On February 19, the European Telecommunications Standards Institute (ETSI) published ETSI TS 103 645 V1.1.1, a high-level, outcome-focused standard for cybersecurity in the consumer-oriented Internet of Things (IoT).
ETSI is an independent not-for-profit standards organization based in France with 800 members in 66 countries across the world. It is one of just three bodies officially recognized by the EU as a European Standards Organization (ESO).
The hope of the new standard is that it will provide the basis for future IoT certification schemes designed to prevent the loss of users’ personal data in breach of GDPR, and the recruitment of consumer IoT devices into botnets (think Mirai) used to DDoS corporations.
The cybersecurity provisions are provided in section 4 of the standard. There are thirteen in total, some being simple statements and others comprising multiple subsections. For example, the total of provision 4.1 requires little more than its heading: “No universal default passwords.”
Provision 4.3 (“Keep software updated”), however, has nine subsections. 4.3.8, as an example, demands: “For constrained devices that cannot have their software updated, the product should be isolable and the hardware replaceable.”
The remaining eleven provisions, at their highest level, are: manage vulnerability reports; securely store security-sensitive data; communicate securely; minimize attack surfaces; ensure software integrity; protect personal data; be resilient to outages; make use of telemetry data; allow users to delete personal data; make installation and maintenance easy; and validate input data. Most provisions then have multiple subsections providing more detailed specifications.
There can be little doubt that manufacturers’ adherence to this standard would lead to a more secure IoT. But there is a common belief that if a standard isn’t required, it won’t be adopted. Without enforcement, the ETSI standard risks being little more than a list of best practices that are already well-known within the industry. The question is not whether the standard is good — it is — but whether it will be used. The danger is that, absent enforcement, the commercial pressures of speed-to-market will continue to suppress best practice and security-by-design in IoT device manufacture.
Fausto Oliveira, principal security architect at Acceptto, believes that lack of enforcement may be problematic. “ETSI is a respected standards body that does not have legal power to enforce standards,” he told SecurityWeek. “Therefore, the real question is will any of the EU member states adopt legislation that would make this standard mandatory? Only time can tell if this standard will be adopted into law.”
There is, however, a mechanism that could effectively make the standard enforceable in Europe and wider without new legislation. If the European regulators individually — but better collectively under the aegis of the European Data Protection Board — provide advice to IoT manufacturers that the ETSI standard will be taken into consideration in any GDPR action against those manufacturers, then conformance will be a way of complying with GDPR.
GDPR compliance was certainly top-of-mind in developing the standard. In its announcement, ETSI commented, “As many IoT devices and services process and store personal data, this specification can help ensure that these are compliant with the General Data Protection Regulation (GDPR).”
“We’ve already seen consumer devices pulled from the shelves or online stores in the EU due to privacy concerns, and this will help manufacturers avoid such a fate in the future,” adds David Ginsburg, VP of marketing at Cavirin. Earlier this month, the European Commission ordered the recall of a children’s smart watch manufactured in Germany, saying, “the watch has unencrypted communications with its backend server and the server enables unauthenticated access to data.”
The underlying question with the ETSI standard is whether it can stand on its own without actual legislative support. One possible route is by reference, and NIST is an example. NIST guidelines do not have legal weight outside of government departments and agencies — nevertheless, its guidelines are often referenced within legislation, giving them the weight of law.
“Remember that any regulations need some ‘source of truth’ as a baseline, and this will fulfill that role,” explains Ginsburg. “If we look at California, the planned consumer IoT law (SB-327 – Information privacy: connected devices) calls for many of the same protections, but the ability to reference something like what ETSI has published would make it more rigorous.”
The closest parallel that Europe has to NIST is ENISA. ENISA has already published a far more demanding IoT document: “Baseline Security Recommendations for IoT in the context of Critical Information Infrastructures”. ENISA is also likely to play an important part in the future of the ETSI standard. The EU’s Cybersecurity Act now only requires formal adoption by the European Parliament (starting in March 2019) and the agreement of the Council of the EU before becoming law. Part of that law will establish ENISA as the EU certification body. It need only develop an official certification for the ETSI standard to secure its future.
ETSI states in its announcement that its standard is designed “to establish a security baseline for internet-connected consumer products and provide a basis for future IoT certification schemes.”
There will still be difficulties. As Oliveira notes, “If it is a self-certification scheme then it becomes a paper exercise; on the other hand, if it requires access to source code in order to achieve certification, I imagine that there will be a great degree of opposition from businesses.”
ETSI’s standard is aimed at consumer IoT, while ENISA’s existing recommendations are aimed at critical infrastructure IoT. The basic principles of secure design, manufacture and use will be common to both areas. The strength of ETSI’s document is that it is eminently approachable and easy to understand. Whether or not it ever gains any legislative force or reference, it is a valuable central source for best practices.