The Risk of Consumer Electronics in Corporate Settings

Consumer electronics like smart TVs are crafted with user-friendly interfaces, rich feature sets, and a price point that appeals to the masses. However, what often takes a backseat in their development is robust cybersecurity. The same device that streams your favorite shows at home may also hang in the corporate boardroom, potentially becoming a gateway for malicious actors to infiltrate not just the TV, but through it, the entire corporate network.

Household vs. professional use

This issue arises from the large differences in the threats and security requirements between household and corporate use. At home, the potential loss from a compromised device might be relatively limited – perhaps an invasion of privacy or fraudulent purchases. However, in a corporate environment, the stakes skyrocket. A single vulnerability can lead to data breaches, intellectual property theft, and even a dismantling of the entire IT infrastructure, resulting in not only financial losses but also irreparable damage to the company's reputation.

In this context, it is important to understand that manufacturers prioritize consumer demands, which typically center around functionality, aesthetics, and affordability, often at the expense of advanced security features. Moreover, the regular software updates that such devices receive may not be stringently focused on patching security vulnerabilities, a phenomenon that is far more critical in an enterprise setting than a home environment.

The solution?

What, then, is the solution? As corporate boardrooms continue to be furnished with consumer-grade electronics, the answer has up till now been for the professional users to take all responsibility of the security, by implementing mitigating actions. This is simply because the authorities have not introduced any requirements for cyber security for such products. However – this is now changing quickly.

The examples of corporations being compromised through consumer IoTs are many and ranging from temperature controllers and routers to air-condition systems. This has now, finally, also reached the attention of authorities and standardisation organisations.

The ETSI EN 303 645 standard

ETSI EN 303 645 carries the name “Cyber security for consumer IoTs” and although it was first published is 2020 it was so eagerly awaited that it was put into use even before publication. This standard is the first international standard to target cyber security of one of the largest, and fastest growing, product groups, maybe in history. It was quickly adopted by test houses and governmental institutions alike also outside Europe. Earlier this year the standard was accepted used in the world’s largest certification scheme for electrical products, the IECEE CB-certification scheme, with more than one hundred thousand certificates annually.

Requirements worldwide

After too long time of inactivity from lawmakers, it is now safe to say that manufacturers of consumer IoT products are currently facing both voluntary and mandatory requirements for their products.
In Europe cybersecurity is now being implemented into the mandatory CE marking, first through the Radio Equipment Directive in 2025 and later through the Cyber Resilience Act, whilst UK are implementing their own requirements April 2024. In addition, there are voluntary consumer labelling schemes like those of Germany and Finland, the latter also being based on ETSI EN 303 645.
In USA there have been state-requirements since 2020, but now the federal organisations are starting to enforce requirements for federal IoT purchases, using this as a strong driver for market compliance. Also, FCC will implement a US consumer labelling scheme, most likely in Q2 2024.
Brazil and Singapore are examples of countries who have focused their requirements especially, but not exclusively, on gateways as these are products highly critical for the security of the network. Singapore has already made such requirements mandatory whilst Brazil are doing the same early 2024.

Confusing landscape

With all these requirements being imminent one should expect that all manufacturers are in progress of addressing this. However, what we see today is that many are waiting and watching as the time gap slowly is closing!

The reason for this is not necessarily a lack of interest from the manufacturers but may be because of a genuine confusion due to an unclear regulatory landscape. And doing nothing is a common response to confusion – however, that is almost always the worst choice,

Actions of Manufacturers

As mentioned, the requirements may seem overwhelming as cyber security is a relatively new area of regulatory compliance, and the standards are not yet harmonised. The different standards are however built from mainly the same elements such as authentications, encryption and secure updates, just to mention a few. Complying to one standard will thus cover much of another standard.

Therefore, choosing a common international standard such as the ETSI EN 303 645 is currently the best choice of action. If the main objective is to ensure compliance from an internal point of view, then a gap analysis to the standard is a good choice. A gap analysis will probably generate a, hopefully short, list of non-conformities. With this list a manufacturer can make an informed decision on whether to implement improvements on the existing product, or to take this list into the design of next product.
If the objective is to demonstrate compliance for use in the market and towards purchasers, an international standard is still the best choice. But in this case, a test- and certification body should be used, demonstrating compliance from an independent third-party.

How to start?

Nemko has over the last years been talking with numerous manufacturers, from small start-ups to some of the largest corporations in the business, and despite the differences in size, most have similar challenges. Based on this we have made a few recommendations to how to address compliance work with cyber security.

• Include cyber security into general compliance work from design phase.
  Compliance managers have full control of safety, EMC, radio etc. and know well how to address new standards and the relevant people in the organisation. Cyber security is however the realm of the IT- and software people. These are often unknown to the compliance people and are often also unfamiliar with addressing standards. But, including these people in the compliance work is essential.
• Do separate cyber security risk analysis.
  Safety risks analysis have been a requirement for years and manufacturers have long experience in evaluating the possible outcome of safety problems of a product. A breach of security has however totally different consequences and needs to be evaluated separately.
• Standardize cyber security solutions for multiple products.
  This is probably the most common question we get – can the evaluation made on one product be used for other products with same or similar set ups and solutions? Yes! And not only is it a possibility, it’s a recommendation to standardise solutions as one way of increasing security.
  
  If multiple different devices have the same functionality and cybersecurity, only need to be assed, representing a series of products.
• Use international standards to document security (e.g. ETSI 303 645)
  Unlike what some may think, standards are not primarily made to give test houses a way to evaluate a product after it has been produced. Standards are made for designers to construct their products to meet a generally accepted level of compliance, either to safety or security. Using an internationally recognised standard is the best way to ensure compliance and to demonstrate this to the market and customers.
• Prepare well in advance for coming regulatory requirements, such as CE marking.
  Many products are on the market for several years. It may be updated, but the main part of the product remains the same. Of this reason it is essential to start addressing coming regulations even if they are one or two years into the future. If a product does not comply today, it will not by some magic comply later, and retrofitting requirements into an existing product may not be possible.
• Minimum first step - Do a GAP analysis!
  First reaction to insecurity is to maintain status quo, which is a nice way of saying - to do nothing. This reaction is not limited to anyone in particular and I am sure that we all recognise this reaction ourselves. So, to take the first step – do a gap analysis to find what is status today.
  This can be done in many ways.
  • An all internal process, provided having staff experienced with standards.
  • By a third-party test house, or maybe the best option
  • a combination, by having a third party hosting a workshop covering your product and the desired standard. In Nemko we have good experience from this.

Regardless of the choice, remember that not making a choice is also a choice – it’s just not a good one.

Want some help to get started? – book a free online meeting with one from our cybersecurity team.