To be successful over the long term, IoT must be secure, at least that’s what people say. So in 2016, UL introduced the UL 2900 IoT security standard, but it set the bar so high that nobody ended up using it, and the UL IoT Security Rating System was introduced last year with various rankings for IoT device security, from bronze to diamond.
The rating system was based on standards from various countries and regions, including the ETSI TS 103 645 standard for the European market, which defined requirements in terms of software updates, data and cryptography, logical security, system management, privacy protection, protocol security, and processes and documents.
The ETSI Technical Committee on Cybersecurity (TC CYBER) has now released an update to the TS 103 645 IoT security standard, ETSI EN 303 645, “that establishes a security baseline for internet-connected consumer products and provides a basis for future IoT certification schemes”.
There are thirteen cybersecurity provisions – aka the 13 commandments of IoT security – which may apply differently to “simple” and “sophisticated” IoT devices:
- No universal default passwords – All consumer IoT device passwords shall be unique per device or defined by the user.
- Implement a means to manage reports of vulnerabilities – The manufacturer shall make a vulnerability disclosure policy publicly available, and disclosed vulnerabilities should be acted on in a timely manner.
- Keep software updated – All software should be kept updated and well maintained, and the standard defines 12 provisions detailing the requirements including automated secure software updates.
- Securely store sensitive security parameters – Sensitive security parameters in persistent storage shall be stored securely by the device, with anti-tampering and other security measures.
- Communicate securely – The consumer IoT device shall use best practice cryptography to communicate securely.
- Minimize exposed attack surfaces – Disable unused interfaces, do not unnecessarily expose physical interfaces to attack, remove unused code, and so on.
- Ensure software integrity – The consumer IoT device should verify its software using secure boot mechanisms, and alert the user and/or administrator in case of unauthorized changes.
- Ensure that personal data is secure – The confidentiality of personal data transiting between a device and a service should be protected with best practice cryptography, and external sensing capabilities of the device shall be documented in a clear way.
- Make systems resilient to outages – e.g. Consumer IoT devices should remain operating and locally functional in the case of a loss of network access, and should recover cleanly when power is restored after an outage.
- Examine system telemetry data – If telemetry data is collected from consumer IoT devices and services, such as usage and measurement data, it should be examined for security anomalies.
- Make it easy for users to delete user data – A simple method should be provided to erase personal and user data from the device.
- Make installation and maintenance of devices easy – Installation and maintenance of consumer IoT should involve minimal decisions by the user with guidance about security.
- Validate input data – The consumer IoT device software shall validate data input via user interfaces or transferred via Application Programming Interfaces (APIs) or between networks in services and the devices.
There’s also a section about data protection provisions for consumer IoT. You can access all baseline requirements in the standard.
The standard applies to various IoT devices, including:
- Connected children’s toys and baby monitors
- Connected smoke detectors, door locks, and window sensors
- IoT gateways, base stations, and hubs to which multiple devices connect
- Smart cameras, TVs and speakers
- Wearable health trackers
- Connected home automation and alarm systems, especially their gateways and hubs
- Connected appliances, such as washing machines and fridges
- Smart Home assistants.
I assume the UL IoT Security Rating System will be updated for the ETSI EN 303 645 standard, but I could not find details at this point. The standard is probably optional, so you’d have to specifically look for ETSI EN 303 645 compliance on a product, but it may take a while before that happens because additional work is needed to create a complete certification scheme.