Connected consumer products are now an integral part of everyday life, but the technology has evolved so fast that security considerations have not kept pace. Security assurance within the supply chain is an essential element in the overall effort to improve security in the IoT. Standard security requirements are still a long way from being widely adopted and enforced, but they are the fundamental means of validating the claims made by individual companies within the ecosystem and form a critical part of the framework of trust between organisations. Security assurance is the process of verifying those requirements and rules and providing confidence that a particular device complies with them.
Standards must be maintained
Many standards already exist for security across a range of Internet-connected consumer devices, covering both hardware and software. The most prominent in the IoT space, however, is ETSI EN 303 645, the European standard that sets out baseline security requirements for Internet-connected consumer products.
Over the past 40 years, doing nothing, or very little, about security has led to many applications being compromised, with a real impact on everyday life. In the IoT space, cyber-physical devices raise the stakes: a connected door lock can be compromised to allow unauthorised access to a building, or a smart thermostat can be hacked to disrupt operations at a temperature-sensitive facility. The problem is therefore no longer confined to the security of data; it manifests physically as a real-world problem and can even put human safety at risk.
Without vigilance and rigorous security, seemingly harmless products can be taken over and used to cause harm. One well-documented example is the Mirai botnet of 2016, which spread by logging into consumer devices with factory-default credentials and then used them to launch large-scale denial-of-service attacks. Threats such as this are a serious concern to governments and corporations around the world. Many of the underlying issues come from basic flaws in security design for which the fixes are well known.
Work on connected product security has been ongoing for several years, with much of the effort led by industry, and there has been a proliferation of recommendations and proto-standards. While there is significant fragmentation, there is also alignment in the key areas on what action is required. ETSI EN 303 645 is the culmination of much of that work to decide what is needed at a foundational level. Going forward, alignment will improve further as other regions and countries adopt the existing work and position their own policies and guidelines around it. From a regional perspective there are not that many differences: each government has the same concerns over the safety and security of its citizens, so IoT security is one area where there is clear global alignment on what needs doing.
Security across markets and supply chain
There are now many similarities between consumer and industrial connected goods, and the two spaces increasingly overlap and merge. For example, CCTV cameras and audio and communications equipment deployed in commercial settings use components that are also found in the home. This is mainly driven by cost: if mass-market equipment is functional and just about secure, why not use it in the enterprise as well? The result is a blurring of lines when it comes to baseline security requirements. Some countries will, however, adopt derivative specifications for particular sectors, such as medical devices, with additional requirements tied to their regulation. Even so, there will be clear commonalities in security and safety across all vertical industries.
Supply chain security is critical both to telecom networks and to the connected devices themselves. Validating hardware and software at each stage of the supply chain provides assurance about the quality of the product and of the processes by which it was created. With a robust security assurance programme, companies can lay the foundations of a secure, trusted supply chain.
The roll-out of 5G services will result in a massive increase in the number of IoT endpoints and, from an attacker's viewpoint, an enormous increase in the attack surface that can be targeted. As communications technology has become an essential element in sectors as diverse as agriculture and energy supply, ensuring its security is now paramount. Consequently, much time and effort has been focused on guaranteeing the resilience of 5G infrastructure and the integrity and privacy of the data it carries, including the use of network slicing to separate sectors. Attention must now turn to the consumer-owned endpoints, which have not enjoyed the same level of scrutiny up to this point.
Addressing the challenge
Organisations such as the Global Certification Forum (GCF) are working to put security at the top of the agenda throughout the supply chain. GCF recently launched a self-accreditation initiative to ensure that consumer IoT devices comply with the requirements specified by the industry. Based on the top three security provisions of ETSI EN 303 645 (no universal default passwords, a means to manage reports of vulnerabilities, and keeping software updated), the programme is a first step in tackling the key security issues affecting consumer products. As a second phase, GCF is also investigating expanding the set of requirements and using third-party testing to verify compliance. The programme is market driven, so any organisation interested in collaborating and helping to shape the future of standards and regulation in the consumer connected products market should get in contact.
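To make the first of those three provisions concrete, the following is an added example (it is not code from the article, from ETSI or from GCF's programme) of the kind of batch check a manufacturer or test lab could run over factory-provisioned credentials before devices ship. It flags a password that is a well-known universal default, that is shared by more than one unit in the batch, that is trivially derivable from the serial number or MAC printed on the label, or that is too short. The credential list, the minimum length, the record field names and the sample batch are all constructed for illustration, not taken from the standard or from any real product.

```python
"""Batch check of factory-provisioned credentials against the intent of
ETSI EN 303 645 provision 5.1 (no universal default passwords).

Added example; the checks, field names and credential list are assumptions,
not the text of the standard or any certification programme's test suite.
"""

import re
from collections import Counter

# Constructed, illustrative list of universal defaults of the kind abused by
# Mirai-style botnets; a real check would draw on a maintained wordlist.
UNIVERSAL_DEFAULTS = {
    "admin", "password", "1234", "12345", "123456", "root", "default",
    "support", "user", "pass", "guest", "admin1234", "",
}

MIN_LENGTH = 12  # assumed policy value, not a figure from the standard


def _normalise(s: str) -> str:
    """Lower-case and strip separators so 'AA:BB' and 'aabb' compare equal."""
    return re.sub(r"[^0-9a-z]", "", s.lower())


def _derived_from_identity(password: str, serial: str, mac: str) -> bool:
    """True if the password embeds a public identifier (serial or MAC tail).
    Such a scheme is a de facto universal default once the pattern leaks."""
    p = _normalise(password)
    mac_hex = _normalise(mac)
    # The last 6 hex digits of the MAC are what most labels print.
    for n in (12, 8, 6):
        if len(mac_hex) >= n and mac_hex[-n:] in p:
            return True
    s = _normalise(serial)
    return bool(s) and s in p


def assess_batch(devices):
    """devices: iterable of {"serial", "mac", "password"} records.
    Returns {serial: [finding, ...]}; an empty list means the unit passed."""
    devices = list(devices)
    counts = Counter(d["password"] for d in devices)
    report = {}
    for d in devices:
        pw = d["password"]
        findings = []
        if pw.lower() in UNIVERSAL_DEFAULTS:
            findings.append("universal default password")
        if counts[pw] > 1:
            findings.append("password shared by %d devices in batch" % counts[pw])
        if _derived_from_identity(pw, d["serial"], d["mac"]):
            findings.append("password derivable from serial/MAC")
        if len(pw) < MIN_LENGTH:
            findings.append("shorter than %d characters" % MIN_LENGTH)
        report[d["serial"]] = findings
    return report


# Constructed sample batch: one universal default, one MAC-derived password,
# two units sharing a password, and one unit that passes.
SAMPLE_BATCH = [
    {"serial": "SN0001", "mac": "AA:BB:CC:11:22:33", "password": "admin"},
    {"serial": "SN0002", "mac": "AA:BB:CC:11:22:34", "password": "Cam-112234!"},
    {"serial": "SN0003", "mac": "AA:BB:CC:11:22:35", "password": "qG7#vL2m!pRx9Zt"},
    {"serial": "SN0004", "mac": "AA:BB:CC:11:22:36", "password": "qG7#vL2m!pRx9Zt"},
    {"serial": "SN0005", "mac": "AA:BB:CC:11:22:37", "password": "8Vx!m2Qp#Lr4Tz"},
]


def failing_serials(devices=SAMPLE_BATCH):
    """Serials of every unit with at least one finding, sorted."""
    return sorted(s for s, f in assess_batch(devices).items() if f)


if __name__ == "__main__":
    for serial, findings in assess_batch(SAMPLE_BATCH).items():
        print(serial, "OK" if not findings else "; ".join(findings))
```

The shared-password check matters as much as the wordlist: a per-batch secret that is unique to the product line but identical across every unit is exactly the "universal default" the provision rules out, even though no wordlist would contain it. The derivation check is deliberately conservative (substring match on normalised identifiers); a real programme would also reject passwords produced by any documented transformation of label data.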