ETSI EN 303 645 – a new global security standard for consumer IoT devices?
In June 2021, the Technical Committee on Cybersecurity [TC CYBER] for the European Telecommunications Standards Institute [ETSI] – the body responsible for producing telecoms standards throughout Europe – unveiled ETSI EN* 303 645.
Designed to be globally applicable, this establishes a new cybersecurity standard for Internet of Things [IoT]-connected consumer devices and provides a basis for future IoT certification schemes. It achieves this by creating a ‘protection profile’ – a minimal, baseline set of requirements targeted at mitigating well-defined and described threats – for particular device types.
This allows other regulatory bodies to build their own certification schemes to validate devices against these profiles, ensuring that consumers are given the best possible protection against potential threats.
The EN was introduced to prevent the large-scale, prevalent attacks made against smart devices, which occur daily and are becoming increasingly common. This is illustrated by research from Kaspersky, which found that over 1.5 billion attacks against IoT devices were detected in the first half of 2021. Furthermore, the number of attacks has recently increased by over 100%.
As the use of IoT devices grows throughout the world – with 75.44 billion devices set to be deployed by 2025 – so too does the threat of attacks aimed at stealing users’ personal data. There is broad agreement on the need for IoT certification, but adoption is impeded by the roughly 500 different IoT product requirement frameworks worldwide. The diversity of regulations means that there is currently no single global standard for ensuring the cybersecurity of consumer IoT devices – but ETSI’s EN could change this.
What impact is ETSI EN 303 645 having?
ETSI EN 303 645 is significant. It is redefining standards for security across a broad range of IoT devices. For example, the standard specifies the security requirements that consumer mobile devices must meet, ensuring that key user data – such as photos, videos, user location, emails, SMS, calls, passwords for web services, and fitness-related data – are all protected.
In addition, the standard has a broad coverage of security features. These include cryptographic support, user data protection, identification and authentication, security management, privacy protection, resistance to physical attacks, secure boot, and trusted communication channels.
This is only a snapshot of what the EN is truly capable of delivering to IoT consumers across the world. However, the task of rolling it out globally is obstructed because certain regions of the world have regulations in place that are not aligned with the standard.
How do regulations differ around the world?
The way that IoT cybersecurity regulations vary on an international level can be compared to driving tests. At their core, driving tests are all designed to do the same thing – to assess a person’s driving ability. However, the requirements that drivers must meet differ depending on the country where they take their test.
For example, 15 countries around the world – such as Norway, Hungary, and Austria – include mandatory first aid training for learners, while in other nations, e.g., Thailand, drivers are required to prove that they are not colourblind. This is far removed from the requirements expected in places like the UK and Japan, which are more directly related to driving ability and knowledge.
Even so, the UK and Japanese tests are ranked as two of the hardest theory tests to pass. IoT security is similar: all regulations are aimed at protecting consumers and their devices, yet the requirements that must be met differ from country to country and may be stricter in some places than in others.
Although requirements vary, support for the standard has been strong in places, with many countries introducing regulations based on the standard. These include the UK’s ‘Product Security and Telecommunications Infrastructure [PSTI]’, India’s ‘Code of Practice: Consumer IoT’ and Australia’s ‘Code of Practice’.
Additionally, a wide range of nations across the European Union [EU] have established their own regulations based on the EN. In Canada, the United States, Brazil, and China, however, compliance with ETSI EN 303 645 is not a requirement, and IoT Original Equipment Manufacturers [OEMs] must instead meet national or regional regulations.
Despite this, in virtually all cases the standard could be used to comply with existing regulations. Moreover, because ETSI EN 303 645 provides a security baseline, regional requirements can be layered on top of it rather than replacing it.
As such, regulators should recognise that it is the common good of both consumers and OEMs that ETSI EN 303 645 becomes a global standard. Not only would this ensure that the same level of protection is provided to all IoT consumers worldwide, but it would also enhance user confidence and trust.
It would also ensure that consumers using IoT services that span countries or regions always have a basic level of protection. Compliance would in turn become far easier for OEMs, who would no longer need to add complexity to their software to support multiple regional requirements.
GlobalPlatform & SESIP
To establish ETSI EN 303 645 as a global standard, technical standards organisations are making considerable efforts to support certification bodies in establishing their own IoT device security certification schemes that are compatible with it. GlobalPlatform, for example, is assisting certification bodies in achieving this goal by adopting the Security Evaluation Standard for IoT Platforms [SESIP] methodology, which is one of the ‘ETSI compatible’ schemes.
The SESIP methodology enables security evaluations to be performed in both a cost and time-effective manner, and is specifically designed for IoT platforms and components. The combination of its simple language for expressing security functional requirements, applicability to an IoT threat model, and user-friendliness make SESIP an easy-to-use evaluation methodology.
How Trustonic is helping
At Trustonic, we welcome the move towards standardisation that ETSI EN 303 645 has brought.
As a show of our commitment to meeting the cybersecurity requirements of ETSI, our clients and consumers, we have put some of our relevant IoT cybersecurity products through SESIP certification. This includes our Kinibi-M ‘micro’ Trusted Execution Environment [TEE], the first TEE for ‘Machine-Class’ Arm architectures focused specifically on IoT.
In adopting SESIP, we ensure that our products meet the specific compliance, security, privacy, and scalability challenges of the evolving IoT ecosystem. With Kinibi-M, our customers can have confidence that the product they have invested in has undergone rigorous testing, and is fully compliant with ETSI EN 303 645.
ETSI is working to tackle the huge diversity in IoT devices and the need for lightweight certification to encourage adoption. Our core product, Kinibi, has been certified through the more mature and heavyweight Common Criteria process, against a protection profile defined by GlobalPlatform, to Evaluation Assurance Level [EAL] 5+.
This means that a third-party assessor has measured it against an agreed protection profile. The numerical level assigned to a product indicates the extent to which it has been tested and which assurance requirements it has met, with EAL5+ being the highest for any TEE operating system.
Kinibi-510a provides users with enhanced security and debuggability, as well as support for the latest Arm architectures and Motor Industry Software Reliability Association [MISRA] policies. We are working with silicon provider partners to integrate this recent version of our TEE so that manufacturers can begin to build their devices using Kinibi-510a.
Our Software Development Kit [SDK] has enabled a wide range of third parties to develop support for Kinibi, providing device manufacturers with a wide range of options, from sensor support to Trusted Applications. We hope that, through these efforts and those of other organisations, we can finally move towards ETSI EN 303 645 becoming the global standard for consumer IoT devices.
*EN stands for European Standard