Which cybersecurity standards and directives are currently relevant in the EU? An overview.
Modern communication systems are increasingly interconnected. In the smart home, household appliances, lighting and thermostats communicate with each other and can be controlled centrally. In industry, interconnected systems and machines allow processes to be automated. The IoT (Internet of Things) has long since conquered entire branches of industry as well as the consumer sector. As a result, networked applications are increasingly being targeted by attackers. New and revised standards for IoT and M2M solutions are intended to improve security and thus protect consumers and companies from the unpleasant consequences of attacks.
Wireless smart solutions on the rise
Every day, millions of wireless devices connect to the internet and to each other. In the Internet of Things, devices such as surveillance cameras, production plants, and building and street lighting communicate directly with one another. They use sensors to measure factors such as temperature, or to detect movement or errors in an operating process. A distinction must be made between private and industrial applications. In the private sector, networked electronic devices are intended to make everyday life more comfortable, easier and safer. For example, networked building automation recognises when residents approach, opens doors automatically with the help of cameras and sensors, switches on the lighting and regulates the heating system. In the industrial sector, the focus is on M2M (machine-to-machine) solutions. Machines and systems are connected to each other in such a way that they can carry out automated processes and organise themselves autonomously. This streamlines processes and ultimately increases safety, as human error can be ruled out at many points.
Cyber attacks pose high security risks
However, networking also entails considerable risks. Networked devices connected to the internet are fundamentally exposed to attack from the outside. Attackers are able to manipulate industrial equipment in such a way that dangerous incidents can occur, for example when manipulated sensors fail to detect a hazardous situation and consequently do not raise an alarm. In May 2021, a cyberattack on the Colonial Pipeline in the USA made headlines: attackers paralysed the gasoline supply with a ransomware attack. In such an attack, data is encrypted so that it can only be accessed again with a key. In the case of Colonial Pipeline, that key was only made available in exchange for a high ransom.
If cybercriminals manage to penetrate private IoT networks, the consequences can also be devastating. For example, smart hardware can be misused for DDoS attacks, in which numerous simultaneous requests overload a website and make it temporarily inaccessible. If stored personal information such as credit card and bank data is read out and used for criminal activities, the victim faces not only financial damage but also legal issues.
Which devices are particularly affected?
From 2019 to 2022, the number of connected hardware devices in the consumer sector alone grew from around 27 billion to 50 billion worldwide, according to experts. Forecasts predict 75 billion IoT devices by 2025. In Germany, more than a third of companies used IoT technology in 2021, with a clear upward trend. The number of attacks is rising just as rapidly. In 2018, 813 million cases of cyber manipulation of private devices were counted; one year later, the figure was already 2.9 billion. Surveillance camera systems, smart hubs and network storage, printers, smart TVs and IP phones are particularly affected by cyberattacks. Around 46 per cent of German companies experienced at least one cyberattack in 2021.
What measures protect against attacks on networked hardware?
The figures of the Unit 42 IoT Threat Report are alarming. According to the report, 98 per cent of the traffic passing through IoT solutions in companies is transmitted unencrypted, despite the high risk of attack. Things do not look much better in the private sector. According to one study, only one in six smart home users protects their devices from external attacks with encryption. Standards and baseline requirements for device security are therefore urgently needed, so that security vulnerabilities can be ruled out on the device side from the outset. This is to be achieved through revisions of existing directives and new standards.
Adaptation of the RED Directive
From 2024, an extension of the existing RED (Radio Equipment Directive 2014/53/EU) is to come into force throughout the EU. The RED sets out basic requirements for the safety and electromagnetic compatibility of radio equipment, and thus applies to all devices connected via WLAN, Bluetooth or other radio technologies. With the extension, new legal requirements apply to the cybersecurity of wireless devices, which must be taken into account during development and production. The focus is on the protection of privacy and personal data, the reduction of opportunities for monetary fraud, and greater resilience of communication networks. The most important changes at a glance:
- Wireless devices must include features that prevent them from harming communication networks and ensure that they cannot be used to disrupt the functionality of websites or other services.
- The protection of personal data must be guaranteed. For example, measures that prevent unauthorised access to personal data are mandatory.
- Finally, functions that minimise the risk of fraud in electronic payments, such as better controlled user authentication, must be integrated.
CTIA creates industry-wide foundation for device security in wireless networks
New requirements for improved cybersecurity are also being developed by the CTIA (Cellular Telecommunications and Internet Association). The US trade association for wireless communications provides the CTIA Cybersecurity Certification Test Plan for IoT Devices. This certification programme for the cybersecurity of IoT devices is intended to protect consumers and wireless infrastructures and thus create a basis for smart cities, connected cars and other IoT solutions.
European standard EN 303 645 as a basis for the security of networked devices
More security in the smart home is the goal of the ETSI EN 303 645 standard published on 30 June 2020. With it, the European standardisation organisation ETSI has provided a standard for the development of consumer IoT hardware, especially for the smart home. Based on the TS 103 645 specification and the DIN SPEC 27072 security standard, the main areas it covers are authentication, software update mechanisms, secure communication and data protection. The accompanying test specification ETSI TS 103 701 makes test results comparable across laboratories. Together, both documents form the basis for issuing security certificates such as the current IT security label in Germany.
Improve cyber security with testxchange
New cybersecurity standards improve the security of networked devices, preventing attacks from outside and the unpleasant consequences that come with them. testxchange supports you with the current certifications. We help you find service providers for your product tests. Feel free to send us your request without obligation.