The world is changing fast, and you probably try to keep up with all the latest trends. However, how often do you take a step back and look at whether your company is protecting itself and its products from external cyber threats? If you are not being mindful of these topics, it could spell the end of your business.
Why is security important?
As a society we all have an obligation to each other to secure the digital infrastructure we share, and we should be mindful that many mission-critical services today depend on a well-functioning internet.
Everything from banking to health care and social care is now delivered into people's homes over internet-connected devices.
This gives bad actors ample opportunity to disrupt those services or expose our private and confidential information.
Some key things to consider for your company
- How could an attack on our IT infrastructure hurt our company?
- What would happen if an attacker disabled all our connected devices?
- What would happen if the confidential customer information we store were leaked?
How common are cyberattacks?
Cyberattacks occur frequently: several high-profile incidents have taken place this year, and the threat level has risen significantly as the geopolitical situation has changed dramatically.
Recently in Sweden a major attack disrupted services for care providers, and we have seen examples from Europe where attacks on hospitals have tragically led to fatalities.
The EU has long defended people's right to privacy through the GDPR, and the bar is now being raised further to protect us all from the threats posed by individual hackers as well as organized crime and state actors who wish us harm.
New EU requirements, originally set to apply from 1 August 2024 (the application date was later postponed to 1 August 2025), mean that wireless devices in scope must meet cyber security requirements before they can be placed on the EU market. The legal basis is the Radio Equipment Directive (RED, 2014/53/EU), whose general aim is to ensure that radio equipment is safe to use and does not interfere with other equipment; the cyber security requirements come from a delegated regulation (Commission Delegated Regulation (EU) 2022/30) that activates the directive's Article 3(3)(d), (e) and (f), covering network protection, privacy and protection from fraud. They apply to internet-connected radio equipment, whether it connects to the internet directly or through another device such as a gateway, and to wearable radio equipment.
If your product does not meet these requirements it cannot be placed on the EU market, and your company could also face a costly recall of products already on the market if a regulatory authority audits your product and finds it non-compliant. We are also seeing companies increasingly notify the authorities of non-compliance in competing products.
A recent example of a product being recalled for non-compliance with EU regulation is a Norwegian-made electric vehicle charger that was placed under mandatory recall/corrective action by the Swedish regulatory authority Elsäkerhetsverket for not complying with EU standards. That recall was not due to a cyber security issue, but the same level of seriousness will apply in the future when it comes to security.
If your product were to leak sensitive confidential information about a user, your company could also face hefty fines for violating the GDPR, up to 20 MEUR or 4% of global annual turnover, whichever is higher.
Basically, not complying with EU regulations could very well be the end of your company.
Cyber security standards
When choosing which standards to apply, you need to consider carefully the market your product will be sold in.
In Europe, ETSI (European Telecommunications Standards Institute) produces telecommunications standards for the EU market. ETSI's cyber security technical committee (TC CYBER) has published several standards on privacy, safety and security for IoT devices, and ETSI standards are among those most often referenced by EU regulation.
In the US, the National Institute of Standards and Technology (NIST) is the leading standards body; it publishes the Cybersecurity Framework for managing cyber security risk.
What does this mean for your products?
If you have a wireless device on the EU market today, or are developing a new product, you need to get ready. From the application date of the RED cyber security requirements (originally 1 August 2024, later postponed to 1 August 2025) you will need to demonstrate compliance with them. This applies even if your existing product already has a RED declaration of conformity for the radio and EMC requirements.
What do the standards require?
For concrete examples of requirements, browse EN 303 645 and the accompanying technical report ETSI TR 103 621. EN 303 645 sets out baseline cyber security requirements for consumer Internet of Things devices, and TR 103 621 is a guide to implementing them. Note that EN 303 645 is not itself the harmonised standard for the RED cyber security requirements; those are the EN 18031 series from CEN/CENELEC, which draw on similar provisions. EN 303 645 remains a readable illustration of what is expected.
Some examples of requirements in the standards:
- No universal default passwords: a default username and password shared across all devices, such as "admin/password", is no longer acceptable. Passwords must be unique per device or set by the user.
- Your company shall monitor for security vulnerabilities and deliver device updates in a timely manner. This means you need processes for tracking sources such as the CVE (Common Vulnerabilities and Exposures) list for every component you ship, and a published way for researchers and users to report vulnerabilities to you.
- Sensitive security parameters in the device (keys, passwords, personal information) shall be stored securely and tamper-resistantly, preferably in hardware-backed storage such as a trusted execution environment (TEE) or a secure element rather than in plain flash.
- The device shall have a secure update mechanism: every update shall be verified for authenticity and integrity (for example by checking a signature against a vendor public key held on the device) so that an attacker in the network path cannot inject modified firmware.
- The support period of the device (the time during which security patches are delivered) shall be defined, published and communicated to the user.
- Cryptography used by the device shall follow best practice: well-reviewed, current algorithms and protocols with adequate key lengths, and no home-grown or deprecated ciphers, so that communications withstand current attack tools.
- All network, logical and physical interfaces not actively used by the device (unused services, debug ports) should be disabled by default to minimise the attack surface.
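As an added illustration of the secure-update requirement above (this is example code written for this article, not Svep's code and not a reference implementation from any standard), the following Go program shows a vendor signing a firmware manifest with an Ed25519 key at build time and a device verifying the signature, the version and the image hash before installing. The manifest layout, the error names and the installed-version bookkeeping are assumptions made for the example, and the firmware bytes are constructed placeholders, not a real image. It goes one step beyond the list by also refusing to roll back to an older version, which is standard practice even where a standard does not spell it out.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the metadata the vendor signs at build time (assumed layout).
// Signing the manifest rather than the raw image binds the version to the
// image hash and lets the device reject a downgrade before writing anything.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
}

// Encode serialises the manifest deterministically so that the signer and
// the verifier sign and check exactly the same bytes.
func (m Manifest) Encode() []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.ImageHash[:])
	return buf
}

// Update is what the device receives over the network. Whether or not the
// transport is TLS, the signature is what protects it from a tampering proxy.
type Update struct {
	Manifest  Manifest
	Signature []byte
	Image     []byte
}

// SignUpdate runs on the vendor's build server, which holds the private key.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	return Update{Manifest: m, Signature: ed25519.Sign(priv, m.Encode()), Image: image}
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("update version not newer than installed")
	ErrImageHash    = errors.New("image hash does not match signed manifest")
)

// VerifyUpdate is the device-side check. pub is the vendor public key held
// on the device (ideally in immutable or TEE-protected storage) and
// installed is the version currently running.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, u Update) error {
	// 1. Authenticity: was this manifest produced by the vendor's key?
	if !ed25519.Verify(pub, u.Manifest.Encode(), u.Signature) {
		return ErrBadSignature
	}
	// 2. Anti-rollback: a genuinely signed but older image may carry known holes.
	if u.Manifest.Version <= installed {
		return ErrRollback
	}
	// 3. Integrity: the image must be exactly what the signed manifest commits to.
	h := sha256.Sum256(u.Image)
	if !bytes.Equal(h[:], u.Manifest.ImageHash[:]) {
		return ErrImageHash
	}
	return nil
}

// Demo generates a key pair and exercises the four cases a device must handle:
// a good update, a tampered image, a rollback and a forgery with another key.
// Returns the verification result of each case, in that order.
func Demo() []error {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed firmware image v2") // constructed placeholder
	good := SignUpdate(priv, 2, image)
	tampered := good
	tampered.Image = []byte("constructed firmware image v2 + backdoor")
	rollback := SignUpdate(priv, 1, []byte("constructed firmware image v1"))
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignUpdate(otherPriv, 3, image)
	return []error{
		VerifyUpdate(pub, 1, good),
		VerifyUpdate(pub, 1, tampered),
		VerifyUpdate(pub, 1, rollback),
		VerifyUpdate(pub, 1, forged),
	}
}

func main() {
	for i, err := range Demo() {
		fmt.Printf("case %d: %v\n", i, err)
	}
}
```

On a real device the three checks run before the image is committed to the inactive flash slot, and the public key is the item that the secure-storage requirement above is meant to protect: if an attacker can replace it, every other check is moot.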
What else do I need to consider?
If you rely on third-party modules or software, contact your supplier today. Ask about their strategy for complying with the new regulations, and get a cooperation agreement in place for future security updates.
This is especially important for communication modules (2G/3G/4G/5G, Wi-Fi, Bluetooth, Zigbee etc.). An auditor from a test house will require compliance documentation for the firmware inside the module and the agreement with your supplier on how firmware updates will be supported during your product's declared support period.
If you do not know what dependencies you have, ask your R&D department to make an inventory.
Contact an accredited test house to get the process started today; there will be long queues of companies wanting to update their RED compliance, and you do not want to be at the back of the line.
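Once the inventory exists, the routine work is matching it against vulnerability advisories. The Go program below is an added example written for this article, not Svep's tooling; it checks constructed inventory entries against constructed advisory records (the component names, versions and ADV-… identifiers are made-up placeholders, not real CVEs) and shows the per-segment numeric version comparison that a naive string comparison gets wrong (it would call 2.10.1 older than 2.9.0 and miss the affected component).

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Component is one line of the product's software inventory: the module or
// library name and the version actually shipped.
type Component struct {
	Name, Version string
}

// Advisory is a simplified vulnerability record in the shape most advisories
// use: the affected component, the first vulnerable version (inclusive) and
// the fixed version (exclusive). An empty Fixed means no fix exists yet.
type Advisory struct {
	ID, Component, Introduced, Fixed string
}

// parseVersion splits "1.10.3" into [1 10 3]. A non-numeric segment such as
// "rc1" is treated as 0 here; real tooling would handle pre-release tags.
func parseVersion(v string) []int {
	parts := strings.Split(strings.TrimPrefix(v, "v"), ".")
	nums := make([]int, len(parts))
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			n = 0
		}
		nums[i] = n
	}
	return nums
}

// CompareVersions returns -1, 0 or 1, comparing numerically per segment.
// Missing trailing segments count as 0, so "1.2" equals "1.2.0".
func CompareVersions(a, b string) int {
	x, y := parseVersion(a), parseVersion(b)
	for i := 0; i < len(x) || i < len(y); i++ {
		var xi, yi int
		if i < len(x) {
			xi = x[i]
		}
		if i < len(y) {
			yi = y[i]
		}
		if xi != yi {
			if xi < yi {
				return -1
			}
			return 1
		}
	}
	return 0
}

// Affected reports whether a shipped version falls in [Introduced, Fixed).
func (adv Advisory) Affected(version string) bool {
	if CompareVersions(version, adv.Introduced) < 0 {
		return false
	}
	return adv.Fixed == "" || CompareVersions(version, adv.Fixed) < 0
}

// Match returns the advisory IDs that apply to each inventory component,
// keyed by component name, so the result can block a release in CI.
func Match(inventory []Component, advisories []Advisory) map[string][]string {
	hits := map[string][]string{}
	for _, c := range inventory {
		for _, adv := range advisories {
			if adv.Component == c.Name && adv.Affected(c.Version) {
				hits[c.Name] = append(hits[c.Name], adv.ID)
			}
		}
	}
	return hits
}

// Constructed sample data: names, versions and IDs are invented for the example.
var SampleInventory = []Component{
	{"cellular-modem-fw", "2.10.1"},
	{"tls-lib", "1.2.5"},
	{"ble-stack", "4.0.0"},
}

var SampleAdvisories = []Advisory{
	{"ADV-0001", "cellular-modem-fw", "2.9.0", "2.11.0"}, // 2.10.1 is inside the range
	{"ADV-0002", "tls-lib", "1.2.0", "1.2.5"},            // 1.2.5 is the fixed version
	{"ADV-0003", "ble-stack", "3.8.0", ""},               // no fix released yet
}

func main() {
	for name, ids := range Match(SampleInventory, SampleAdvisories) {
		fmt.Printf("%s: %s\n", name, strings.Join(ids, ", "))
	}
}
```

In practice the inventory comes from the build system as a bill of materials and the advisories from a feed, but the matching logic, and the version-ordering pitfall it avoids, are the same.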
How can Svep Design Center help?
At Svep we have extensive knowledge about software and IoT. We have been designing secure IoT devices for over 20 years and have the processes in place to assist you in getting your products ready for certification. We can provide evaluation, documentation, and remediation of software vulnerabilities as well as monitor your product during its life cycle for emerging threats.
Svep also provides IoT solutions to monitor your devices in the field and update them remotely in a secure way.
We have daily contacts with most of the major test houses in the world and can provide the documentation that the auditor needs and make code changes or re-designs if necessary. Svep also has an extensive network of contacts with wireless module vendors, and we are in constant dialogue with them about the evolving legislation.