New IoT ETSI standard – does it go far enough in securing devices?


IoT security has long been dangerously insufficient, both for enterprise networks and for consumers connecting flawed devices to their home networks. However, progress is gradually being made. Last week’s announcement of ETSI’s new IoT cybersecurity standard promises to establish a security baseline for IoT products. Unfortunately, questions remain as to whether it goes far enough.

Alan Grau, Vice President of IoT and Embedded Solutions at Sectigo, comments:

‘ETSI developed the new IoT cybersecurity standard to address the lack of consistent security capabilities in IoT devices and the resulting wave of cyberattacks targeting these devices. The ETSI standard addresses multiple attack vectors with a broad set of baseline requirements, covering everything from eliminating default passwords to ensuring devices can report attacks and update firmware, also requiring that secure key storage and secure boot capabilities be integrated into devices.  

Achieving compliance with the ETSI standard will not be a simple task for OEMs, as many systems will require new capabilities not previously addressed. Secure device identity is a critical capability used to implement many of the high-level goals identified in the standard. Digital certificate-based device identity is a means to eliminate weak authentication using passwords and meets the requirements for enabling secure communication, secure software updates, and data security. 

While this is a European standard, it impacts all devices sold into Europe. Similar standards and regulations have been initiated in the US, Australia and other countries.’