How important is IoT cybersecurity?
Smart devices are our key to the digital world. Across the globe, people love them for their convenience. But if there’s anyone who loves smart connected devices even more, it's cybercriminals. With the Internet of Things (IoT), home-assistants and other connected home appliances like refrigerators, washing machines, connected alarm systems, door locks, smoke detectors, baby monitors, and many others that bring unmatched convenience are enjoyed by more people than ever. However, these devices are often plugged into personal smartphones that store private information such as banking details, creating links into far reaching networks and attracting the attention of cybercriminals.
Individual and organizational risk
According to German online data gathering and visualization platform Statista, there will be 29 billion IoT devices worldwide by 2030. For context, the world’s population currently sits at 7.8 billion. Vulnerability within individual IoT devices can also result in collateral damage by compromising the wider connected network. The fact that 98% of IoT device traffic remains unencrypted shows that current security measures are inadequate. According to experts, 57% of such devices are vulnerable to medium or high level attacks.
Without comprehensive security protocols, every connected device becomes a potential entry point for cybercriminals. As industries such as mobile applications, consumer electronics, ecommerce, and automotives, particularly those that house highly sensitive proprietary information, adopt IoT technology, the repercussions of inadequate IoT security can be profound, not just for organizations, but even governments. It is therefore paramount that IoT cybersecurity efforts step up, starting from an individual grassroots level.
Why isn’t IoT cybersecurity being prioritized?
Despite the apparent risks, businesses are finding it difficult to adopt the zero-trust approach they need to keep their IoT networks airtight. A significant proportion of organizations remain unaware of the vulnerabilities that IoT presents, and are instead hyperfocusing on the potential convenience and short-term savings that it can bring. To keep up with this demand, innovators and manufacturers are also prioritizing features above security.
What is considered good IoT cybersecurity?
As with natural landscapes such as the sea and skies, the international cybersecurity landscape is not homogenous throughout, but one that is made up of unique infrastructures and governed by unique norms that interact dynamically with one another within each geographic region. As a result, cybersecurity protocols vary widely in effectiveness and scope across legislation. Furthermore, there is a need to continuously improve upon existing frameworks to combat cybercriminals who are constantly innovating new techniques as well.
Europe: ETSI EN 303 645
As an early-mover, the European Union has published the standard ETSI EN 303 645 for consumer IoT devices basic cybersecurity requirements. This standard was released in June 2020 and is designed to counter attacks against smart devices frequently encountered by cybersecurity experts, covering scopes that include everything from children’s toys, baby monitors, smoke detectors, door locks, smart cameras, TVs, speakers, wearable health devices, alarm systems, and even connected home appliances. From the moment consumers reach for morning breakfast in their smart fridges to after they’ve set alarms and fallen asleep, consumers should be guarded by 13 security and privacy requirements and recommendations that manufacturers are expected to implement in their products:
- No universal default passwords.
2. Implement a means to manage reports of vulnerabilities.
3. Keep software updated.
4. Securely store sensitive security parameters.
5. Communicate securely.
6. Minimize exposed attack surfaces.
7. Ensure software integrity.
8. Ensure that personal data is secure.
9. Make systems resilient to outages.
10. Examine system telemetry data.
11. Make it easy for users to delete personal data.
12. Make installation and maintenance of devices easy.
13. Validate input data.
Compliance to these basic security is part of Radio Equipment Directive (RED) requirements and also help manufacturers to comply with privacy requirements such as the General Data Protection Regulation (GDPR). Not only does ETSI EN 303 645 provide base level assurance for IoT devices, it also forms the baseline for future IoT certification schemes, such as the EU Cybersecurity Act (CSA).
Full adherence is therefore expected to be mandatory by 2025. Although the standard doesn’t provide 100% foolproof protection from every cybercrime in existence, it still helps manufacturers take a large step forward in preventing cybercriminals from launching DDoS attacks and spying on users in their homes. Today, the ETSI EN 303 645 is globally recognized today and adopted by industry experts, academics, testing institutes, and international government bodies. To harmonize with the private sector, test specification ETSI TS 103 701 was also formulated to help manufacturers, suppliers, and implementers apply approved evaluation methodologies into their processes. A new set of requirements are expected to be released by ETSI which will then replace ETSI EN 303 645 in the near future.
Plug into the interconnected future safety with GRL
Harness the power of telecom and interoperable devices to face the burgeoning challenges in the IoT networks head on. GRL’s comprehensive suite of IoT device security testing services is ran by seasoned engineers and widely recognized by reputable governments and organizations (NABL -National Accreditation Board for Testing and Calibration Laboratories) for our well-equipped facilities, highly qualified personnel and technical competence.
The materialization of your product vision is just a few steps away. Reach out for a personalized assessment of your IoT Devices based on the ETSI EN 303 645 standard, as well as tailored recommendations on testing services and solutions that will refine your manufacturing process.
About the Author
Sanjay K Sharma
Associate Director -Cybersecurity Services
Sanjay K Sharma is responsible for developing cybersecurity services and establishing evaluation facilities according to various national, international and industry standards. Supports IoT and digital-connected technologies strategy.
