More IoT security in the EU
IT security still receives little attention in internet-connected devices. With the Cybersecurity Act, the EU now wants to enable electronics manufacturers to put internet-connected devices (the Internet of Things, IoT) through a certification procedure. In this paper, Jan-Peter Kleinhans explains why the planned product certification alone will not be enough to improve IT security in the European market. Instead, an information system should be built in addition, in which data on the security of IoT products can be exchanged and continuously updated between companies, regulators, retailers and consumers. The paper also describes how such a system could be set up.
The summary of the paper in English:
Why pre-market certification is not enough and how to fix it
Just looking at Internet routers makes it clear that the Internet of Things (IoT) has a severe IT security problem: global botnets consisting of hacked commercial off-the-shelf (COTS) Internet routers are being used for industrial espionage, to mine cryptocurrencies, to steal online banking credentials, for denial-of-service attacks against websites, or to attack critical Internet infrastructure. The increasing ubiquity of IoT devices, combined with the fact that the market fails to produce reasonably trustworthy and secure IoT devices, was reason enough for the European Union to start regulating this field. The EU Cybersecurity Act (CSA), which is still being negotiated, relies heavily on the interplay between standardization, conformity assessment and market surveillance: consortia of different stakeholders develop technical standards (cybersecurity certification schemes), and manufacturers can use these schemes to certify their devices and thus prove conformity. Product safety has been regulated in a similar way in the EU for decades. The Achilles' heel of this approach is market surveillance, and the CSA currently fails to improve and strengthen this aspect: if regulators allow manufacturers to self-assess their conformity to defined IT security requirements (certification schemes), market surveillance needs the resources and expertise to identify false claims and to sanction bad actors.
Because of its reliance on certification and conformity assessment, the CSA also struggles with the fact that one-time, pre-market certification does not fit well with today's reality of continuous software development: the manufacturer of an IoT device with software-defined functionality has a continuous obligation towards the user to keep this device safe and secure. In order to judge whether and to what extent the manufacturer meets this obligation, users, market surveillance authorities and other stakeholders need up-to-date, accessible information about the current IT security of the device. To this end, the paper proposes a minimal set of supplementary information that should be easily accessible in order to assess how well the manufacturer looks after its devices after the point of sale. This type of information could be made available in several different ways: (1) a central database run by the European Commission, to which manufacturers submit their data, or (2) a decentralized system in which it is the manufacturer's responsibility to maintain a "living document" throughout the product lifetime. Both kinds of system are currently deployed or under development in other areas of regulation. This type of up-to-date information about the security of certified products on the EU Single Market would benefit a variety of stakeholders and significantly strengthen the certification framework proposed by the CSA.