EU agency calls for action on IoT security

The EU Agency for Network and Information Security (ENISA) is calling on the European Commission to define a policy framework ensuring minimal requirements for the security of Internet of Things (IoT) devices, along with the development of mandatory staged requirements for security and privacy, to give stakeholders a “level playing field” in implementing trust into connected devices and IoT systems.

“Currently, there is no basic level, no level zero defined for the security and privacy of connected and smart devices,” says a position paper identifying the key challenges and recommendations. “There are also no legal guidelines for trust of IoT devices and services and no precautionary requirements in place.

“This is why we recommend effective baseline requirements for security and privacy in the network architecture and value chain as a whole — from simple IoT devices up to complex IoT systems like connected cars and factories. Stakeholders need an equal and level playing field to implement trust into connected devices and services.”

The paper — developed with NXP, STMicroelectronics and Infineon — recommends that the European Commission should:

  • Define a policy framework for ensuring minimal security requirements for connected devices — “A European scheme for certification and the development of an associated trust label should be evaluated”;
  • Ensure that reliable security processes and services are being developed to support the industry in implementing security features in the products, such as providing information and training about state-of-the-art security solutions;
  • Encourage the development of mandatory staged requirements for security and privacy in the IoT, including some minimal requirements;
  • Create a level playing field for cybersecurity and look into incentives in order to reward the use of good security practices.

“Trusted solutions and a common defined level for the security and privacy of connected and smart devices is both recommended and needed to allow Europe to reap the benefits of soon to become ubiquitous technologies,” says ENISA’s executive director Udo Helmbrecht.

“As such, standardisation and certification have been identified as a priority to accelerate the level playing field for the entire industry and reflect the trust of citizens, consumers and businesses in the connected environment.”

ENISA is now seeking the support of “more actors in the semiconductor and chip-product manufacturer field, application and service providers” to work further with the industry on establishing the common position.