The good news is that we have a new standard for assessing cybersecurity requirements at our fingertips. But unfortunately, even this standard will not provide a presumption of conformity.
But first things first:
Currently, the most important standard for assessing the cybersecurity of consumer IoT (Internet-of-Things) devices is ETSI EN 303 645 V2.1.1 (2020-06) (Basic Requirements). This standard was originally developed by ETSI and is now managed by ETSI, CEN and CENELEC under a joint agreement.
On March 22, 2022, a "vertical" and thus product-specific standard appeared – ETSI TS 103 848 V1.1.1 (2022-03) – which addresses the above-mentioned basic requirements and tailors them to home gateways.
Home gateways are found in almost all households with Internet access. The gateway is the interface to the outside world, i.e. to the Internet Service Provider (ISP) that provides the Internet access. On the inside, its WLAN or LAN interfaces connect our end devices to the Internet.
The provisions listed in this document are supported by a preceding threat analysis according to ETSI TR 103 743, which addresses attacks from the outside (WAN, ISP) and from the inside (LAN). Other routes to compromise (e.g. via the supply chain) are not addressed there.
To put the news presented here in context, let's travel back in time a few months.
RED 2014/53/EU - Essential requirements of Article 3, paragraph 3(d), (e) and (f)
On January 12, 2022, the activation of additional essential requirements for radio equipment was announced in the Official Journal of the European Union (L7:2022); they become mandatory on August 1, 2024.
In addition to the already known essential requirements on health and product safety in Article 3 (1) (a), electromagnetic compatibility in Article 3 (1) (b) and radio spectrum in Article 3 (2), three subparagraphs of Article 3 (3) are now activated.
The subparagraphs with the letters d, e and f define - in brief - protection of the network from harm (d), the protection of personal data and privacy (e) and protection against fraud (f). In practice, the latter point applies, for example, to the secure transfer of money, monetary assets or virtual currencies.
Harmonized Standards and OJEU Listing
For market access in the European Union, harmonized European standards (hEN) are the preferred instrument; they acquire their presumption of conformity by being cited in the OJEU. Applying a hEN gives presumption of conformity with an essential requirement of a directive (or regulation).
However, the ETSI standards presented above do not meet the requirements of a harmonized European standard (hEN) and will therefore not be cited in the OJEU.
We are currently in a preliminary phase of standards development. The challenge is to draft standards that state objective requirements and verify them by functional tests. Any subjective (non-specific or non-verifiable) requirement in a standard will prevent its citation in the OJEU.
The suitability of a standard is evaluated by an appointed expert (HAS consultant). A six-page checklist serves as the basis for this evaluation, although the objectivity of requirements described above accounts for only one item (4.5) on that checklist.
It is by no means guaranteed that the required objective and testable requirements can be found in the near future. Moreover, there is currently no mandate from the EU to commission one of the standards organizations mentioned (ETSI, CEN or CENELEC) to develop such a standard.