David Rogers writes about the launch of the specification: ‘Cyber Security for Consumer Internet of Things’ from ETSI’s TC Cyber group.
Today the European Telecommunications Standards Institute (ETSI) announced the publication of their ETSI Technical Specification, TS 103 645 (pdf).
This work builds on the UK Code of Practice for IoT Security and has had input from experts around the world. It is great that this work has been elevated to European level and published as a standard. This means a much wider technical audience and, crucially, official endorsement at European level by companies and governments.
The discussions during the specification development were very rational, and some of the supporting text was promoted into provisions within the specification, making the overall work stronger. For example, wording that could be considered ambiguous from a technical standpoint has been clarified and considered at length by me and others. This means that whilst we still see this as a high-level specification, we’ve also tried to further pin down what we’re trying to say, all whilst trying to avoid unintended consequences and to stop companies deliberately using loopholes to avoid putting security into their products.
These efforts will continue. During the specification process, some really good proposals were brought forward on deep technical aspects of IoT security and privacy that we see as potential spin-off work items in ETSI; I’m keeping track of what those topics were. There are also things that some of us would like to bring into the Code of Practice in future revisions, such as manufacturers considering issues like coercive or controlling behaviour, which can be compounded by IoT in the home. All these things are for the future, but the great thing is that the enthusiasm is there from some brilliant minds in both government and industry, so watch this space!
The IoT Security Mapping site has also been updated to reflect how the ETSI specification maps to the UK Code of Practice in order to help implementers understand how it all fits together, including against other recommendations and specifications from around the world.
The UK’s work on consumer IoT security and privacy, led by the Department for Digital, Culture, Media & Sport (DCMS), has continued since the publication of its Secure by Design work, and the Code of Practice for Consumer IoT Security went out for public comment in March 2018. Our team has been working on mapping IoT security and privacy guidance to the Code of Practice, and we’re now launching https://iotsecuritymapping.uk to support the initiative, including hosting open data files containing all the various mappings.
We believe this is going to be really helpful for the many companies and organisations involved in IoT. It will help to defragment the standards space, and it will help companies understand how to improve security by telling them which recommendations facilitate implementation of the UK’s Code of Practice.
Copper Horse’s CEO, David Rogers, had a chat with Rocco’s Jason Bryan for the Rocco Radio Newsdesk about the launch of the UK government’s Secure by Design report and the Code of Practice on IoT security. The government’s Secure by Design report is available here.
The podcast covers a range of topics including:
the UK government’s work to protect UK consumers
how work from the mobile industry can be carried over into the IoT world
the circumstances and threats that led to the work being created
the thinking behind the work
what other standards bodies and organisations are doing in the IoT security space
the details of the Code of Practice, including vulnerability disclosure, software updates and eliminating default passwords
the implications of security attacks on network operators
machine-to-machine and IoT concerns
identifying insecure products and what “insecurity canaries” are
product labelling and future smart approaches to digital labelling
the use of digital certificates and the challenges of counterfeiting
certification of devices, including those with embedded SIMs, and how that might work
regulation and what might happen in the future
safety in IoT and the future risks of death
signalling storms, resilience and future attacks on network operators
SLAs in business relationships between network operators to guarantee safety in IoT
why smaller network operators need to pay attention to IoT security
If you’re interested in learning more about IoT security, we run an IoT security training programme led by David.