Security by Design – New Security Testing Standard for IoT Devices

Whether it’s a door lock, a power socket or a heating system, according to Statista there are around 50 billion IoT devices in use. Broken down, this means almost 7 devices per person, globally. There is no lack of variants and intelligent functions, however there is often a lack of security. Crammed with sensors and wireless interfaces, these devices nevertheless allow data security and the protection of user data in particular to fall by the wayside.

Having a range of different security levels, and often being used in security-critical positions, this causes confusion and perplexity on the part of both manufacturers and users.

In the past, a range of attacks have demonstrated the vulnerability of IoT devices. The Mirai case made headlines back in 2016. Mirai exploits smart everyday objects, such as routers, smart TVs or surveillance systems. It scans the network for vulnerabilities in factory-installed operating software on these devices, and then attempts to upload malicious code to them.

Following from this, a new variant of Mirai emerged in 2019, primarily targeting IoT devices within companies.

With such attacks and the growing number of IoT devices being launched each year, the question for manufacturers and users alike is how to protect devices from attacks and how to prevent any security vulnerabilities from occurring in the first place.

A uniform security assessment specification, EN 303 645, is now to help in this respect. The standard defines mandatory security requirements and recommendations, test standards, and certification schemes.

The assessment specification addresses all connected consumer IoT devices, from smart TVs to heating systems, with the objective of establishing security by design/by default. Different areas are covered, such as:

• Authentication
• Software update mechanisms
• Secure communication
• Data protection

This is intended to ensure uniformity of security standards, especially in the European market.

Building on EN 303 645, the conformance assessment 103 701 is also being developed, which extends the standard to include test cases. The aim is to introduce a harmonized assessment procedure and uniform label in Europe. The conformance specification serves as a framework for the assessment of conformity with the new standard.  

Currently, the document for TS 103 701 is still in the comment phase until the end of April and can be extended to include suggestions.

The activities at European level are being followed by the planned German pilot project “IT Security Label”. This labeling is intended to inform consumers about the security features of a product or service. Products and services are then labeled based on a manufacturer’s declaration that security requirements are met.

The legal basis and framework at national level for this indicator is to be provided by the forthcoming German IT Security Act 2.0. On the part of the German Federal Office for Information Security (BSI), the products and services with IT security labels are to be regularly tested to verify that the requirements are actually met.

The approaches and planned developments are desirable and certainly go in the right direction, because uniform security requirements, recommendations, tests, and seals are important and provide more transparency, especially for consumers.

However, some questions remain open, especially with regard to the introduction and implementation of the label. These questions were discussed recently at a joint eco roundtable of the IoT and security competence groups. Here, five points crystallized out of the virtual discussion, which was held with the BSI and eco members with different focuses and from a variety of sectors. These points are important and should be carefully considered: 

It must be ensured that the certification measures that have already become established do not fall by the wayside as a result of the new standard and the planned IT security label. Providers must be more involved in the process in order to create transparent solutions for consumers and, in the end, to achieve the goal of a clear and uniform assessment standard rather than creating greater uncertainty.

The IT security label for Germany must be comprehensible for both manufacturers and consumers, and must also establish itself on the market. It must not be developed in a way that bypasses actual practice. Because only in this way can the seal also act as a competitive advantage and give users a sense of security when buying IoT devices.

Especially in view of the German national IT security label, inspections and tests of IoT devices must be carried out by independent testing bodies for the specified security requirements. After all, this is the way to ensure transparency for consumers and to guarantee the value of the label and the actual fulfillment of security standards. Only in this way can confidence in the label be strengthened on the manufacturer and user side.

It is important that security is considered from the very outset, already incorporated in the development of IoT devices, and is also guaranteed in the long term with appropriate updates. This aspect must take on a strong focus particularly in the testing of products and services. The security by design concept must be brought to the fore more strongly in terms of processes. Because only if security is considered from the very beginning and throughout the entire life cycle of products can it also be guaranteed for the consumer.

The sustainability of IoT devices can be another important issue in this context. With the availability of security updates and the possibility of bug fixes for a much longer period than is currently the case with many devices, devices do not have to be scrapped so early. Old devices would no longer pose a security risk, and consumers would be able to use their devices much longer and, above all, securely. Thus, security by design pays huge dividends in the sustainability of IoT devices.

Even though the EN 303 645 standard, TS 109 701, and the German IT security label are the right approach, it remains to be seen how they will be implemented and applied in practice on the market. The relevant documents are still in the process of being agreed upon. They can be viewed and commented on under the following link before ratification is expected in mid-2021.    

Tatjana Hein is Project Manager IoT and AI at eco – Association of the Internet Industry. She is responsible for topics related to Internet of things like smart factory, smart city, and smart home, as well as mobility issues. Before joining eco in 2020, she was content manager and creator at a European analytics provider and was also a guest author for several magazines (such as Big Data Insider, Website Boosting, UPLOAD magazine, marconomy, Contentbird). Before that she worked in an agency as public relations manager for several start-ups.

Cornelia Schildt completed a Diploma in Informatics at the TU Chemnitz and worked for the German Federal Office for Information Security (BSI) as a specialist for Internet security for 5 years, before she joined eco – Association of the Internet Industry in 2011 as a Project Leader in the area of IT security. Since then, she has organized the annual Internet Security Days with international guests, and is Program Manager for a range of security initiatives to train SMEs in the secure use of the Internet and related services. She represents eco as a speaker on IT security topics and in a range of committees.