IoT device standard challenges

Industry 4.0 adoption is pushing industry towards a more automated, and sophisticated manufacturing process, but this comes with risks.

By Joe Lomako May 24, 2022

The European Union’s Cybersecurity Act – Regulation 2019/881 – is already in place and has two main objectives. Firstly, it strengthens the mandate of the EU Agency for Cybersecurity (ENISA), which contributes to cyber policy, enhances the trustworthiness of products and services, supports operational cooperation, and promotes knowledge. Secondly, it aims to establish an EU-wide cybersecurity certification framework.

In Europe, it has recently been announced that Articles 3.3(d), (e) and (f) of the Radio Equipment Directive have been cited in the Official Journal (OJEC), paving the way for further cybersecurity standardization. While the approach is still under review, the most likely outcome is that a number of generic standards will be produced, supplemented by product-specific standards covering protection of the network, data privacy and protection from fraud.

However, two important documents are already available that relate specifically to IoT devices: the guidelines document NIST.IR 8259 (US) and the ETSI standard EN 303 645 (EU).

EN 303 645 covers consumer products, whereas the scope of NIST.IR 8259 is not confined to consumer products, so its general principles can be applied to help demonstrate a baseline of cybersecurity protection for any IoT product.

Although further standards are still in development, assessment can already be performed against EN 303 645. An accompanying document, TS 103 701, provides the test methodology to be used. The portfolio of standards is likely to keep growing.

Now that the UK has left the EU, it is preparing new legislation derived from the EN 303 645 standard, and this is strengthened by the recent introduction of the Product Security and Telecommunications Infrastructure Bill (PSTI), which is likely to initially be limited to three security requirements:

  • A ban on universal default passwords in consumer smart products.
  • The implementation of means to manage reports of vulnerabilities.
  • Transparency as to how long a product will receive security updates.

There are other existing standards aimed at improving security for network infrastructure and associated devices. For example, it is possible that an industrial IoT device or system could be certified under the IEC 62443 series of standards, as part of a larger installation. This standard series addresses security for industrial automation and control systems (IACS).

Gaps in coverage

Although there are still many gaps in cybersecurity standards coverage, the existing standards do at least offer a first line of defense against cyberattack. However, machinery manufacturers should also consider their own cybersecurity programs, as there are options beyond the present standards landscape. These include more stringent, bespoke testing such as penetration testing, thinking ‘secure by design’ from the outset, and taking a proactive approach to cybersecurity that recognizes attacks are a matter of “when, not if.”

Threat resilience and detection should always be treated as a continuous task. It is often said that security is a moving target, and this is all the more evident when one considers that not all threats may have been discovered during the first assessment. Indeed, some of these threats may not even be known to exist – the so-called “zero-day” vulnerabilities. It is therefore very important that an appropriate, consistent and regular review of a plant’s “cyber resistance” status is made to ensure cyber health is maintained. An asset owner has to look for all vulnerabilities, whereas the criminal only needs to find one.

Ongoing investment in cybersecurity is crucial to keep up with technological development, as cybercriminals rapidly develop new forms of attack. Tackling cybersecurity risks can only be achieved through comprehensive planning, periodic evaluation, updates and monitoring. This must be done continuously, from design through to obsolescence.

– This originally appeared on Control Engineering Europe’s website. Edited by Chris Vavra, web content manager, Control Engineering, CFE Media and Technology, cvavra@cfemedia.com.

Author Bio: Joe Lomako is business development manager (IoT) at TÜV SÜD.