Information security requirements for smart devices: are companies ready?

Information security now!

The information security of smart devices raises questions among device manufacturers, retailers and consumers alike. At the end of 2019, Finland introduced the Cybersecurity Label, a voluntary label awarded to secure smart devices. Voluntary and mandatory requirements for smart devices are currently also being discussed at EU level.

Cybersecurity Label is issued by the Finnish Transport and Communications Agency

The National Cyber Security Centre at the Finnish Transport and Communications Agency (Traficom) has for some time observed shortcomings in the information security of connected consumer devices. This is partly why, in 2019, Traficom became the first government authority in the world to launch the Cybersecurity Label, a voluntary labelling scheme signifying the information security of smart devices. Discussions about information security requirements for smart devices have also progressed rapidly in the EU, which is currently looking into both voluntary and mandatory requirements.

These days, nearly all consumers use at least some smart device. The growing number of devices and their wide range of uses are creating an ever stronger need to ensure that products are secure.

“Information security in smart devices for consumers has for a long time been poor, and no widely accepted information security requirements have been set. This is fortunately about to change in Europe, and device manufacturers should prepare for the new requirements,” says Chief Specialist Juhani Eronen from Traficom.

The importance of security in smart devices is recognised globally. For example, shortly after Finland, Singapore introduced a four-level Cybersecurity Labelling Scheme that was presented at the Traficom webinar by Henry Tan, senior assistant director at the Cyber Security Agency of Singapore. In his presentation, Tan emphasised the international challenges faced by companies and the importance of the mutual recognition of certificates.

Just like Traficom’s Cybersecurity Label, the Cybersecurity Labelling Scheme established in Singapore is based on the standard ETSI EN 303 645, which, at the time of its publication in June 2020, was the world’s first standard setting requirements for information security in IoT devices in the consumer market. The standard was presented at the webinar by one of its authors, Kirsty Paine from the UK National Cyber Security Centre. Paine described the standard as an innovative, flexible and simple approach that has influenced many certification and accreditation schemes since its publication.

Signify, the manufacturer of the Philips Hue smart lighting solution, has been awarded cybersecurity labels in Singapore and in Finland. Application Security Manager Barbara Oosterfeldt from Signify summarised her view on the current situation: "IoT Security labelling and certification is an important first step to security of IoT devices, but a lot of work needs to be done to have basic security implemented in all IoT devices globally."

Security expert Mikko Hyppönen from F-Secure summarised the webinar discussions as follows: "The IoT revolution is barely beginning. Eventually, almost everything that uses electricity will be online. Whether they are online securely or insecurely is up to us."

The Finnish Transport and Communications Agency Traficom organised an international webinar on information security in smart devices on 26 May 2021.

Enquiries

Saana Seppänen, Senior Specialist, tel. +358 29 539 0485, saana.seppanen@traficom.fi

Juhani Eronen, Chief Specialist, tel. +358 29 539 0546, juhani.eronen@traficom.fi