source: ETSI
More sophisticated devices that can in themselves provide all the resources needed to meet the security standard are, of course, also covered. The reference architecture shown in Figure 2, for instance, shows the resources available in a smart speaker. It is easily capable of implementing all the standard’s security provisions.
Figure 2 A sophisticated IoT device such as a smart speaker will have all the resources needed to implement the standard’s security provisions. Source: ETSI
There are about a dozen essential cyber security provisions the standard defines for consumer IoT that developers should aim to follow. These include:
These guidelines are only a starting point for consumer IoT security and not intended to solve all security challenges, nor will they protect against prolonged or sophisticated attacks. But they do provide a solid base capability that will protect against elementary attacks on fundamental design weaknesses, and that’s more than many current consumer devices can claim.
The ETSI standards, once formally accepted, will likely become the “opening stakes” for IoT device designs going forward. The time is now for developers to start becoming familiar with the standard and make plans to implement its policies.
This article was originally published on EDN.
Rich Quinnell is a retired engineer and writer, and former Editor-in-Chief at EDN.