IoT cybersecurity everything about ETSI EN 303 645

ETSI EN 303 645 explained - basics, scope, requirements, relation to the RED, testing and certification.

Goal and scope of ETSI EN 303 645

ETSI EN 303 645 was developed specifically for manufacturers of IoT devices to support the implementation of security measures in their products. The standard is relevant for all kinds of IoT devices, from smart home products such as thermostats and cameras to larger systems like connected vehicles. Its primary goal is to minimize security risks and prevent cyberattacks that could be enabled by vulnerabilities in IoT devices.

Key requirements of ETSI EN 303 645

The standard contains a variety of requirements that can be grouped into several main categories:

  1. No universal default passwords: IoT devices must not use default passwords that are easily guessable or identical across all units. Each device should be shipped with a unique password.
  2. Implementation of secure communication: All communication channels used by IoT devices must be encrypted to ensure data integrity and confidentiality.
  3. Secure software updates: The ability to update software securely is a core requirement. This includes mechanisms to authenticate updates and prevent attacks via tampered software.
  4. Storage of personal data: The standard requires that personal data be stored and processed securely to guarantee privacy and data security.
  5. Vulnerability reporting systems: Manufacturers must implement a procedure for reporting and addressing security vulnerabilities so that issues can be resolved efficiently and responsibly.
  6. Minimal exposure of services: IoT devices should only expose the services that are strictly necessary to the outside world to reduce the attack surface.
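The secure-update requirement (item 3) is the one most often implemented badly, so here is an added example in Go of the device-side check it calls for: authenticate the update manifest with the vendor's public key, refuse downgrades, and bind the image to the manifest by its digest. This is not code from the standard or from this page; the manifest format, the key pair and the firmware bytes are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// UpdateManifest is a constructed format: the vendor signs version and image digest together.
type UpdateManifest struct {
	Version   uint32
	ImageHash [32]byte
	Signature []byte
}

// signedBytes returns the exact bytes covered by the vendor signature.
func (m UpdateManifest) signedBytes() []byte {
	buf := make([]byte, 4, 4+len(m.ImageHash))
	binary.BigEndian.PutUint32(buf, m.Version)
	return append(buf, m.ImageHash[:]...)
}

var ErrBadSignature = errors.New("manifest signature invalid")
var ErrRollback = errors.New("update is not newer than the installed version")
var ErrHashMismatch = errors.New("image digest does not match manifest")

// VerifyUpdate is the device-side check: authenticate the manifest with the vendor's
// public key, refuse downgrades, then bind the image to the manifest by its digest.
func VerifyUpdate(vendorPub ed25519.PublicKey, installed uint32, m UpdateManifest, image []byte) error {
	if !ed25519.Verify(vendorPub, m.signedBytes(), m.Signature) {
		return ErrBadSignature
	}
	if m.Version <= installed {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrHashMismatch
	}
	return nil
}

// SignUpdate is the vendor-side counterpart, run offline with the private signing key.
func SignUpdate(vendorPriv ed25519.PrivateKey, version uint32, image []byte) UpdateManifest {
	m := UpdateManifest{Version: version, ImageHash: sha256.Sum256(image)}
	m.Signature = ed25519.Sign(vendorPriv, m.signedBytes())
	return m
}
```

Only when VerifyUpdate returns nil should the image be written to flash; the private key never leaves the vendor's signing environment.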

Importance and impact of the standard

The introduction of ETSI EN 303 645 is an important step toward standardizing security requirements for IoT devices. It helps strengthen consumer trust in IoT technologies and encourages the development of safer products. For manufacturers, complying with this standard not only improves product security but can also serve as a market differentiator, since security is becoming an increasingly important selling point.

Testing and certification of ETSI EN 303 645

IoT devices must meet the baseline security requirements of ETSI EN 303 645 to be considered secure. ETSI TS 103 701 provides the means to assess this compliance. BSI TR-03173 adds specific criteria that improve the quality and accuracy of conformity assessments.

Relationship between ETSI EN 303 645, ETSI TS 103 701 and BSI TR-03173

ETSI EN 303 645 - Cyber Security for Consumer Internet of Things: Baseline Requirements

ETSI EN 303 645 sets the baseline requirements for the cyber security of consumer-oriented IoT devices. It aims to create a security foundation by giving manufacturers guidance on how to design their products securely from the outset (security by design). The standard covers a wide range of devices and includes mandatory security mechanisms as well as additional recommendations that may only be deviated from under specific circumstances.

ETSI TS 103 701 - Cyber Security for Consumer Internet of Things: Conformance Assessment of Baseline Requirements

ETSI TS 103 701 complements ETSI EN 303 645 by providing a test specification for conformity assessment. This specification includes test cases for each security requirement and recommendation from EN 303 645 and offers a methodology to evaluate whether an IoT device meets those requirements. TS 103 701 makes it easier for manufacturers and testing bodies to systematically verify the security properties of IoT devices.

BSI TR-03173 - Amendments for Conformance Assessments

The technical guideline BSI TR-03173 supplements ETSI EN 303 645 and ETSI TS 103 701 by specifying detailed refinements for the conduct of conformity assessments. These refinements aim to clarify the more generic aspects of the standard and the test specification, especially in areas such as usability, which are only informatively covered in the original test specification.

Further information on certification of consumer IoT is available from the BSI: https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Consumer-IoT/Consumer-IoT.html

Relationship between ETSI EN 303 645 and the Radio Equipment Directive (RED)

The Delegated Act to the Radio Equipment Directive (RED) is a binding EU legal act that sets specific security and privacy requirements for radio equipment. In contrast, ETSI EN 303 645 is a technical standard that provides recommendations for the cyber security of IoT devices and is not legally binding.

ETSI EN 303 645 can be used by manufacturers to help meet the requirements of the RED Delegated Act, particularly in the area of cyber security for consumer IoT devices. However, it is specifically aimed at consumer products and may not be suitable for all product types covered by the RED. Manufacturers whose products fall outside this category must consider other standards to fully satisfy RED requirements.

See also the articles "Radio Equipment Directive" and "EN 18031 - The new series of standards for cybersecurity in radio equipment".

Relationship between ETSI EN 303 645 and EN 18031

ETSI EN 303 645 and the EN 18031 standards series complement each other in their approaches to improving the cyber security of connected devices. While ETSI EN 303 645 focuses on consumer IoT devices and defines basic security requirements, the EN 18031 series specifically addresses the cyber security of radio equipment in the context of the Radio Equipment Directive (RED).

The EN 18031 series, consisting of multiple parts, provides detailed technical specifications for various aspects of radio equipment security. It covers topics such as network protection, protection of personal data and fraud prevention. By contrast, ETSI EN 303 645 offers a broader but less specific approach for IoT devices in general.

Manufacturers of IoT devices that are also classified as radio equipment may need to consider both standards. ETSI EN 303 645 can serve as a starting point for basic security measures, while the EN 18031 series adds further, more specific requirements for the radio aspects of a device. Together these standards form a comprehensive framework for the security of connected devices in Europe.