The IoT industry is continuously growing, which is best illustrated by the jaw-dropping growth in the number of global IoT devices and sensors to 50 billion by 2022, based on the calculations of Juniper Research. End-users and businesses are increasingly inclined to adopt these smart solutions, as they have proved to reduce costs and increase efficiency over time.
While users and businesses are, in general, fairly aware of the cybersecurity issues they may face on their computers, portable devices and smartphones, they frequently fail to address the same vulnerability issues on their expansive set of IoT devices. As these smart tools form an interconnected web through the internet, their data is exposed to malevolent hackers just like that of any other internet-connected device, which makes them an attractive means for large-scale remote cyberattacks.
As the value of personal data and the importance of data protection are topics that an increasing number of conscious users are considering, users expect the enterprise or manufacturer they choose to represent their interests. However, due to the lack of international or even national legal regulations, manufacturers are still under no pressure to comply with such expectations.
Access to sensitive data, sabotage, and botnets are some of the most common IT security issues that threaten consumers’ and businesses’ day-to-day schedules alike. Unfortunately, in spite of the warnings of security professionals, we can still read numerous horror stories about hacked devices and leaked data in the case of, to name only a few, security cameras, smart home hubs, medical imaging devices, fitness trackers, or utility consumption-measuring smart devices.
These notorious cases undoubtedly erode the level of customer trust and destroy the trustworthiness of the organization, as users’ private lives are intruded upon due to the companies’ unintentional carelessness or lack of knowledge in this field.
Moreover, the way organizations handle and communicate the consequences and their responses, if any at all, can make matters worse. This is because some enterprises lack defined policies or best practices when it comes to the defense of their customers’ data. In other instances they fail to define communication protocols they can turn to in such unforeseen cases. This void of clear communication creates an information vacuum that is most of the time instantly filled with speculation, which can ignite a downward spiral of customer trust and of the company’s reputation.
The source of the problem is that these smart devices are not primarily built with security in mind, while there is barely any incentive for manufacturers to make their devices more resistant to exploitation. Even though this recurring problem is knocking on our doors louder and louder with the rapid expansion of the IoT industry, many organizations still fail to turn their attention from an exclusively profit-oriented approach towards security.
At least this is how it has been so far, until the EU recently acted on this issue and started to regulate manufacturers through the EU Cybersecurity Act (CSA, Regulation (EU) 2019/881), which will undoubtedly change the way manufacturers approach the question of IoT security.
According to the EU Cybersecurity Act, cybersecurity must increase in the field, and a certification framework must be put in place in order for IoT manufacturers to level up their security game and abide by the data protection needs of modern society.
As the official regulation puts it: “The underlying task of ENISA (European Union Agency for Network and Information Security) is to promote the consistent implementation of the relevant legal framework, in particular the effective implementation of Directive (EU) 2016/1148 and other relevant legal instruments containing cybersecurity aspects, which is essential to increasing cyber resilience.”
The Act was issued in 2019, and its aim in the following 5 years is to make every network-connected device comply with the established EU cybersecurity framework. This initiative is a great step towards data security within the Union, and an international opportunity for manufacturers to prove to their consumers that they do care about their online security, thus increasing their trust.
The global cost of online crime is expected to reach $6 trillion by 2021, and it is our unwavering mission to change that fact.
Being a Common Criteria evaluation laboratory and a smart metering evaluation expert company, CCLab plays a leading role in the EU working groups implementing the Act.
While it is still unclear what kind of security regulations IoT devices will need to abide by, what kind of certifications manufacturers will need to obtain, and when, a great example to follow for this process could be Switzerland’s certification approach concerning utility consumption-measuring smart devices.
In the Swiss Electricity Supply Ordinance, the regulations for Smart Metering Environments were standardized in March 2008, setting forth the liberalization of the electricity market in the country. Based on the requirements of the ordinance, the evaluation process needs to be carried out by independent, certified laboratories, such as CCLab, to ensure the highest level of smart metering security.
CCLab is a market leader in helping manufacturers comply with Swiss smart metering and EU smart metering directives. We have been actively involved in the processes of the Swissmig community right from the beginning, working closely together with METAS (Federal Institute of Metrology) on fine-tuning the smart metering evaluation methodology (Die Prüfmethodologie zur Durchführung der Datensicherheitsprüfung für Smart Metering Komponenten in der Schweiz); therefore we are able to deliver results professionally, quickly and effectively.
As soon as the regulatory framework of the EU Cybersecurity Act is enacted, CCLab will become an active contributor to the elevation of customer trust in IoT manufacturers’ products, while indirectly playing a part in securing personal data online.
It has now become a tradition that each year JTSEC, an ITSEC consulting company, publishes the annual Common Criteria Statistics Report, an all-in-one report that collects and analyses all kinds of data on various aspects of the Common Criteria market. We are delighted to share that this year CCLab has made it into the report once again, as we conducted the Common Criteria evaluation projects of two products under the Italian Scheme (OCSI).