Standard challenges for IoT devices

22 May 2022

Industry 4.0 adoption is pushing industry towards a more automated, and sophisticated manufacturing process. As devices, systems and processes become increasingly digitalised and interconnected, the Internet of Things (IoT) opens a wealth of opportunities. However, they also present a cyberattack opportunity for criminals, warns Joe Lomako

The European Union’s Cybersecurity Act – Regulation 2019/881 – is already in place and it has two main objectives. Firstly, strengthening the mandate of the EU Agency for Cybersecurity (ENISA), which contributes to cyber policy; enhances the trustworthiness of products, services, operational co-operation; and promotes knowledge. Secondly, it aims to establish an EU-wide cybersecurity framework.

In Europe, it has recently been announced that Articles 3.3(d)(e) & (f) of the Radio Equipment Directive have been cited in the Official Journal (OJEC), paving the way for further cybersecurity standardisation. While this is currently being reviewed, the most likely approach is that a number of generic standards will be produced, with supplemental product-specific standards which would cover protection of the network, data privacy and protection from fraud. 

However, there are two important documents currently available, which specifically relate to IoT devices. The first is a guidelines document NIST.IR 8259 (US) and the other, ETSI Standard EN 303 645 (EU). 

The EN 303 645 covers consumer products, whereas the scope of NIST.IR 8259 is not confined to consumer products so its general principles can be applied to help demonstrate a baseline of cyber security protection for any IoT product. 

Although further standards are still in development, assessment can be performed using the EN 303 645 standard. An accompanying document, TS 103 701, provides a test methodology to be used. However, the portfolio of standards is likely to increase.

Also, now that the UK has left the EU, it is preparing new legislation derived from the EN 303 645 standard, and this is strengthened by the recent introduction of the Product Security and Telecommunications Infrastructure Bill (PSTI), which is likely to initially be limited to three security requirements:

• A ban on universal default passwords in consumer smart products.
• The implementation of means to manage reports of vulnerabilities.
• Transparency as to how long a product will receive security updates.

There are other existing standards aimed at improving security for network infrastructure and associated devices. For example, it is possible that an industrial IoT device or system could be certified under the IEC 62443 series of standards, as part of a larger installation. This standard series addresses security for industrial automation and control systems (IACS).  

Gaps in coverage
Although there are still many gaps in the cybersecurity standards coverage, the existing ones do at least offer a first line of defence from cyberattack. However, machinery manufacturers should also consider their own cybersecurity programmes as there are other options outside the present standards landscape. This includes more stringent, bespoke testing or ‘penetration testing’ and the necessity to think ‘secure by design’ from the onset and take a proactive approach to cybersecurity by recognising that attacks are ‘when not if’. 

Threat resilience and detection should always be considered as a continuous task. It is often said that security is a moving target and this is all the more evident when one considers that not all threats may have been discovered during the first assessment. Indeed, some of these threats may not even be known to exist – the so called ‘zero-day’ vulnerabilities. It is therefore very important that an appropriate, consistent and regular review of a plant’s ‘cyber resistance’ status is made to ensure cyber health is maintained. An asset owner has to look for all vulnerabilities, where the criminal only needs to find one. 

Ongoing investment in cyber security is crucial to keep up with technological development, as cybercriminals rapidly develop new forms of attack. Tackling the problems of cyber security risks can only be realised by comprehensive planning, periodic evaluation, updates and monitoring. This must be done continuously, from design through to obsolescence. 

Joe Lomako is business development manager (IoT) at TÜV SÜD.

Contact Details and Archive...

Print this page | E-mail this page