The Internet of Things (IoT) industry is expanding at an incredible pace, with more and more devices coming online every day. While this growth is exciting, it also brings new security challenges. Ensuring the security and privacy of IoT devices is crucial for protecting consumers and their data.

On this episode of the Smarter Everything podcast, we're thrilled to welcome Kirsty Paine, Strategic Advisor of Technology and Innovation at Splunk. Kirsty is one of the most passionate advocates for the new globally applicable standard for IoT security, ETSI EN 303 645. During the episode, she chats with our host Bret Jordan about navigating the controversial arena of security standards for connected devices, and the importance of understanding the evolving standards landscape.

To learn more about the standards discussed in the episode, including EN 303 645, TS 103 701, TR 103 621, and the Cybersecurity Labeling Scheme (CLS), be sure to check out the links listed below. We hope you enjoy this informative and engaging conversation about IoT security and its impact on the future of connected devices.

Here are a few key takeaways from the episode:

  • The ETSI EN 303 645 standard, the first globally applicable standard for IoT security, and its importance for consumer devices
  • How the EU Cyber Resilience Act will impact the state of cybersecurity for products with a digital element
  • The debate between the Singaporean and UK approaches to labeling IoT devices to increase security

Read below for show highlights; listen here for the full episode:

Bret Jordan: Kirsty, it's good to see you. It's been a little bit since we've last spoken. You and I, we've worked together for a long time on various standards initiatives and other things. I know you now work at Splunk, but you used to work as a mathematician and also worked in the NCSC.

Kirsty Paine: I've worked on standards in mostly IoT and internet technologies. But my role in UK NCSC was to horizon scan for things that would impact UK security in 5 to 10 years' time. I've been working in standards because it's a very good place for that forward-looking view. Things being developed in standards bodies today will be deployed maybe in 2 to 3 to 5 years' time, and more widespread after that. So it's a really great place to look to see what technologies are coming down the road that will impact you, your business, and the technology ecosystem.

Bret Jordan: Where is the industry and the market going? Because it does take a long time to produce some of these standards. I think typically it's in the 3 to 5 years, but sometimes it's in the 5 to 7, or 7 to 10-year timeframe.

Kirsty Paine: So maybe one is in the IoT space – actually for ETSI – working on standards that I'll talk about a bit later. And the thing I loved about working on that was the amount of collaboration, the interest that we had from governments, academia, from industry, all piling in comments on this one particular standard.

Bret Jordan: There's a lot of other standards bodies, and sometimes we refer to them as SSOs, or standard setting organizations, or SDOs, standard defining organizations. Which ones have you worked in or which ones do you have familiarity with?

Kirsty Paine: I've worked in ETSI and also the IETF, the Internet Engineering Task Force, which is the standards body that defines the protocols that make the internet work. I chair three groups: (1) DISPATCH, (2) GENDISPATCH, and (3) the Systers group. I've worked a lot in that internet technology space as well as in the cryptography space. So for NIST, going through defining post-quantum cryptography standards, I've been tracking that, not participating, but tracking it very closely. And when I worked in NCSC, we also had colleagues that were following 3GPP and the 5G development standards there.

Bret Jordan: So Kirsty, what do you think, in this smart and connected space – usually in the home – we're starting to see grid-level or even metro-level type connected devices. What standards are you aware of that influence this or impact this space?

Kirsty Paine: I think it is the first globally applicable standard for IoT security, a baseline for consumer devices. And EN 303 645 is such a great standard for that; it covers 13 main areas, everything from minimizing the attack surface to no universal default passwords, keeping your software updated, and having a vulnerability disclosure policy. These are some very simple, basic things that many IoT devices today are not doing.

Bret Jordan: Yeah, I think we can see the impact that we sometimes refer to as the “Apple effect”. For a long time, you had NetWare, Novell NetWare, and then you went to the Windows ecosystem, and then all of a sudden, Apple started to produce iPods and iPhones and then these tablets, iPads, and they started finding their way into the enterprise. Then all of a sudden, you had to start changing your security process and policies to deal with these executives who were bringing in these devices. And I can see the same thing happening in the connected space.

Kirsty Paine: Oh yeah, and it's covering those most common attacks as well. So it's always nice to say, "Oh, theoretically, if I could create a hash that would collide," and that's quite a niche attack really. We're talking about devices that still ship with an "admin/admin" username/password. We're talking about really washing that rubbish out and selling just a basic level of hygiene. And even if you're not super into your tech, if you have home cameras installed, smart doorbells, smart locks, all kinds of consoles and things connected, it quickly adds up. So it has the potential of a huge multiplier effect.

Bret Jordan: We've talked a lot about EN 303 645. So just to recap quickly, what is it, what would our listeners need to understand about it, and why is it important?

Kirsty Paine: It's a security standard for IoT devices, in the consumer space specifically. So why would you care about it? It's a list of 13 key provisions and areas that together set out a very important cybersecurity baseline for consumer IoT devices. So if you're in the IoT space and you haven't seen the standard yet, I really think now's the time. Go and search for it, EN 303 645. It'll pop right up. It's free, it's openly available, and anyone can read it and see if they meet those provisions today.

Bret Jordan: One other topic in this vein is the standardization work, and how standards relate to regulations. And stretching that thread a little bit, how is it going to impact the state of smart and connected things, or maybe even the Cyber Resiliency Act and stuff like that?

Kirsty Paine: Yeah, so for security and for IoT security, things need to be secure; but ultimately, that's a slowdown to the market and a cost for a lot of businesses, plus the market wasn't well incentivized. So in the UK, legislation was introduced that you cannot sell your product if it doesn't meet a certain level of security. So you introduce a driver and a motivating factor that changes the way the market views IoT security. And in the UK, the legislation aimed to look at three provisions in the EN 303 645 specification and mandate that there can be no default passwords, that there is a vulnerability disclosure policy, and that software is updated. So that's a bit of an idea that regulation does draw inspiration from standards.

You mentioned the EU Cyber Resiliency Act. That's a very hot topic right now, fresh off the press. I think it's mid-September that the Commission EU launched their request for comments and inputs. The Act is really about addressing vulnerabilities and ensuring the security of products with a digital element. That includes IoT, but also covers software.

Bret Jordan: You mentioned working with DCMS in the UK. When you were working on some of these standards, did you work with Ofcom as well? How did you interface there? Obviously, in the secret squirrel clubs, I don't know how much of that you actually worked with the regulators in the UK.

Kirsty Paine: Yeah, so DCMS is a really interesting department in the UK. And for those who don't know, that stands for the Department for Digital, Culture, Media & Sport. It's quite a broad remit, and I used to say they're the department of the citizen, looking at things the average citizen cares about. They care about TV, film, sports, and their digital products. So that's why a lot of this stuff ended up with DCMS. And Ofcom is the regulator, which is part of DCMS. They also have the Information Commissioner's Office, which is the regulator that looks at data protection, data breaches, and things like that. So it's very nice to have joined the government in this space. And the digital part of DCMS is who I worked with, but they're a completely separate government department and just interested in legislation. They need technical support from NCSC to make sure the legislation is achievable and realistic. That's where we link in.

Standards and schemes mentioned in the episode:

  • ETSI EN 303 645: Cyber Security for Consumer Internet of Things: Baseline Requirements (the 13 provisions discussed above)
  • ETSI TS 103 701: Cyber Security for Consumer Internet of Things: Conformance Assessment of Baseline Requirements (how to test a device against EN 303 645)
  • ETSI TR 103 621: Guide to Cyber Security for Consumer Internet of Things (implementation guidance for EN 303 645)
  • CLS (Cybersecurity Labeling Scheme), the Singapore Cyber Security Agency's consumer IoT labeling scheme
  • UK Parliament Bill 3069