While offering convenience and accessibility, connected products and systems – in other words, devices in the Internet of Things (IoT) – are vulnerable to cyber risks. Consumer products such as smart home gateways, smart television sets and smart home security and lighting systems carry potential data security and privacy risks. If these products are insufficiently protected, manufacturers may be held accountable.
As the demand for consumer IoT (CIoT) devices expands, so too do the associated risks, because potential vulnerabilities or design errors in devices become more significant. “In 2020, 11.7 billion connected IoT devices were in active use worldwide, and this figure is expected to rise to 30 billion by 2025”, says Florian Wolff von Schutter, Head of Cyber Security for CIoT Devices at TÜV SÜD Product Service. “Unfortunately, market growth is matched by rising loss resulting from cyber-crime, which is expected to cost the world more than USD 10 trillion by 2025”.
EU RADIO EQUIPMENT DIRECTIVE IMPOSES STRICTER REQUIREMENTS
According to the EU Commission, over 80 % of all cyber-attacks target wireless devices. The EU Commission’s delegated act under the Radio Equipment Directive 2014/53/EU has thus imposed stricter cyber security requirements for these devices, including smartphones, tablets, electronic cameras and wearables such as smart watches and fitness trackers, but also toys and baby monitors. The regulation was published on 12 January 2022. By the end of the transition period on 1 August 2024, the manufacturers of IoT devices must have established suitable measures to protect privacy, reduce fraud risks and safeguard the stability of the network. Since there have been no harmonised standards in this area so far, manufacturers should take steps to have their products assessed by an independent third party well in advance of this date.
MASTERING THE CHALLENGES
The requirements for market access of CIoT devices – known as the 3Cs, or connectivity, cyber security and compliance – have increased. Examples of connectivity include seamless communication between CIoT devices and the possibility of upgrades and updates. Cyber security includes protection against malicious attacks that use malware or exploit weak passwords or a lack of encryption.
And where compliance is concerned, manufacturers must observe cyber-security standards and regulations as well as national laws. The topic of cyber security for CIoT products is addressed by the ETSI EN 303 645 standard in the EU and, to some extent, also in the United Kingdom, while in the USA it is governed by the NISTIR 8259 standard. Still other standards apply in India and in other parts of the world such as Australia. To make matters even more complex, different data protection and privacy laws and regulations apply in the USA, Europe and Asia.
INTEGRATING EXTERNAL KNOW-HOW
Manufacturers who comply with all applicable regulations have better chances of long-term success in the IoT industry and will gain the trust of their customers. Even manufacturers of CIoT devices that have in-house cyber security experts are well advised to use third-party services.
TÜV SÜD not only offers support with the implementation of standards and directives; it also performs product-specific risk analyses as well as tests and inspections in the design and development phase. Beyond potential threats to data protection and cyber security, these services also consider functional safety aspects. By adopting certification marks such as “TÜV Cybersecurity Certified” (TÜV CSC), manufacturers demonstrate that their devices offer a high level of cyber security and thereby secure a critical market edge.
Link to white paper: https://www.tuvsud.com/en/resource-centre/white-papers/internet-of-things-for-a-connected-world
Further information by TÜV SÜD addressing the testing and certification of IoT devices can be found at:
https://www.tuvsud.com/en/industries/consumer-products-and-retail/electrical-and-electronics/cybersecurity-for-iot-devices
https://www.tuvsud.com/en/themes/cybersecurity