Product Testing and Certification

The Growing Imperative of Cybersecurity Standards for Connected Devices

03. July 2024

In recent years, the European Union has experienced a significant increase in cyber-attacks, threatening the security and stability of the digital space. Since 2022, millions of attacks have targeted various sectors and organizations. Particularly concerning is the rise in cyber-attacks directed at connected devices, now integral to daily life and the economy. While exact statistics on attacks targeting these devices may not be available, it is evident they are a prime target for cyber attackers due to their potential for widespread damage.

The first regulatory step in the EU was the addition of Article 3.3 to the existing Radio Equipment Directive RED 2014/53/EU, which sets standards for radio equipment, including connected devices. Originally focused on technical compatibility and radio spectrum efficiency, the directive increasingly emphasizes security. New requirements under this directive take effect on August 1, 2025, obligating manufacturers of connected equipment to demonstrate cybersecurity compliance.

Expected in 2024, the Cyber Resilience Act (CRA) will further bolster security requirements for connected devices, anticipated to come into force by 2027. This legislation will likely mandate a comprehensive approach to digital security, including regular reviews and testing to ensure resilience against cyber-attacks.

A major challenge across the ecosystem is ensuring compliance and understanding the relevant standards. While the regulations outline activities and goals, they do not define specific methods, procedures or standards; those are still in development. However, some key standards have already been established:

  • ETSI EN 303 645: Focuses on cybersecurity for consumer connected devices, setting requirements for data security, communication link security, and user privacy. It is not yet harmonized in the EU; a separate proposed standard, EN 18031, is under consideration.
  • ISA/IEC 62443: A series of standards for industrial automation and control security, covering technical and organizational aspects of information system security comprehensively.
  • IEC/EN 81001-5-1: Addresses cybersecurity of health software and IT systems, ensuring confidentiality, integrity, and availability of health information through risk management, security controls, and compliance measures.

These standards apply across diverse industries such as consumer electronics, automotive, healthcare technology, and industrial automation.

In addition to standards, test methodologies are critical to ensuring the cybersecurity of systems and products. Notably, OWASP (Open Web Application Security Project) identifies common vulnerabilities in digital environments, including IoT, through its OWASP IoT Top 10 list. Effective testing is crucial to detecting and mitigating these vulnerabilities proactively.

More information:
Jože Novak
E-mail: joze.novak@siq.si
Tel.: +386 1 4778 034