EU security agency Enisa has teamed up with industry players to produce a new position paper on IoT security which urges policy makers to establish baseline security standards for connected devices.
The report was produced in partnership with semiconductor firms Infineon Technologies, NXP Semiconductors and STMicroelectronics.
It paints the picture of a market that has failed on cybersecurity and privacy, where trusted solutions carry such a premium that many IT buyers decline to pay extra for more secure products.
The resulting lack of trust, and the weaknesses this situation has created, mean the European economy is failing to tap emerging IoT markets, creating a barrier to jobs and growth, the report claimed.
To correct this, the report recommended the following:
“The European Commission should define a policy framework for ensuring minimal security requirements for connected devices. The development of European security standards needs to become more efficient and/or adapted to new circumstances related to IoT. Based on those requirements a European scheme for certification and the development of an associated trust label should be evaluated.”
That’s not all. The report also called for the creation of an industry “level playing field”, with governments integrating the standards into their procurement policies and insurance companies offering a “Digital Security Bonus” as a reward for implementing best-practice security solutions.
“Trusted solutions and a common defined level for the security and privacy of connected and smart devices is both recommended and needed, to allow Europe to reap the benefits of soon to become ubiquitous technologies,” argued Enisa executive director, Udo Helmbrecht. “As such, standardization and certification have been identified as a priority, to accelerate the level playing field for the entire industry and reflect the trust of citizens, consumers and businesses in the connected environment”.
Mark Noctor, VP EMEA at IoT security firm Arxan Technologies, welcomed the calls for minimum security standards for IoT.
“While there has been some strong initial work in creating standards and guidelines, such as the FDA’s efforts on connected medical devices in the US, there are still no regulatory or legal guidelines that can be enforced and the approach is extremely fragmented,” he added.
“Different applications have their own considerations, but we believe the priority is a universal set of basic guidelines that apply to all devices with connective capabilities, regardless of industry and function. At a minimum, they should be protected from unauthorized access, and be able to detect and defend against attempts to tamper with their code to subvert them for malicious activity.”