Industrial Internet of Things Security Certification in Europe

In the early days of the Internet of Things (IoT) and Industrial Internet of Things (IIoT), the potential of the new technology often overshadowed the security risks. After several incidents involving unsecured IoT devices such as IP cameras and routers, businesses are focusing more on vulnerabilities and how to deal with them. As in many areas that would benefit from greater IT and information security, IoT and IIoT also suffer from a lack of regulation. Although everyone knows that these devices need to be secured, there is no universal approach for doing so, let alone a legal obligation.

Although the draft EU Cybersecurity Act is reputed to address security and certification for the Internet of Things, the proposal is considered by experts to be a toothless tiger that does not adequately address the current issues and future challenges in terms of consumer protection and security on the Internet of Things. For example, the proposed legislation requires security certification of networked products, but this will only be mandatory for products in critical infrastructures. All other products can be certified voluntarily based on the security certification categories low, medium or high. Manufacturers may certify their own product if the product falls under the low category. Similar initiatives that relied on voluntary certification have not had the desired effect.

Currently there is an initiative on tackling the topic at a broader level concentrated around the Hannover Messe Industrie trade event. The TÜV Association has proposed a new security architecture for the Internet of Things and networked industrial products. In view of the continuing threats posed by cyber attacks, Joachim Bühler, Managing Director, TÜV calls upon politicians in Berlin and Brussels to act: "Functionally safe machines, systems or devices can become highly unsafe products with networking." There are still many questions regarding this technology in Germany and within the European Union that have not yet been answered. But they are urgently needed. In 2017, the number of globally networked objects is estimated to reach approximately 27 billion. By 2030, this is expected to rise to 125 billion . According to a report by the German Federal Office for Information Security (BSI), there are more than 800 million malicious programs worldwide, to which 390,000 more variants are added every day. 

Although the European legislator is obliged to ensure a high level of consumer protection for IoT/IIoT products, the current regulatory framework for product safety is incomplete in terms of information security. The TÜV Association believes that the concept of product safety in the European regulatory framework (Product Safety Directive, 2001/95/EC) only covers the aspect of the potential effects of the product (product safety or safety). As far as protection from unauthorized third parties (information security or security) is concerned, there are numerous gaps. Without considering both of these aspects it is practically impossible to carry out a comprehensive risk analysis and ensure that products are both safe and secure.

Not surprisingly, Joachim Bühler suggests strengthening the role of manufacturer-independent certification organizations. And he raises some interesting points: TÜV is not obligated to any manufacturer, it is a well known organization and it is also a seal of quality assurance in countries outside Germany. It also already has the relevant technical expertise or could develop this expertise within the organization. A TÜV seal for IoT security certainly sounds good, but TÜV will first have to define a generally accepted guideline for IoT security. And how such a guideline can be applied to the hundreds of different IoT device classes is also open.

Generally, the TÜV have taken a step in the right direction. It is great importance that an organization with the relevant expertise takes on this issue before hundreds of billions of IoT devices with unknown and potentially insecure configurations are in the wild. However, initiatives such as the IoT Security Forum (IoTSF) may offer a better alternative. Several guidelines for secure IoT devices are already in progress or have been adopted by the IoTSF. From the development cycle to testing and lifecycle management, they cover almost all relevant aspects for integrated IoT information security. The only thing missing is a Europe-wide body that can convert this material into legislation.