ENISA is pushing forward with a proposed scheme that would mandate a basic level of security for all Internet-connected devices
ENISA, the EU Agency for Network and Information Security, has produced a position paper in support of a security labelling scheme for connected devices that would be similar to the CE marking system.
The paper, developed by semiconductor makers ST, NXP and Infineon with ENISA’s support, is the next step toward mandating better security for connected devices such as web cameras and television set-top boxes, whose poor protections have led to their increasingly frequent use by hackers in disruptive cyber-attacks.
IoT trust label
“The development of European security standards needs to become more efficient and/or adapted to new circumstances related to Internet of Things (IoT),” ENISA stated on Monday.
“Based on those requirements, a European scheme for certification and the development of an associated trust label should be evaluated.”
The policy paper outlines an approach to standardisation and certification, security processes and services, security requirements and their implementation, and the economic dimensions of such a scheme.
It proposes minimum standards for all connected devices, from the simplest gadgets up to complex systems such as connected cars and factories, which would be made mandatory in order to guarantee the same requirements for all industry players.
Higher-level sector- or application-specific security levels could then be developed building on the baseline requirements, the paper suggested.
“Currently there is no basic level, no level zero defined for the security and privacy of connected and smart devices,” the paper reads. “There are also no legal guidelines for trust of IoT devices and services and no precautionary requirements in place.”
The US Federal Trade Commission and Ofcom have both suggested that industry improve the security of connected devices, but the FTC has taken a position against regulation, a stance reiterated at a meeting of computer security professionals at Nasdaq on Monday, while Ofcom has only said it would “work with relevant organizations… to identify and explore solutions”.
ENISA is currently campaigning for a broader role for the agency ahead of an organisational review by the European Commission scheduled for September and the renewal of its mandate in 2020.
During the recent WannaCry ransomware outbreak ENISA organised a cross-EU task force, reporting regularly to the Commission and liaising with the EU CSIRT Network, an initiative it described as “the first ever case of cyber cooperation at EU level”.
In a February document outlining its case for a broader mandate, ENISA cited the Mirai botnet – which made use of thousands of hacked connected devices – as an example of the increasing volatility of the online world and the kind of threat requiring a stronger response.
“Crime, espionage, sabotage and even international conflicts move from the so-called real world into the virtual cyber world,” wrote ENISA executive director Udo Helmbrecht in the paper’s foreword.
“Today, more than ever, there is a place for a European body such as ENISA to be positioned with a cyber-security mandate that is resourced to address the cyber challenges of today and tomorrow,” he said in a separate statement.