European semiconductor makers have agreed on a proposal to standardize Internet of Things (IoT) cybersecurity.
Infineon, Qualcomm-owned NXP, STMicroelectronics, and the EU Agency for Network and Information Security (ENISA) have released a joint proposal to introduce baseline cybersecurity for connected things.
The semiconductor makers agreed that a European scheme for IoT security certification and labelling should be evaluated by the European Commission (EC).
The EC should also encourage the development of “mandatory staged requirements” for IoT security and privacy through new European legislation, the organizations said in a position paper aimed at policy makers as Europe prepares to introduce new IoT cybersecurity laws.
The paper outlines support for the proposed “Trusted IoT” cybersecurity labelling system, akin to Europe’s CE labeling for products sold in the EU. It also supports the introduction of minimum security requirements and standardized security processes and services.
They also want an incentive system to reward IoT device makers that improve cybersecurity and a framework to correct the “market failure” in IoT cybersecurity and privacy reflected by the unwillingness of suppliers and buyers to pay extra for security.
“This weakness creates a severe risk that the European economy is falling behind in its ability to tap into the promising emerging IoT markets,” the chip makers warn.
A recent study by the EC estimated Europe’s IoT market could be worth $1 trillion by 2020, however the EC has acknowledged that difficulties in patching them could undermine this potential.
The commission announced plans in October for new laws that would require companies meet stringent security standards and pass certification tests to guarantee privacy. Officials suggested companies devise a labeling system to convey a product’s level of security and privacy, similar to Europe’s energy efficiency star-rated system. The cybersecurity push is being tied with efforts in Europe to boost mobile and fixed line broadband speeds.
European chipmakers note that there currently is no base level of security, and no legal guidelines for governing IoT device security. Smaller device makers in particular know little about basic security, they said.
“There is a lack of awareness when it comes to security and privacy in IoT. Industry, especially SME, needs to be provided with information about existing security features such as encryption, appropriate key storage, strong authentication, privacy and identity management systems,” the companies said.
The EU’s IoT security agenda is taking shape amid growing concern about connected device security following the Mirai botnet attack on internet infrastructure firm, Dyn, last year, which blocked access to Twitter, Amazon, and dozens of other popular sites.
Germany’s telecommunications regulator earlier this year banned the US-made smart doll Cayla after researchers discovered the toy lacked Bluetooth authentication. The ban was imposed after the regulator deemed the toy a concealed surveillance device under German law due to its camera and microphone being capable of transmitting data without notifying users.
The chipmakers’ proposed baseline includes “mandatory reference levels” for security features, such as authentication and authorization. It wants simple rules for things like thermostats and more sophisticated rules for more complex devices like smartphones.
The proposal suggests Europe create a lightweight version of the existing Common Criteria certification, which is aimed at IT security products. The IoT certification would target connected devices, commercial software, and products with a short life cycle. This would be used in conjunction with the proposed European trust label for connected devices.
To create a level playing field on the table is the idea of mandatory cybersecurity insurance for connected devices as part of the plan to create incentives to improve security.