
For the vast majority of consumers, the CE marking is now taken for granted as the sign that industrial products comply with European legislation. A similar approach is emerging at the European level for the security of connected objects.

Tribune by Sylvain Guilley, CTO of Secure-IC and Senior Editor at ISO

 

IoT: Security at the heart of European concerns

Since the invention of chips and the fight for the protection of personal data in the 1970s, Europe in general and France in particular have been territories where computer security is not just an empty concept. European work in this area is a reference worldwide, including in Asia and the United States.

In the context of an ultra-fast deployment of connected objects, especially among the general public, ETSI (i.e. European Telecommunications Institute, the European body responsible for standardization of information and communication technologies) published, in early 2019, the TS 103 645 standard establishing an initial benchmark for “cybersecurity in the Internet of Things”, which led to the EN 303 645 standard in 2020. In total, 13 provisions are set out to ensure the security of connected objects, from baby monitors to home automation systems, including TVs, speakers and connected health trackers.

The provisions are intended to give consumers maximum security when using IoT devices: no default password, automatic updates to fix vulnerabilities (e.g., vulnerabilities detected by independent labs), secure communications, protection of personal data, ease of deleting said data, etc.

 

A declarative but binding label

Over time, consumer information has become essential: in addition to the CE standard, the precise composition of food products, their nutritional score and the energy consumption of household appliances have emerged as essential sources for guiding consumers toward informed choices.

In the context of the security of connected objects, the work undertaken at the European Union level is moving towards the affixing of a label based on a scale, so as to clearly and simply inform consumers about the security levels offered by each object.

While this label would remain purely declarative on the part of the manufacturers, the security level indicated would nonetheless become binding: if an object is proven to fall short on one of the provisions of the standard, the manufacturer could then incur penal sanctions.

 

The consumer as the first ambassador of labelling

The notion of sovereignty, particularly in the industrial and digital fields, is at the heart of today’s debates in a global economy. For States or supranational institutions such as Europe, it is not always easy to impose on foreign manufacturers these standards, which are perceived as barriers to entry into the markets concerned.

While the EU Cybersecurity Act of 2019 is a solid legal basis for European autonomy in cybersecurity, it is the almost daily actions of users that will in fact impose the standards that really apply in a given geographical area. In this context, aided by clear and accessible information in the form of a logo or a scale of values, consumers will have all the power to impose their point of view on manufacturers.

As soon as the “Secure Connected Object” sign appears, which could happen by 2022-2023, consumers will have all the means to put pressure on the ever-growing number of connected object manufacturers. Ultimately, they will influence the entire value chain (device security, cloud security and connectivity security), making it possible to imagine today a reliable and secure end-to-end digital ecosystem for all consumers, in both the professional and private spheres.

 
