New IoT standard launched
EN 303 645 is designed to prevent large-scale, prevalent attacks against smart devices
A crucial new standard for cyber security in the Internet of Things (IoT) has been announced.
The ETSI Technical Committee on Cybersecurity has unveiled ETSI EN 303 645, which is based on the ETSI specification TS 103 645 and is the result of collaboration and expertise from industry, academics and government. The new standard will provide a basis for future IoT certification schemes and is designed to prevent large-scale, prevalent attacks against smart devices.
The IoT describes the network of physical objects—‘things’—that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the Internet. Over the past few years, as more and more devices in the home and workplace have become connected to the internet, concerns about the cyber security of the IoT have grown. Hackers now have the ability to affect millions of people rather than a few individuals.
IoT objects include everything from connected security systems and thermostats, to cars, electronic appliances, lights, alarm clocks and speaker systems, to name just a few. Compliance with the standard is set to restrict the ability of attackers to take control of devices across the globe, forming what are known as botnets, in order to launch distributed denial-of-service (DDoS) attacks and spy on users in their own homes.
In 2016, a cyber-attack that brought down much of America’s internet was caused by a weapon known as the Mirai botnet. Mirai scours the web for IoT devices protected by little more than factory-default usernames and passwords and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users.
The victims in this case were the servers of Dyn, a company that controlled much of the internet’s domain name system (DNS) infrastructure. The DDoS attack used a network of computers infected with malware to bombard a server with traffic until it collapsed under the strain.
The server remained under sustained assault for almost an entire day, bringing down sites including Twitter, the Guardian, Netflix, Reddit, CNN and many others in Europe and the US.
ETSI EN 303 645 specifies 13 provisions for the security of Internet-connected consumer devices and their associated services. IoT products in scope include connected children’s toys and baby monitors, connected safety-relevant products such as smoke detectors and door locks, smart cameras, TVs and speakers, wearable health trackers, connected home automation and alarm systems and connected appliances such as washing machines and fridges. The standard also includes five specific data protection provisions for consumer IoT and aims to present an achievable, single target for manufacturers and IoT stakeholders to attain.