Your product may be waterproof, but can it handle the depths of the Internet?
When Sean Connery appeared as the first James Bond in the 1962 classic Dr. No, he sported a Rolex Submariner reference 6538. The iconic watch was made to withstand pressures equal to a 200 metre water column; a sensible choice for anyone grappling with car chases, assassins and the odd flamethrower.
Contemporary James Bonds need watches that can deal with all of that – and something that never troubled their cold war predecessors: cyber attacks.
Cyber security: arguably the most pressing safety issue for product developers.
Smart Devices Make Us Vulnerable To Cyber Attacks
Things that used to be offline, like wristwatches, are increasingly connected today. Actually, entire new product categories exist precisely because of the ability to report online; for instance various home security devices. Collectively, they make up the Internet of Things (IoT). The term was coined back in 1999, but it would take many years before it took a real foothold. Now, we’re surrounded by tens of billions of connected wearables and gadgets, and the growth seems unlikely to halt any time soon.
Cyber Assurance: A New Challenge for Product Developers
When you add Internet connectivity to a product, you also add risk. And risk requires management. That’s why when we build roads, we embed safety measures. White lines and dashed lines. Guardrails. Speed limits. Stop signs.
And then of course, the cars themselves have safety systems. Some were likely put in because it made sense to do so, intuitively. Other features, like three-point seatbelts or airbags, were invented in response to accidents.
Similarly, IoT devices are generally equipped with basic safety features, but – let’s be honest – the wolves have mostly dealt with huts made of straw and sticks. And their efforts have been handsomely rewarded. Have we responded?
Sure, ad-hoc countermeasures have been taken on a company level, but the IoT industry as a whole, including governments, has not defined clear guidelines on how to assure cyber threat robustness.
ETSI EN 303 645: A baseline for IoT security
“Ensuring a better level of security in the IoT ecosystem can only be achieved if governments, industry and consumers collaborate on a common and reachable goal, and standardization bodies like ETSI have provided the right platform to achieve it for this standard.”
Mahmoud Ghaddar, CISO Standardization,
quoted in Infosecurity magazine (2020)
The European standard “Cyber Security for Consumer Internet of Things: Baseline Requirements” (ETSI/EN 303 645) was published in June 2020. It defines 13 provisions that establish a baseline for cyber security “intended to protect against elementary attacks on fundamental design weaknesses (such as the use of easily guessable passwords)”.
Businesses and organisations can and should consider certifying for the standard, even before it becomes mandatory. Indeed, some national schemes – like in the UK and Finland – are already referring to this standard.
“To date we have awarded the labels to several products including fitness watches, home automation devices and smart hubs. (...) Feedback from companies and hackers has been very positive so far.”
Juhani Eronen from Traficom to ETSI.org
Cyber Security Is Becoming a Hygiene Factor
As a product developer, you are used to testing your products for physical stress. If you’ve read our comprehensive guide on how to get a product to market, you know what we’re talking about.
Similarly, the scope for testing and certifying for product safety now includes cyber security. In the wake of countless cyber security incidents related to IoT devices, developers will be wise to make sure that their products are as safe as can be. Like we’ve touched upon earlier, the direct and indirect costs of an attack to the parent company can be monumental. Once you lose your stakeholders’ trust, you lose their business too.
“Our labels are awarded to networking smart devices that meet certification criteria based on EN 303 645; this helps consumers identify IoT devices that are sufficiently secure.”
Juhani Eronen from Traficom to ETSI.org
The bottom line is: If you develop IoT products, you should test and certify them for cyber security with the same scrutiny that you do for physical stress.
While you may not count 007 among your customers – you’re in for a skyfall if you don’t properly protect their data.
Geir Hørthe is responsible for the Nemko cyber security initiative. He has worked at Nemko for more than 30 years, in the capacity of test services, lab manager of safety, ATEX and medical departments. He has also been Managing Director at the Nemko office in London for two years. After he returned to Norway, he held...