The EU Agency for Network and Information Security (ENISA), together with industry, recently reached a common position on cybersecurity that reflects the concerns of industry and provides a set of suggestions for policy makers.
Their paper focuses on four main areas actively debated at the EU level: standardisation and certification, security processes and services, security requirements and implementation, and the economic dimensions.
Key challenges and recommendations identified for the European Commission
- Define a policy framework for ensuring minimal security requirements for connected devices. The development of European security standards needs to become more efficient and/or adapted to new circumstances related to Internet of Things (IoT). Based on those requirements, a European scheme for certification and the development of an associated trust label should be evaluated.
- Ensure that reliable security processes and services are being developed to support industry in implementing security features in their products (e.g. through providing information and training about state-of-the-art security solutions).
- Encourage the development of mandatory staged requirements for security and privacy in the IoT, including some minimal requirements. These common principles should be considered in future revisions and new legislative initiatives.
- Create a level playing field for cybersecurity and look into incentives similar to the Digital Security Bonus in order to reward the use of good security practices.
“Trusted solutions and a common defined level for the security and privacy of connected and smart devices is both recommended and needed, to allow Europe to reap the benefits of soon to become ubiquitous technologies. As such, standardisation and certification have been identified as a priority, to accelerate the level playing field for the entire industry and reflect the trust of citizens, consumers and businesses in the connected environment,” said ENISA’s Executive Director Udo Helmbrecht.
“Pervasive connectivity over the Internet of Things means that security is becoming an important issue for just about all citizens – whether they be using a computing device, TV or washing machine. The European policy framework is set to define easy-to-use measures that will give industry the guidance it requires and consumers the transparency they need,” said Dr. Stefan Hofschen, Division President Chip Card & Security at Infineon Technologies. “On the product side, security solutions based on certified, hardware security trust anchors are already available today to serve the increasing security requirements.”
“The growth in IoT and connected devices creates a tremendous amount of opportunity for businesses and consumers. How the industry comes together, agrees on common principles to address complex concerns like security, can break down the barriers of adoption and is key to fostering this market,” said Rüdiger Stroh, Executive Vice President & General Manager of Security and Connectivity at NXP Semiconductors. “Security and privacy by design, a proven approach that grew business streams for mobile phones, cars and wearable manufacturers, help build trust between businesses and consumers. Our vision is to help grow the IoT market and bring this quality of security to other IoT applications.”
“This initiative will increase the much-needed awareness for security in IoT devices and organize a collective effort to establish important standards to help deliver it, which will ultimately bring big benefits to consumers and businesses,” said Marie-France Florentin, Group Vice President & General Manager of Secure Microcontroller Division at STMicroelectronics. “With its long history and valuable expertise in embedded security, ST is in a strong position to make vital contributions to this key framework.”
The common position was developed by Infineon, NXP, and STMicroelectronics, supported by ENISA. The Agency aims to work further with industry and seeks the support of more actors in the semiconductor and chip-product manufacturer field, as well as application and service providers.