With all the concern about data privacy and data safety today, IoT manufacturers have to up their game if they want to maintain consumer trust. The ETSI EN 303 645 cybersecurity standard for consumer IoT devices sets a security baseline for those devices and gives manufacturers a way to demonstrate compliance. What exactly is this standard, and how much does it matter?
What is the ETSI EN 303 645?
ETSI EN 303 645, titled Cyber Security for Consumer Internet of Things: Baseline Requirements, is a European Standard published by ETSI. Its companion specification, ETSI TS 103 701, defines how a test lab assesses a device against it. Although it is a European Standard, it was written to be applicable internationally, and it gives manufacturers a baseline of outcome-focused provisions rather than a comprehensive set of precise implementation guidelines. The standard also lays the groundwork for IoT cybersecurity certification and regulation elsewhere: the UK's Product Security and Telecommunications Infrastructure (PSTI) regime, for example, draws its security requirements from the standard's first three provisions, and further schemes in the U.S., EU and around the world build on it.
Why is ETSI EN 303 645 Important in IoT?
A single home filled with smart devices can see as many as 12,000 attack attempts in a single week. Most of those are automated scans and credential-guessing attempts that fail, but at that volume some inevitably get through. ETSI EN 303 645 aims to keep them out with basic security measures, many of which should already be common sense but are still missing from devices shipping today.
For example, one of the basic requirements of the standard (provision 5.1) is no universal default passwords. In other words, your fitness tracker shouldn't share a default password with every other fitness tracker of that brand on the market, and your smart security camera shouldn't have a default that anyone who owns a similar camera already knows. Where a device ships with a pre-installed password, it must be unique per device, and it must not be derivable from public information such as the MAC address or serial number, since anyone on the same network can read those. It seems like that would be common sense for IoT manufacturers, but botnets such as Mirai were built almost entirely on a short list of factory default credentials, on devices whose owners never knew a password needed changing.
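To make the requirement concrete, here is an added example (not code from the original article or from any IoT vendor) of how a manufacturer might generate per-device factory defaults and audit a production batch for the two anti-patterns the provision targets: one password shared across units, and passwords derived from a public identifier. The device records are constructed for the example; the derivation check is a heuristic for the common shortcuts (a slice of the MAC, a truncated unsalted hash of the serial), not a conformance test.

```python
import hashlib
import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_letters + string.digits
PASSWORD_LEN = 16


def generate_device_password(length: int = PASSWORD_LEN) -> str:
    """Factory default for one unit, drawn from the OS CSPRNG.
    No device identifier feeds in, so knowing the serial or MAC
    tells an attacker nothing about the password."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derived_from_public_identifier(password: str, identifiers) -> bool:
    """Heuristic check for defaults derived from a public identifier:
    a run of 6+ characters copied out of the identifier (e.g. the last
    hex digits of the MAC) or a possibly truncated, unsalted hex digest
    of it. Identifiers are compared with ':' and '-' removed."""
    pw = password.lower()
    pw_compact = pw.replace(":", "").replace("-", "")
    for ident in identifiers:
        compact = ident.lower().replace(":", "").replace("-", "")
        for size in range(6, len(compact) + 1):
            for start in range(len(compact) - size + 1):
                if compact[start:start + size] in pw_compact:
                    return True
        if len(pw) >= 6:
            for algo in ("md5", "sha1", "sha256"):
                if pw in hashlib.new(algo, ident.encode()).hexdigest():
                    return True
    return False


def provision(serial: str, mac: str) -> dict:
    """Generate a per-device default and refuse anything the check flags."""
    while True:
        candidate = generate_device_password()
        if not derived_from_public_identifier(candidate, (serial, mac)):
            return {"serial": serial, "mac": mac, "password": candidate}


def audit_batch(batch) -> dict:
    """Report universal defaults (one password on several units) and
    defaults derived from public identifiers across a production batch."""
    by_password = defaultdict(list)
    derived = []
    for dev in batch:
        by_password[dev["password"]].append(dev["serial"])
        if derived_from_public_identifier(dev["password"], (dev["serial"], dev["mac"])):
            derived.append(dev["serial"])
    universal = {pw: serials for pw, serials in by_password.items() if len(serials) > 1}
    return {"universal_defaults": universal, "derived_from_identifier": derived}


# Constructed sample batch (hypothetical devices): two units share "admin",
# one uses the tail of its MAC, one a truncated MD5 of its serial, and one
# has a properly random per-device default.
SAMPLE_BATCH = [
    {"serial": "CAM-0001", "mac": "AA:BB:CC:00:11:22", "password": "admin"},
    {"serial": "CAM-0002", "mac": "AA:BB:CC:00:11:23", "password": "admin"},
    {"serial": "CAM-0003", "mac": "AA:BB:CC:00:11:24", "password": "cc001124"},
    {"serial": "CAM-0004", "mac": "AA:BB:CC:00:11:25",
     "password": hashlib.md5(b"CAM-0004").hexdigest()[:10]},
    {"serial": "CAM-0005", "mac": "AA:BB:CC:00:11:26", "password": "q7Rz2VbL9mXkP4tW"},
]

if __name__ == "__main__":
    findings = audit_batch(SAMPLE_BATCH)
    print("shared defaults:", findings["universal_defaults"])
    print("derived from identifier:", findings["derived_from_identifier"])
    print("fresh unit:", provision("CAM-0006", "AA:BB:CC:00:11:27"))
```

Running the audit over the sample batch flags "admin" as a universal default on CAM-0001 and CAM-0002 and flags CAM-0003 and CAM-0004 as derived from their MAC and serial respectively; only CAM-0005 passes. The generated password never touches the device's identifiers, which is the property the provision is really asking for.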
Another basic requirement (provision 5.11) is making it easy for users to delete their own data, both from the device and from any associated service or app, so the user keeps control over the data a company stores about them. This is standard in the privacy world, particularly in light of GDPR and CCPA, yet it is not a universal feature of IoT devices. Considering how much health- and fitness-related data many of these devices collect, consumer data privacy needs to be more of a priority.
Several more provisions have to do with the software on the device and how the manufacturer manages its security over the product's life. There must be a published vulnerability disclosure policy and a process for acting on reports (provision 5.2). Software must be kept updated, with updates delivered and verified securely and a defined support period stated to the buyer (5.3). Software integrity must be ensured, for example by verifying the firmware at boot and alerting when an unauthorised change is detected (5.7). We would naturally expect these measures from nearly any software we use, so the standard really is a minimum security baseline for consumer IoT rather than a high bar.
What Devices Does ETSI EN 303 645 Cover?
The standard covers consumer IoT: pretty much anything a consumer would call a smart device, including wearables, smart TVs and cameras, smart home assistants, smart appliances, and more. It also applies to connected gateways, hubs, and base stations, in other words the devices that sit between the home's various smart devices and the internet. Devices intended primarily for industrial, healthcare or other professional use are out of scope, although the standard notes that consumer devices are often used in business settings too.
Why Should You Implement ETSI EN 303 645 Requirements?
Just how important is the standard? Companies are losing customers today over a lack of consumer trust. There are plenty of stories of big companies like Google and Amazon failing to adequately protect user data, and IoT in particular has come under fire repeatedly over privacy concerns. An IoT manufacturer that does not want to lose business, face fines and lawsuits, and damage its reputation should implement the standard as a matter of course.
After all, a given home may have as many as 16 connected devices today, each an entry point into the home network. A company might have one laptop per employee but two, three, or more other smart devices per employee, and each is a potential point of entry for attackers. Without a baseline like ETSI EN 303 645 in place, owners of unprotected IoT devices have to worry about identity theft, ransomware, data loss, and much more.
How to Test and Certify Your Product Based on ETSI EN 303 645
Certification follows five steps.
- Manufacturers have to understand the 33 mandatory provisions and 35 recommendations of the standard (version 2.1.1) and design devices accordingly.
- Manufacturers should also choose an IoT platform or connectivity stack that was built with the standard in mind. The standard itself does not require any particular platform, but provisions such as secure communication, secure update delivery and a minimised attack surface are far easier to meet when the underlying stack was designed for them.
- Next, the manufacturer fills out the two documents defined in ETSI TS 103 701 that a test lab needs for evaluation. The first is the Implementation Conformance Statement (ICS), which records which provisions the device does or doesn't meet and why any provision is not applicable. The second is the Implementation eXtra Information for Testing (IXIT), which provides the design details the lab needs to test each provision.
- A testing provider will next evaluate and test the product based on the two documents and give a report.
- The testing provider will provide a seal or other indication that the product is ETSI EN 303 645-compliant.
The ETSI EN 303 645 standard is important, but it is a baseline: meeting it does not by itself keep consumers safe from data breaches or give them full control over their data. Still, as cybersecurity for IoT continues to grow in importance, the standard provides a basis for stricter device security certifications and measures in the future.
Read Our Other Resources
We’ve also published a range of IoT device resources for our community, including:
- Our guide for how you can overcome IoT security and privacy challenges here: https://www.nabto.com/how-overcome-iot-security-privacy-challenges/
- The advantages of P2P connectivity for more secure IoT systems: https://www.nabto.com/security-in-nabto-p2p-iot-solutions/
- Best practices for IoT data security: https://www.nabto.com/5-best-practices-cloud-iot-security/