The European Commission is drafting new security regulations for Internet of Things devices to boost consumer confidence in technology that is proving incredibly difficult to keep secure.
The new rules would introduce a European certification and labelling system to counter cybersecurity risks and ensure confidence in IoT devices as Europe moves forward with plans to boost internet speeds over the coming decade.
As Euractiv reports, the certification program for IoT devices would be similar to Europe’s existing energy efficiency rating system for white goods and electronics. The aim would be to encourage privacy and security by requiring companies to meet defined security standards and undergo a rigorous certification process.
The proposal was highlighted at a conference in Brussels by EU digital policy chief Günther Oettinger’s deputy head of cabinet, Thibault Kleiner.
The plan comes amid heightened concerns over IoT security following the massive distributed denial of service attack on security writer Brian Krebs’ website. The attack, which peaked at 620 Gbps, was launched from a botnet of some 380,000 compromised IoT devices, such as DVRs shipped with default credentials. It caused some head-scratching because it was too large even for content delivery giant Akamai to absorb the cost of mitigating. Google’s Project Shield, which aims to protect free expression from DDoS attacks, stepped in to take the site under its protection.
Details of the certification system were floated with an IoT alliance created last year that consists of Bosch, Philips, Cisco, Nokia, Siemens, Samsung, and several major European carriers. The alliance’s broad goal is to prevent privacy- and security-related trust issues from slowing the adoption of IoT technologies in the way those same issues hampered cloud adoption by European businesses.
The proposed “Trusted IoT Label” the European Commission is looking at would give consumers “transparent information about different levels of privacy and security” as well as details about compliance with Europe’s security directive.
The EU’s network and information security agency, ENISA, has given thought to the challenges of such a label, recently noting that there is no existing EU-wide framework for certifying the security of IT products. Any such framework would need to span chipsets, operating systems, connected devices, interfaces, and links to the cloud.
There are, for example, no measures to detect whether a vendor is cheating a certification by shipping a different product from the one that was evaluated. On the other hand, Europe does have well-established certification processes under the CE marking program and the energy rating system on which a security label could be modelled.