Internet of Things is missing horizontal cybersecurity standards

A report released by trade association DigitalEurope on Wednesday (8 September) underlined the lack of baseline cybersecurity requirements

By: EBR - Posted: Wednesday, September 8, 2021

"Vulnerability to cyberattacks is growing, as the number of devices connected through the Internet of Things (IoT) in people’s homes and everyday lives rapidly increases."

by Molly Killeen*

A report released by trade association DigitalEurope on Wednesday (8 September) underlined the lack of baseline cybersecurity requirements, saying the existing rules were insufficient and calling for horizontal regulation as the EU is working on updating its cybersecurity legislation.

Vulnerability to cyberattacks is growing, as the number of devices connected through the Internet of Things (IoT) in people’s homes and everyday lives rapidly increases.

A recent test by ethical hackers at Euroconsumers found that an alarmingly high number of commonplace smart home devices such as WiFi routers, baby monitors and alarm systems suffer from serious weaknesses, leaving them susceptible to what could be very sensitive breaches.

According to DigitalEurope’s report, however, existing product legislation falls short when it comes to addressing cybersecurity.

“Because its scope and conformity assessment methods are generally designed to address physical product functions, existing product legislation cannot properly address administrative or organisational aspects, which are more prominent and common to more types of devices,” it said.

In December last year, as part of its new EU Cybersecurity Strategy, the European Commission launched a proposal to revise the cybersecurity standards set in the Network and Information Security (NIS) Directive, the first EU-wide legislation on the topic.

The new legislation, so-called NIS2, is intended to strengthen and expand upon its predecessor in regulatory scope and volume, responding to a general rise of cyber threats but also to growing vulnerability caused by the pandemic-induced increase in dependence on network and information services.

The current state of cyber resilience is a “vicious circle” of dealing with consequences and mitigating threats that risks “undermining trust in the digital ecosystem and preventing us from taking full advantage of technology”, Klara Jordan, chief public policy officer at the Atlantic Council’s Cyber Peace Institute, warned at a recent cybersecurity conference.

Harmonised and horizontal measures

The experts surveyed for DigitalEurope’s report overwhelmingly cautioned that cybersecurity should not direct its focus wholly, or primarily, towards product-related features such as passwords, emphasising instead that in order for protections to be sufficient, organisational requirements must be accounted for.

The report notes that current EU product rules are based on physically verifiable factors such as a product’s electrical properties or the materials it is built with, which cannot be adequately applied to something intangible like cybersecurity.

Another issue is the fact that verification currently occurs at the moment a product is placed on the market, without leaving room for continuous monitoring throughout its lifecycle, something which is necessary to stay ahead of evolving cybersecurity threats and vulnerabilities.

Given the high proportion of common product and organisational baseline cybersecurity requirements, those consulted by DigitalEurope agreed that defining these requirements for connected devices is crucial to ensuring their overall security.

Putting in place horizontal regulation in this area, the report said, is a key way to ensure a sufficient link between legislation and standards, and to harmonise requirements between different products and in different areas. Existing product legislation, it cautioned, is insufficient.

Bart Groothuis, the rapporteur for the NIS2 directive, told EURACTIV that the kind of horizontal legislation called for in the report was much needed, but did not fit within the current NIS2 proposal, an issue he said he had raised with the Commission on a number of occasions.

“The EU Cybersecurity Strategy would be incomplete without such horizontal legislation”, he said. “The Commission should launch proposals in the shortest possible time frame.”

If existing product legislation is used to address cybersecurity, DigitalEurope said, it should be limited to basic requirements and repealed once horizontal regulations enter into force.

Hackable Homes

The research by Euroconsumers demonstrates how these risks could impact consumers on a very personal level.

As part of their “Hackable Home” project, two ethical hackers tested 16 widely available smart home devices made by both well- and lesser-known producers and discovered 54 vulnerabilities overall. In 10 of the devices trialled, at least one of the weaknesses detected was classed as “high severity” or “critical”.

“The results are alarming,” Els Bruggeman, Euroconsumers’ Head of Policy and Enforcement, said. “Manufacturers must do more. This is crucial to create consumer trust that will allow the whole Internet of Things ecosystem to flourish. If it isn’t safe and secure, it isn’t going to happen.”

The findings echo concerns raised by other groups and experts over the potential risks found in many smart devices currently on the market. In many cases, passwords prove the weak point, especially where devices arrive from the factory with default login details that users often do not go on to change.

A study by UK-based consumer group Which? earlier this year detected 2,435 malicious attempts to log into devices with weak default usernames and passwords in a fake “smart home” over the course of just one week.

*first published in: www.euractiv.com
