IT Security Label as a Framework for More Security in IoT
Tatjana Hein from eco reports on the development of a security label for IoT devices by the German Federal Office for Information Security (BSI).
The number of smart devices is increasing: Not only refrigerators, washing machines, and voice assistants are connected to the Internet, but also cars and industrial plants. With useful and intelligent functions, connected products are increasingly making our everyday lives easier. But as the number of networked devices grows, so too does the need for IT security.
The variety of operating systems and standards in use gives rise to numerous security vulnerabilities that cybercriminals exploit. As a result, new potential targets for hackers are constantly emerging. Within a period of just 14 days, every device on the Internet of Things is exposed to several million attack attempts, according to evaluations by security researchers at AV-Test GmbH.
The voluntary IT security label for consumer IT introduced by the German Federal Office for Information Security (BSI) in 2021 was a first step towards more security in the Internet of Things (IoT). In 2022, the BSI opened up the IT security label to many more categories and devices, aiming not only to further establish the label, but also to increase the security of IoT devices in the long term.
German IT Security Label
With the German IT Security Act 2.0, in May 2021 the BSI was given the task of increasing the transparency of the security features of digital products and services by means of a voluntary consumer label.
In December 2021, the BSI successfully launched the new voluntary IT security label for consumer IT. The IT security label is based on a self-test followed by a declaration by the manufacturer. It is intended to create more transparency for consumers by making the promises manufacturers make regarding the IT security of their products and services easily identifiable. As early as the beginning of February 2022, the first label was issued to an email service provider as part of the 18th German IT Security Congress. In addition to email services and routers, manufacturers have also been able to apply for labels in five IoT product categories since May 2022. The categories are smart cameras, smart speakers, smart cleaning and gardening robots, smart toys, and smart television products.
IT security label open for more IoT products
In September 2022, the BSI opened the application process to a wide range of IoT products. The new product category, labeled “Smart Consumer Products”, is now open to most IoT and smart home products. This step is intended to make IT security a key factor in consumers’ purchasing decisions. The new product category is based on the established European security standard ETSI EN 303 645. It addresses IoT devices that may pose a risk to the information security and privacy of users. To counter such threats, the standard includes several security requirements. These include secure authentication mechanisms, appropriate update management, secure storage of sensitive security parameters, and the securing of communications.
The IT security label as a model for Europe
With the IT security label, Germany can certainly serve as a role model in Europe in the future and, in the long term, globally. For this to happen, labeling must become established among German manufacturers. A large number of manufacturers need to be prepared to apply for the voluntary IT security label. Only in this way can it become a competitive advantage for IoT products from Germany and later also from Europe.
Mandatory certification more sensible?
Experts Olaf Pursche, Head of Marketing & Communications at Swiss IT Security Group AG, and Rainer M. Richter, Vice President Europe & Middle East at Horizon3, speaking on the “IoT Security” panel at Internet Security Days 2022, believe the IT security label and opening it up to other IoT products is a sensible way forward. However, they believe that mandatory certification of IoT products would be more successful in ensuring security in IoT. Manufacturers would then have an obligation to address the challenges of IoT security and ensure the safety of their devices.
It remains to be seen whether the IT security label will establish itself in the new product category, and thus contribute to an increase in IoT security in the long term, or whether mandatory certification might still be required.
Tatjana Hein is Project Manager IoT and Mobility at eco – Association of the Internet Industry. She is responsible for topics related to the Internet of Things, such as smart factory, smart city, and smart home, and for the subject area of mobility. Before joining eco in 2020, she was content manager and creator at a European analytics provider and was also a guest author for several magazines (such as Big Data Insider, Website Boosting, UPLOAD magazine, marconomy, Contentbird). Before that she worked in an agency as public relations manager for several start-ups.