21 March, 2019
The European Telecommunications Standards Institute (ETSI) has published a new standard for cybersecurity in consumer IoT products. The standard builds on the UK’s Code of Practice for Consumer IoT Security, published in October 2018. The UK Government developed the Code of Practice from the draft code in its Secure by Design report of March 2018, after consultation with industry, consumer associations, and academics. The UK Code is voluntary, but the UK Government was keen to work with ETSI to develop it into a global standard.
With the growing number of interconnected consumer products making their way into consumers’ homes, cybersecurity issues have increasingly come under scrutiny. The standard aims to set out ‘best practice’ to ensure that products are secure by design and to make it easier for people to stay secure in a digital world. The standard applies to consumer IoT products only; IoT products intended for industrial or healthcare applications are outside its scope.
The standard contains thirteen outcome-focused, rather than prescriptive, guidelines to allow companies scope for innovation in developing security solutions for their products. The standard does not seek to provide solutions to all cybersecurity issues, instead focusing on addressing the most significant and widespread issues. ETSI has also noted that adherence to the standard can help in ensuring companies are compliant with the General Data Protection Regulation (GDPR), as well as assisting with future cybersecurity certification frameworks as anticipated in the EU Cybersecurity Act and the proposed US IoT Cybersecurity Improvement Act.
Key provisions of the standard include:
- No default passwords – all devices should have a unique password and should not be resettable to a default password
- Vulnerability reporting – all companies providing connected devices and services should make available a public point of contact as part of a vulnerability disclosure policy to allow for security issues to be reported. Any reported vulnerabilities should be acted on “in a timely manner”
- Keep software updated – devices must be securely updateable and updates should be timely and not impact the functioning of the device
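The first provision above (unique, non-default credentials on every device) is the one most easily checked at the factory line. The following Python is an added illustration, not part of the ETSI standard, the UK Code, or any vendor tool: it generates a per-device random password at provisioning and audits a batch of device records, rejecting known factory defaults, weak passwords, and any credential shared by more than one unit. The default-password list and the sample batch are constructed for the example.

```python
import secrets
import string
from collections import Counter

# Constructed, illustrative list of well-known factory defaults. A real
# provisioning pipeline would use a maintained list (assumption for this example).
COMMON_DEFAULTS = {"admin", "password", "1234", "12345", "123456", "default", "root", "user"}

MIN_LENGTH = 12
ALPHABET = string.ascii_letters + string.digits


def audit_password(password):
    """Return the reasons a single credential fails the 'no default passwords' provision.

    An empty list means the password is acceptable on its own; batch-level
    problems (sharing across devices) are found by audit_batch()."""
    problems = []
    if password.lower() in COMMON_DEFAULTS:
        problems.append("known default")
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if password.isdigit() or password.isalpha():
        problems.append("single character class")
    return problems


def generate_device_password(length=16):
    """Generate a cryptographically random per-device password at provisioning time.

    Uses the secrets module (CSPRNG) and loops until the candidate passes the
    same audit applied to the batch, so the generator cannot emit a credential
    the auditor would later reject."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not audit_password(candidate):
            return candidate


def audit_batch(records):
    """Audit a list of (device_id, password) pairs from one production batch.

    Returns a dict mapping device_id -> list of problems. A password that
    appears on more than one device is flagged as shared, because a credential
    common to a fleet is a default password in all but name."""
    counts = Counter(pw for _, pw in records)
    findings = {}
    for device_id, pw in records:
        problems = audit_password(pw)
        if counts[pw] > 1:
            problems.append("shared with %d other device(s)" % (counts[pw] - 1))
        if problems:
            findings[device_id] = problems
    return findings


# Constructed sample batch: two units shipped with the same default, one
# provisioned correctly, one with a long but digits-only credential.
SAMPLE_BATCH = [
    ("cam-0001", "admin"),
    ("cam-0002", "admin"),
    ("cam-0003", "Xk9vQ2pLm7RtW4zB"),
    ("cam-0004", "12345678901234"),
]

if __name__ == "__main__":
    for device_id, problems in sorted(audit_batch(SAMPLE_BATCH).items()):
        print(device_id, "->", ", ".join(problems))
    print("fresh credential:", generate_device_password())
```

Running the block prints findings for cam-0001, cam-0002 and cam-0004 and none for cam-0003. The per-device password would be written to the unit and printed on its label; the standard's second half of the provision, that a factory reset must not revert the device to a shared default, is a firmware design matter the auditor cannot verify from the batch record alone.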