Endpoint Security, Internet of Things Security, Standards, Regulations & Compliance
How to Truly Secure Internet of Things Devices? ETSI’s Alex Leadbeater Weighs In
Building a secure Internet of Things continues to face hurdles, despite solutions being well-known and achievable.
So said Alex Leadbeater, chair of the European Telecommunications Standards Institute’s Technical Committee Cyber. ETSI maintains European Standard 303 645, a global standard published in 2020 that establishes a cybersecurity baseline for consumer IoT devices.
Among the specifications: avoid default passwords, provide secure software updates and maintain a coordinated vulnerability disclosure program for researchers, followed by those bugs getting patched and fixes pushed to customers.
“Frankly, the ability to keep software updated would have pretty much eliminated the majority of IoT vulnerabilities in the market” anytime over the past decade, if it was being done, Leadbeater said.
Progress is being made, with cybersecurity consultancy Copper Horse last year reporting that one-third of global IoT manufacturers now have a vulnerability disclosure policy, up 12% from the prior year. But clearly more work is required, and upcoming regulations – including Europe’s Cyber Resilience Act – should increase the pressure on manufacturers to do more, Leadbeater said.
In this video interview with Information Security Media Group, Leadbeater also discussed:
- Strategies to boost IoT security, including the role of smart regulations, robust enforcement and ongoing education for both consumers and manufacturers;
- How to advance adoption of secure-by-design frameworks, libraries and software, in part by using a software bill of materials, or SBOM;
- The risk posed by the impending quantum computing “Q-day” to IoT device security.
Leadbeater is chair of ETSI’s TC Cyber, where he has played a key role in driving major cybersecurity standardization efforts and has provided technical expertise and support for law enforcement obligations. He’s also technical security director for the GSM Association, or GSMA, which is the advocacy and lobbying organization for the mobile communications industry, representing more than 750 mobile operators.



