TÜV SÜD has released a new white paper explaining to manufacturers the significance of cyber security for consumer Internet of Things (IoT) devices, as well as the challenges manufacturers are currently facing.
The white paper, “Internet of Things (IoT) for a connected world. IOT Cyber Security – Threats and Regulations”, explores the topic for manufacturers; in it, TÜV SÜD provides information on applicable standards and illustrates how to ensure successful global market access.
The paper stated that although they offer convenience and accessibility, IoT devices are vulnerable to cyber risks.
Although potentially providing significant avenues for energy savings and prosumer capability, such products attract potential data security and privacy risks. And if they are insufficiently protected, manufacturers may be held accountable.
As the demand for IoT devices expands, so too do the associated risks, because potential vulnerabilities or design errors in devices become more significant. “In 2020, 11.7 billion connected IoT devices were in active use worldwide, and this figure is expected to rise to 30 billion by 2025”, stated Florian Wolff von Schutter, head of Cyber Security for CIoT (Consumer IoT) Devices at TÜV SÜD Product Service.
“Unfortunately, market growth is matched by rising loss resulting from cyber-crime, which is expected to cost the world more than $10 trillion by 2025”.
EU Radio Equipment Directive imposes stricter requirements
According to the EU Commission, over 80 % of all cyber-attacks target wireless devices. The EU Commission’s delegated act of the Radio Equipment Directive 2014/53/EU has thus imposed stricter cyber security requirements for these devices, including smartphones, tablets, electronic cameras and wearables such as smartwatches and fitness trackers, but also toys and baby monitors.
The regulation was published on 12 January 2022. By the end of the transition period on 1 August 2024, the manufacturers of IoT devices must have established suitable measures to protect privacy, reduce fraud risks and safeguard the stability of the network. Since there have been no harmonised standards in this area so far, manufacturers are advised to take steps to have their products assessed by an independent third party well in advance of this date.
Mastering the challenges
The requirements for market access of CIoT devices – known as the 3Cs, or connectivity, cyber security and compliance – have increased. Examples of connectivity include seamless communication between CIoT devices and the possibility of upgrades and updates. Cyber security includes protection against malicious attacks caused by malware or based on weak passwords or lack of encryption.
And where compliance is concerned, manufacturers must observe cyber security standards and regulations as well as national laws. The topic of cyber security for CIoT products is addressed by the ETSI EN 303 645 standard in the EU and, to some extent, also in the United Kingdom, while in the USA it is governed by the NISTIR 8259 standard, and still other standards apply in India and on other continents such as Australia. To make matters even more complex, different data protection and privacy laws and regulations apply in the USA, Europe and Asia.
The white paper stated that manufacturers who comply with all applicable regulations have better chances of long-term success in the IoT industry and will gain the trust of their customers.
Even manufacturers of CIoT devices that have in-house cyber security experts are well advised to use third-party services.