The baseline of global consumer cyber security standards for IoT: Quality evaluation

The popularity of the Internet of Things (IoT) devices has been gaining interest amongst consumers. The rise of consumers benefiting from IoT devices has increased the threat of cyber-attacks. The safety, security, and privacy of consumers can be negatively affected if vulnerabilities of IoT devices are exploited. Therefore, there is a need of understanding what within IoT devices is necessary to secure. Further, the implementation of necessary and important requirements is needed to ensure protection against cyber-attacks on IoT devices. The recently published Cyber Security for Consumer Internet of Things (CSCIoT) standard, called ETSI EN 303 645, is a global standard that describes requirements on implementing a minimum level of security for IoT devices. This paper evaluates the sufficiency of cyber security of the consumer IoT standards’ requirements and gradation. The evaluation is done by comparing CSCIoT to the international professional IoT standard, called IEC 62443, and with the other related work, such as the Secure by Design report of the UK Department for Digital, Culture Media & Sport. Also, this paper discusses implications regarding consumer responsibility on security. This paper aims to stimulate more precision and extension of requirements for consumer IoT devices to lower the risk of cyber-attacks