ETSI, a European Standards Organization (ESO), recently published the first globally applicable standard for the security of the Internet of Things. Its Technical Committee on Cybersecurity (TC CYBER) released ETSI TS 103 645, an IoT cybersecurity standard that establishes a security foundation for IoT devices for consumers and industry. The standard will also serve as the basis for future IoT certification systems. The devices concerned include “connected toys and monitors for babies, safety-related products such as smoke detectors and door locks, smart cameras, televisions and loudspeakers, connected health devices, connected home automation and alarm systems or intelligent home assistants”.
The benefits of IoT depend on products and services being designed for trust, confidentiality and built-in security. This standard addresses these challenges and highlights the technical and organizational controls that play a key role in “addressing significant and widespread safety deficiencies”. In particular, the specification requires developers not to use universal default passwords. In addition, a vulnerability disclosure policy should be put in place so that researchers and others can report security issues.
According to Luis Jorge Romero, Director General of ETSI, these specifications are, overall, results-oriented rather than rules-based, which can give organizations the opportunity to innovate and “implement security solutions adapted to their products”. Finally, this standard will ensure that IoT devices – which process and store personal data – comply with the GDPR.