Consumer electronics like smart TVs are crafted with user-friendly interfaces, rich feature sets, and a price point that appeals to the masses. However, what often takes a backseat in their development is robust cybersecurity. The same device that streams your favorite shows at home may also hang in the corporate boardroom, potentially becoming a gateway for malicious actors to infiltrate not just the TV, but through it, the entire corporate network.
This issue arises from the large differences in the threats and security requirements between household and corporate use. At home, the potential loss from a compromised device might be relatively limited – perhaps an invasion of privacy or fraudulent purchases. However, in a corporate environment, the stakes skyrocket. A single vulnerability can lead to data breaches, intellectual property theft, and even a dismantling of the entire IT infrastructure, resulting in not only financial losses but also irreparable damage to the company's reputation.
In this context, it is important to understand that manufacturers prioritize consumer demands, which typically center around functionality, aesthetics, and affordability, often at the expense of advanced security features. Moreover, the regular software updates that such devices receive may not be stringently focused on patching security vulnerabilities, a phenomenon that is far more critical in an enterprise setting than a home environment.
What, then, is the solution? As corporate boardrooms continue to be furnished with consumer-grade electronics, the answer has so far been for the professional users to take full responsibility for security themselves, by implementing mitigating measures. This is simply because the authorities had not introduced any cyber security requirements for such products. However, this is now changing quickly.
The examples of corporations being compromised through consumer IoT devices are many, ranging from temperature controllers and routers to air-conditioning systems. This has now, finally, also reached the attention of authorities and standardisation organisations.
ETSI EN 303 645 carries the name “Cyber security for consumer IoTs” and although it was first published in 2020, it was so eagerly awaited that it was put into use even before publication. This standard is the first international standard to target the cyber security of one of the largest, and fastest growing, product groups, maybe in history. It was quickly adopted by test houses and governmental institutions alike, also outside Europe. Earlier this year the standard was accepted for use in the world’s largest certification scheme for electrical products, the IECEE CB certification scheme, which issues more than one hundred thousand certificates annually.
After too long a period of inactivity from lawmakers, it is now safe to say that manufacturers of consumer IoT products are facing both voluntary and mandatory requirements for their products.
In Europe, cybersecurity is now being implemented into the mandatory CE marking, first through the Radio Equipment Directive in 2025 and later through the Cyber Resilience Act, whilst the UK is implementing its own requirements in April 2024. In addition, there are voluntary consumer labelling schemes like those of Germany and Finland, the latter also being based on ETSI EN 303 645.
In the USA there have been state requirements since 2020, but now the federal organisations are starting to enforce requirements for federal IoT purchases, using this as a strong driver for market compliance. Also, the FCC will implement a US consumer labelling scheme, most likely in Q2 2024.
Brazil and Singapore are examples of countries that have focused their requirements especially, but not exclusively, on gateways, as these are products highly critical for the security of the network. Singapore has already made such requirements mandatory, whilst Brazil is doing the same in early 2024.
With all these requirements being imminent, one should expect that all manufacturers are already addressing this. However, what we see today is that many are waiting and watching as the window is slowly closing!
The reason for this is not necessarily a lack of interest from the manufacturers, but may be genuine confusion caused by an unclear regulatory landscape. Doing nothing is a common response to confusion; however, that is almost always the worst choice.
As mentioned, the requirements may seem overwhelming, as cyber security is a relatively new area of regulatory compliance and the standards are not yet harmonised. The different standards are, however, built from mainly the same elements, such as authentication, encryption and secure updates, just to mention a few. Complying with one standard will thus cover much of another standard.
Therefore, choosing a common international standard such as ETSI EN 303 645 is currently the best course of action. If the main objective is to ensure compliance from an internal point of view, then a gap analysis against the standard is a good choice. A gap analysis will probably generate a, hopefully short, list of non-conformities. With this list a manufacturer can make an informed decision on whether to implement improvements on the existing product, or to take the list into the design of the next product.
If the objective is to demonstrate compliance for use in the market and towards purchasers, an international standard is still the best choice. But in this case, a test and certification body should be used, so that compliance is demonstrated by an independent third party.
Nemko has over the last few years been talking with numerous manufacturers, from small start-ups to some of the largest corporations in the business, and despite the differences in size, most have similar challenges. Based on this we have made a few recommendations on how to address compliance work with cyber security.
Regardless of the choice, remember that not making a choice is also a choice – it’s just not a good one.
Want some help to get started? – book a free online meeting with one from our cybersecurity team.