In February 2019, the European Telecommunications Standards Institute (ETSI) published ETSI TS 103 645 V1.1.1, a high-level, outcome-focused standard for the security of internet-connected consumer products or Internet of Things (IoT) devices. IoT devices covered by the new standard include connected children’s toys and baby monitors; IoT-enabled smoke detectors and door locks; smart cameras; TVs and speakers; wearable health trackers; connected home automation and alarm systems; and connected appliances.
ETSI and the New Standard
ETSI is an independent, not-for-profit standards organization based in France, with about 800 members in over 60 countries across the world. It is a European Standards Organization (ESO).
ETSI’s standard is primarily aimed at consumer IoT, and is designed “to establish a security baseline for internet-connected consumer products and provide a basis for future IoT certification schemes.” Weak security in connected products threatens consumer privacy and allows devices to be exploited to launch large-scale DDoS (Distributed Denial of Service) cyber-attacks. Furthermore, in its announcement, ETSI stated, “As many IoT devices and services process and store personal data, this specification can help ensure that these are compliant with the General Data Protection Regulation (GDPR).”
The standard identifies thirteen areas for IoT security. These include: no universal default passwords; manage vulnerability reports; keep software updated; securely store credentials and security-sensitive data; communicate securely; minimize attack surfaces; ensure software integrity; protect personal data; be resilient to outages; examine system telemetry data; make it easy for users to delete personal data; make installation and maintenance easy; and validate input data.
ETSI’s Technical Specification
The complete technical specification of ETSI TS 103 645 V1.1.1 can be found here.