ETSI’s standard to secure consumer IoT devices extended to Home Gateways
ETSI is pleased to announce a cyber security specification for Home Gateways, called ETSI TS 103 848 and developed by the CYBER Technical Committee.
Adapted from the provisions of the standard to secure consumer IoT devices, EN 303 645, this technical specification will secure physical devices between the in-home network and the public network, as well as the traffic between these networks.
The Home Gateway (HG) is connected, on one side, to the Internet service provider’s network and, on the other side, to the user's Local Area Network (LAN). On the Internet service provider’s network side, the HG is exposed to other risks and attacks from a consumer IoT device. The committee has therefore added provisions to ETSI EN 303 645.
“Home Gateways are the first line of security defence for connected IoT and other home devices. While a secure home gateway does not remove the need for strong security of local devices connected to the gateway, it can provide protection against vulnerability for legacy devices or for those devices that cannot otherwise be secured. A secure HG is therefore a key security layer of the connected home”, said Alex Leadbeater, Chair of the ETSI CYBER TC.
A guide to implement cyber security for the consumer IoT
To help manufacturers and other stakeholders, the ETSI CYBER technical committee has also released a Technical Report, ETSI TR 103 621, to provide guidance to implement the provisions in ETSI EN 303 645. The report comes in the form of a catalogue of examples illustrating possible solutions. The intention is to help implementers better understand how each provision can be met. For instance, to change the default password, an example states “the consumer IoT device password for the factory default state is printed on a sticker under the device casing. During the initialisation phase, the user is requested to provide a new password and the procedure cannot be completed without the new password being different from the default state password.”.
ETSI EN 303 645, a European standard, is being implemented on a global scale on a variety of consumer devices, smart appliances and the like. The 13 cyber security requirements, as well as the data protection requirements of the EN, provide the baseline security requirements for all consumer IoT devices. They also provide a basis for creating new standards referring to specific consumer IoT devices in vertical sectors. The first related standard addressed smartphones and was released at the end of last year, and the next one will focus on smart door locks.
To help develop other vertical standards, ETSI has created a template providing a structured way to extend ETSI EN 303 645 into a vertical domain, with adapted or new provisions for cyber security and data protection.
In a world where IoT devices are in every room of our households, measures to secure them and protect citizens from malicious attacks are of the essence. The ETSI European consumer cyber security standard is supplemented by a test specification to help manufacturers pass certification schemes, a guide to facilitate implementation and a template to better develop future vertical standards, within the committee or other standardization bodies. ETSI EN 303 645 is one of the best examples of a standard made in Europe for global use.