Mapping IoT Security and Privacy Recommendations and Guidance to the Consumer IoT Standard ETSI EN 303 645

In 2018 we took on the task of mapping the IoT security standards and recommendations space to the UK government’s Code of Practice for Consumer IoT Security. This was done with the hopes of garnering a better understanding of the heavily fragmented space. Now that we are seeing worldwide adoption of ETSI EN 303 645, an international, European standard, we have refocused our mapping so that you can understand how different recommendations, standards and compliance schemes map to that standard.  

We are pleased to launch iotsecuritymapping.com, realigned to focus on the ETSI EN including all previously mapped documents from the existing site, including the UK Code of Practice itself (with the older versions of this work still available here). As well as the EN provision 5.1-5.13 maps and open data, there is a high-level relationship map mapping all the referenced organisations within the documents we reviewed. This provides an excellent high-level view on which organisations and material are frequently referenced. 

Once again, we’re making all the data available to use as open data as we really want to help people to use this information in their own organisations. 

Similar to our approach to the Code of Practice mapping site, we aim to update this regularly. As inevitably there were standards released during or after our research, and others we hope to include. However, for now at least, we are satisfied that this mapping helps people and organisations understand the commonalities between the numerous bodies and organisations creating standards and recommendations in this area, during a period of defragmentation and harmonisation. With legislation being pushed over the line in many countries, this is an exciting time for the space and we are hoping for even greater harmonisation than ever. The next steps for IoT security will be focused on conformance and compliance, so we’ll keep track of progress in that space too.  

Considering the Future 

Comment from David Rogers: When we tweeted about the new site, we had a comment from Art Manion “I’m concerned that IoT security will sink under the weight and complexity. Any chance of avoiding this common compliance failure?”. It’s a view and concern that we share and goes back to our original rationale for creating the site. As an aside – one of the greatest moves in the UK work was to have the Code of Practice translated into the world’s major languages. It instantly removed barriers and friction to understanding and ultimately, adoption. In this space, we started out with massive fragmentation and no real common view on how to move forward – we had some approaches which were really deeply implementation specific versus super high-level guidance and even some that said we should just educate users. There were a lot of voices however saying the same thing and I’d spoken to a lot of those people and also worked on the technologies that had already been developed in the mobile industry to tackle these issues already. Where we are now is that we do have a harmonised view, we’ve successfully defragmented in a big way such that the major regions and countries of the world are looking at only a couple of (very similar) ways forward now in the consumer IoT space. The devil however is in the detail, as companies implement these standards they will want to do so in different ways. This is perfect because the last thing we wanted to do was to stifle innovation. However, that could (in theory) make compliance processes really cumbersome and complicated – or worse – useless and not worth the paper they’re written on. There has been a lot of work to try and break this down. ETSI’s conformance work for EN 303 645 is this standard – TS 103 701. It is prescriptive to a point and crucially doesn’t ultimately rely on a decision by a company not to implement the measures via a risk assessment. A risky approach but a necessary one in my view – for too long companies have not been doing any risk assessments or threat analysis and even if they have done, they’ve missed the real threats by a country mile. We really need a new approach that is more prescriptive in the short term. If this evolves over time beyond these baseline measures, I have no problem with that, but it is an effective solution for the problems we face today and in the near-term. Another final thing is that we haven’t bitten off more than we can chew when it comes to being tempted into looking at other IoT verticals such as industrial which has a lot of existing standards and safety concerns. 

There is no doubt we’ll get some edge cases. I’ve had to think about them a lot – in fact I painfully missed out on a day’s skiing on holiday while diving deep into the Bluetooth specifications and thinking about Smart TV child locks, while trying to find a way through the ‘default credentials’ problem. None of this stuff is easy, but I don’t think we need to be afraid of playing hard ball on the basics. We’ve had a few decades of this stuff not being designed properly and we have technical solutions that can fix those. 

Visit the new site here