The EU Agency for Network and Information Security (ENISA), an advisory body for the European Union (EU), has been working with several European semiconductor vendors to draw up baseline requirements for security and privacy in IoT devices.
ENISA, which supports the EU and its member states in preparing for and improving network and information security, has joined forces with Infineon Technologies, NXP Semiconductors and STMicroelectronics to set out a common position on cybersecurity in a new paper.
The paper focuses on four main areas that are currently debated at the EU level: standardisation and certification; security processes and services; security requirements and implementation; and the economic dimensions.
In the paper, ENISA calls on the European Commission (EC) to define a policy framework that guarantees minimal security requirements for connected devices. It argues that the development of European security standards needs to become more efficient and adapt to the circumstances that IoT has created. On the basis of those requirements, it proposes a European certification scheme and an associated ‘trust label’.
Mandatory staged requirements
The paper also urges the commission to ensure that reliable security processes and services are developed to support industry in implementing security features in its products, and to encourage the development of mandatory, staged requirements for security and privacy in IoT, including a set of minimal requirements.
In addition, ENISA wants the EC to create a level playing field for cybersecurity and to look into incentives, similar to the Digital Security Bonus, that reward good security practices.
“Trusted solutions and a commonly defined level for the security and privacy of connected and smart devices are both recommended and needed, to allow Europe to reap the benefits of soon-to-become ubiquitous technologies,” ENISA’s executive director Udo Helmbrecht said.
“As such, standardisation and certification have been identified as a priority, to accelerate the level playing field for the entire industry and reflect the trust of citizens, consumers and businesses in the connected environment,” he added.
Yet another standard?
While there may be some concern that this is yet another set of IoT standards from yet another group of organisations, Rob Bamforth, analyst at IT advisory organisation Quocirca, believes it is inevitable that IoT will see a number of standards published over time: some will be geography-specific, while others will be tied to verticals or use cases.
He believes that the ENISA paper is a step in the right direction.
“Security, or rather our trust, is fundamental for IoT, and it requires a minimum baseline at all levels,” he said.
“It might seem like extra layers of complexity, but without trust in security, user adoption will quickly evaporate. It’s a bit like making everyone abide by and agree on what the three pins of electrical plugs do and having a fuse and other components. Although, even with that example, regional differences may apply, so EU standardisation alone will not be enough,” he said.
Ian Hughes, IoT analyst at IT advisory company 451 Research, agrees, saying that consortia and standards bodies will start to work together as their streams cross, helping to reduce complexity and reach consensus in the long run, even if it currently looks like a duplication of effort.