Q&A: Cybersecurity Standard ETSI EN 303 645

As we start to bring more connected devices like refrigerators, thermostats, lightbulbs and washing machines into our homes, cybersecurity becomes a growing concern. For instance, Kaspersky honeypots revealed over 1.5 billion attacks against consumer IoT devices were detected in the first half of 2021 alone. In order to minimize these cybersecurity risks, the ETSI (European Telecommunications Standards Institute) group created a standard in 2021 – the ETSI EN 303 645. 

Forbes estimates an average home in the US contains 20.2 connected devices

So, what is ETSI EN 303 645 and what does it hope to achieve? We answer this question and more that you might have in this article. 

What is ETSI EN 303 645? 

The introduction of the standard cements a global baseline for the security of connected consumer IoT devices. To get there, numerous experts from academia, industry and government were engaged to strengthen its predecessor – TS 103 645.  

These consultations resulted in thirteen robust provisions designed to prevent large-scale cyber-attacks, such as the infamous Mirai botnet attack in 2016 which infected hundreds of thousands of routers, DVRs, and other devices. 

  1. No universal default passwords; 
  2. Implement a means to manage reports of vulnerabilities; 
  3. Keep software updated; 
  4. Securely store sensitive security parameters; 
  5. Communicate securely; 
  6. Minimize exposed attack surfaces; 
  7. Ensure software integrity; 
  8. Ensure protection of personal data; 
  9. Make systems resistant to outages; 
  10. Examine system telemetry data; 
  11. Make it easy for consumers to delete personal data; 
  12. Make installation and maintenance of devices easy; 
  13. Validate input data 

Additionally, several provisions are in line with data privacy acts such as the GDPR. For example, manufacturers must provide consumers with clear information about what data is collected, how it is used and how it can be deleted. 

ETSI EN 303 645 applies to all connected consumer products

Does ETSI EN 303 645 apply to all IoT devices? 

The word ‘consumer’ is front and center of this standard. It extends to the connected or ‘smart’ devices that any person can have at home nowadays. For example, home appliances such as smart TVs, speakers, alarm systems, door locks, smoke detectors and baby monitors, among many others. 

The standard also applies to connected gateways, hubs, and base stations. After all, a home now contains as many as sixteen connected devices, each with an entry point into the home network. Thus the coverage of ETSI EN 303 645 extends to the centralized access point for all the various devices. 

Why the need for this standard? 

IoT manufacturers generally refrain from building their own operating systems (OS) as it is both expensive and time-consuming. Global tech companies like Microsoft are more likely to provide OS updates to their millions of users, while a generic smart TV manufacturer may not.  

Additionally, the seller of the IoT device is often not the end-to-end builder of either the device hardware or the software, meaning that the inner workings of an IoT device are often obscured.

For anyone to obtain this information, their options would be to take a crystal box or black box approach.  

Crystal box approach – The manufacturer proactively supplies the source code and design documentation. This in turn allows for regular source code audits to determine how trust boundaries are set and maintained. 

Black box approach – The more common approach where firmware has to be reverse engineered to get a solid understanding of what goes on inside a device. 

What are the implications of ETSI EN 303 645? 

Essentially, all manufacturers have to prove that their consumer IoT device complies with ETSI EN 303 645 by passing an evaluation performed by a third-party testing laboratory.  

Generally, the evaluation process consists of: 

  1. Manufacturers filling out two key documents that provide information for device evaluation 
    • The first document is the Implementation Conformance Statement (ICS). This indicates which of the requirements in ETSI EN 303 645 that the IoT device does or does not meet 
    • The second is the Implementation eXtra Information for Testing (IXIT), which provides design details for testing 
  2. A testing laboratory will next evaluate and test the product based on the two documents
    • A report will be provided to indicate if the product is ETSI EN 303 645-compliant 

ZARIOT and our ecosystem partners are on hand to help you achieve ETSI 303 645 compliance

Concluding thoughts 

While not comprehensive, ETSI EN 303 645 sets an achievable baseline security standard for IoT stakeholders to attain.  

The standard also boosts consumer confidence in the security of everyday ‘smart’ products. Because consumers are unlikely to fully grasp the technicalities of their devices, a compliance label will help them identify products they can buy with assurance. 

Do you want to know more about ETSI EN 303 645? Contact one of our industry experts today. Together with our ecosystem partner 7Shift, we’ll be able to analyse software components and configuration for vulnerabilities and guide you through to ETSI 303 645 certification.  
