EU introduces a cyber security IoT standard to protect its citizens

June 19th 2020 EU introduced the new Cyber Security standard for Consumer Internet of Things products. Following the rapid growth in connected devices combined with the increased risks associated with insecure devices, the EU hopes the new standard will lead to better security practises and more vendors adopting a security by design principle when developing new connected consumer products.

Why this new standard?

The IoT market behaves like the wild-west. The lack of regulation, abundance of cheap technology and the promise of enormous markets and profits have evolved into a scary and unfortunate reality. Vendors of connected devices have little to no incentive to make their products secure. Technologically illiterate consumers who barely know how to configure their home router fail to use their purchasing power to command security in the products. The result is a marketplace where neither the demand nor the supply side value security. Hence, a world of highly insecure and fragile connected devices have emerged.

For some years, the EU realized potential risks following the digital revolution, and therefore decided to put forward standards to set the bar with regards to what is to be expected from connected devices. A standard is the first important step towards eventual regulation.

The new standard in brief

The EU sought to make the standard outcome oriented, as opposed to prescriptive. This allows vendors to comply without any stifling of innovation. The bar was set to establish a baseline of minimum security measures to protect against the most fundamental and elementary cyber security attacks.

The standard consists of 13 provisions. We are happy to report that our own Mender product comes with so many security features that almost half of these provisions will be covered if Mender is being used to secure an IoT device.

The 13 provisions are:

1. No universal default passwords
2. Implement a means to manage reports of vulnerabilities
3. Keep software updated
4. Securely store sensitive security parameters
5. Communicate securely
6. Minimize exposed attack surfaces
7. Ensure software integrity
8. Ensure that personal data is secure
9. Make systems resilient to outages
10. Examine system telemetry data
11. Make it easy for users to delete user data
12. Make installation and maintenance of devices easy
13. Validate input data

Each of these provisions have easy to understand and tangible sub provisions. An example would be: “Provision 5.3-1: All software components in consumer IoT devices should be securely updateable”.

Further, each sub provision comes with examples equally easy to understand and tangible. An example would be: “The first stage boot loader on a device is written once to device storage and from then on is immutable.”

Jump to page 13 in the standard to read more about each of the provisions and its sub provisions and examples.

Expected implications of the new standard

Unfortunately, this standard does not address the fundamental marketplace problem (illiterate consumers and profit seeking vendors). Consumers will remain ignorant to their insecure devices and the vendors continue to push for profit and view security as an extra unnecessary cost. Only naive politicians should expect a change in behavior following a standard like this.

The main implication of the new standard lies in its referenceable value. The EU finally has a recommended way to secure the world’s connected devices.

This standard already serves as the basis for UK’s law to require security labelling on connected devices (read more about that here).

Security auditing and consulting companies now possess a practical check-list to use in client work. By complying with the EU standard, devices will be orders of magnitude more secure than the typical IoT product of today.

If we don’t see a drastic improvement in the security of connected devices, the EU will impose regulations. When this happens this standard can be expected to form the basis for such regulation.

GDPR for IoT is one big disaster away

As mentioned above, a standard will not fix the fundamental demand-supply problem related to the security of IoT products.

Unfortunately, it seems like a big disaster following insecure IoT devices must occur before politicians step up and use their legislation sledge hammer.

Hopefully, such a big disaster comes in the form of geopolitical defense/military realizations that will not impact the life or health of humans. Worse case, somewhere in the world, we will witness some sort of critical infrastructure blow-up. Such an incident will serve as a huge wake-up call for everyone. When it happens, in the same way Facebook and social media brought us GDPR, such disaster will bring us strict IoT regulations.