ETSI issues new Internet of Things cybersecurity standard

March 7, 2019

The European Telecommunications Standards Institute (ETSI) Technical Committee on Cyber-Security has issued the ETSI industry standard on internet-connected consumer devices. The standard is based on the UK Government’s Code of Practice, which was launched in October 2018 and provided guidance for consumers on how they can help set up and manage their smart devices to improve their safety and protect their personal information. It is the first such industry standard to apply globally to such devices as:

  • connected children’s toys and baby monitors;
  • connected safety-relevant products such as smoke detectors and door locks;
  • smart cameras, TVs and speakers;
  • wearable health trackers;
  • connected home automation and alarm systems;
  • connected appliances (e.g. washing machines, fridges); and
  • smart home assistants. 

The ETSI Technical Specification TS 103.645 brings together what is widely considered to be good practice in consumer IoT security and builds on the Code of Practice but has been designed to work for European and wider global needs. It establishes a security baseline for internet-connected products and provides a basis for future IoT certification schemes, setting out detail under twelve broader points:

  • avoiding the use of universal default passwords
  • implementing a means to manage reports of vulnerabilities
  • keeping software updated 
  • securely storing credentials and security-sensitive data
  • communicating securely
  • minimising exposed attack surfaces
  • ensuring software integrity
  • protecting personal data
  • ensuring systems are resilient to outages
  • examining system telemetry data
  • easy means for consumers to delete personal data
  • easy installation and maintenance of devices
  • validation of input data