ETSI Releases the World's First Cybersecurity/Privacy Protection Standard for IoT Products



22 October 2020 | Product Security

Today, as more and more consumer IoT products connect to the Internet or to home networks, the prevalence of smart devices in the home keeps rising. Many of these devices may contain security vulnerabilities, and cybersecurity has become a growing concern. In response, the Cyber Security Technical Committee of the European Telecommunications Standards Institute (ETSI) published ETSI EN 303 645, a cybersecurity/privacy protection standard for Internet of Things (IoT) products, in June 2020. It establishes a security baseline for consumer IoT products and helps prevent large-scale, widespread attacks on smart devices. ETSI EN 303 645 is also expected to become the evaluation standard for EU IoT product certification.

To explain every aspect of this new standard, we invited TÜV Rheinland's information security experts to walk you through it.

What is ETSI EN 303 645?

ETSI EN 303 645, the cybersecurity/privacy protection standard for IoT products, was developed by the European Telecommunications Standards Institute in collaboration with industry, academia and government. It aims to provide an effective, baseline assessment method that limits the ability of cybercriminals to take control of devices worldwide to launch DDoS attacks, mine cryptocurrency or spy on users' homes, and reduces the likelihood of personal data breaches.

The publication of ETSI EN 303 645 can effectively stop these attacks and substantially raise the cybersecurity and privacy protection of IoT products.

Which IoT products does ETSI EN 303 645 apply to?

ETSI EN 303 645 covers a very wide range of IoT products. Examples include connected children's toys and baby monitors, smoke detectors, door locks, smart cameras, smart TVs and speakers, IoT gateways, smart wearables, smart home appliances and other consumer IoT devices.

What provisions and clauses does ETSI EN 303 645 contain?

The standard addresses two aspects of product cybersecurity: cybersecurity provisions and data privacy protection clauses. It focuses on technical controls and organisational measures that counter cybersecurity deficiencies, address basic attacks that target weaknesses and vulnerabilities, and achieve the standard's baseline level of cybersecurity.

ETSI EN 303 645 covers the following:

Cybersecurity provisions

• Security of universal default passwords

• Management and handling of vulnerability reports

• Software updates

• Secure storage of sensitive security parameters

• Secure communication

• Minimising the exposed attack surface

• Protection of personal data

• Software integrity

• System resilience to outages

• Examination of system telemetry data

• Making it easy for users to delete user data

• Making installation and maintenance of devices easy

• Validation of input data

Data protection clauses

• Privacy statement

• Requesting consent

• Withdrawing consent

• Data minimisation when collecting telemetry data

• Information to be provided to users when telemetry data is collected

This is the first global standard for consumer IoT product cybersecurity and will help strengthen consumer confidence in the security of IoT products. For consumer IoT products, meeting the requirements of ETSI EN 303 645 is both an important compliance activity and preparation for obtaining EU cybersecurity certification. Beyond the EU, many countries are also referencing the standard, and some are adopting it to varying degrees.

TÜV Rheinland Cybersecurity/Privacy Protection Design Certification

Based on the product and its technical documentation (security description and architecture, user guide, etc.), TÜV Rheinland performs technical verification through penetration testing against the requirements of ETSI EN 303 645, and finally provides the customer with a product conformity report and certificate, as well as the TÜV Rheinland certification mark.

Obtaining TÜV Rheinland's Cybersecurity/Privacy Protection Design Certification helps strengthen consumer confidence in the security of consumer IoT products. For consumers who are not familiar with the technical details of wearable IoT devices and IoT products, the certification confirms that a product complies with cybersecurity and privacy protection standards and helps them easily decide which products are worth buying.


For further information, please contact Ms. Irene Chuang, Industrial Services and Information Security: irene.chuang@tuv.com