12
min reading time
The rapid digitization of business operations and the reliance on technology have created a vast attack surface for cyber threats. With the widespread use of interconnected systems, cloud computing, and the Internet of Things (IoT), organizations are more vulnerable to cyberattacks, data breaches, and other malicious activities.
Wireless devices have become integral to our daily lives, from smartphones and tablets to smart home devices and Internet of Things (IoT) devices. These devices connect to the internet and often store and transfer sensitive information or even have access to critical systems, therefore their security is paramount to protecting individuals, organizations, and national infrastructure from cyber threats. With the growing adoption of wireless technologies, the attack surface for cybercriminals has expanded, making it crucial to implement robust security measures. Cybercriminals are becoming more sophisticated, employing advanced techniques like ransomware, phishing, and social engineering to exploit vulnerabilities. Consumer IoT devices cybersecurity involves safeguarding these devices from unauthorized access, data breaches, malware attacks, and other potential vulnerabilities. Failure to do so can lead to compromised personal information, financial loss, and even compromise critical infrastructure.
The Radio Equipment Directive (RED) was introduced in 2014 to establish a regulatory framework for placing any kind of radio equipment on the EU market. Radio equipment can be a variety of goods, from a simple small handheld radio to a complex system used in satellite telecommunication stations for instance. The RED Delegated Act (RED DA) will affect all companies producing radio equipment to be sold on the EU market and states that manufacturers are responsible for cybersecurity throughout the entire lifecycle of the device. While the harmonized standards are not yet published, preparation for compliance can begin now. The delegated act came into force on February 1, 2022, and provided a longer transition period for device manufacturers to get prepared by 1st August 2024. Although the EC may prolong this deadline until August 1, 2025, it is never too early for manufacturers to learn about the cybersecurity requirements for their products. The RED directive aims to establish a certain level of cybersecurity assurance for wireless devices by setting essential requirements (eg. encryption, secure software updates) that manufacturers must comply with before their products can be sold in the EU market. By enforcing such regulations, the Radio Equipment Directive promotes a more secure ecosystem of wireless devices, reducing the risk of cyber threats and also ensuring that manufacturers are accountable for the security of their products, ultimately benefiting consumers and businesses alike.
First of all, I would say telecommunications, since this industry includes mobile phones, smartphones, tablets, wireless modems, and other communication devices, so devices that are used by practically everyone. Another significant area is the healthcare industry. Nowadays, several medical devices use wireless connectivity (e.g. Wi-Fi, Bluetooth, radio frequency), such as remote monitoring systems, wireless medical sensors, and also wearable IoMT (internet of medical things) devices for tracking and transmitting patient data to a remote server to establish a diagnosis or monitor the patient’s health conditions. Many other industries will be affected by the new cybersecurity requirements of the RED. Based on our 10+ years of experience in information security, we have seen companies struggling to understand the new regulations and what it means for the whole organization. The success and effectiveness of a data security testing project always depend on the preparedness of the parties involved. We understand these companies' needs and are ready to lend a helping hand to those who want to be among the first to prepare for the challenges ahead of them. Trying to get a certificate without a dedicated and well-prepared team may take 2 or 3 times longer than expected. We would like to encourage all of these companies to invest into this topic right in time and start with an assessment of where they are at the moment and improvements must be made for compliance. With a professional support team, like CCLab the following steps could be followed before it comes to the actual testing and evaluation project:
- Readiness assessment to provide reliable information on where the company and your products are in terms of fulfilling the relevant requirements.
- Training to make the team aware, so that they can objectively assess where they are and understand what they have to defend against.
- Secure coding, security by design, DevSecOps training. Secure coding training is usually a lot of fun, and developers and IT professionals really enjoy it.
- Education on some basic (baseline) standards and e.g. to test in a hackathon whether the team and the product would meet the requirements for compliance. We are also happy to help organize the above training and hackathons for your team.
- Involvement of a consultant at an early stage, who understands the exact regulatory side and can assess the maturity of the organization, and can make suggestions as to where the processes, team, and tools need to be strengthened in order to produce a secure product.
With the right partner and some of the above steps, you can ensure the whole process ensures success for the whole team and even becomes fun to you developers, rather than becoming a long and exhausting nightmare for your team and your management. As an example from the past, a first cybersecurity evaluation project can be done within 2-3 months instead of 20, after the necessary steps are taken before.
CCLab is ready to help meet existing cybersecurity standards that are likely to form the basis of future harmonized standards of the RED Delegated Act, such as the ETSI EN 303 645 consumer IoT cybersecurity standard and the ISA/IEC 62443-4-2 standard for the industrial components. Same compliance with these relevant standards can also help demonstrate compliance with the relevant RED requirements. As consumer IoT devices and certain types of ICS equipment or medical devices may also be subject to RED, adherence to appropriate cybersecurity standards and practices is essential to compliance. At CCLab, we provide consulting and testing services for both consumer IoT and medical devices and industrial IoT components and after a successful evaluation, we issue a declaration of conformity or certificate.
As the number of connected devices continues to grow exponentially, so does the potential attack surface for cybercriminals. The regulatory landscape for connected device cybersecurity is likely to become more comprehensive and stringent in the future. Luckily more and more government and regulatory bodies are recognizing this and taking steps to address the associated risks so we can expect further development and implementation of regulations specific to connected device cybersecurity. These regulations might require manufacturers to adhere to specific security standards, conduct regular vulnerability assessments, and provide secure software updates throughout the lifecycle of their products. In the EU the European Commission (EC) has developed and implemented regulations to ensure the security and privacy of connected devices. Besides that, the Cyber Resilience Act (CRA), i.e. the EU cybersecurity regulation, proposed by the EC on September 15, 2022, in order to improve cybersecurity and cyber resistance, is an important and forward-looking step forward. This regulation applies to products with digital elements within the EU, mainly hardware and software, but it also includes products that have a direct or indirect data connection to the network. But there are also examples of legal regulation in other countries. In the USA the FTC and the NIST, in the UK the DCMS and the ICO, in Australia, the ACSC, and the OAIC provide guidance and resources for securing connected devices and enforcing data protection regulations. Additionally, as the concept of IoT expands to include critical infrastructure and industries such as healthcare, energy, and transportation, regulations may emerge to ensure the security of these sectors. IEC 62443, the standard for the protection of Industrial Control Systems is a very important global standard for IIoT, practical sectoral additions are still needed here, and it would also be an important international step forward if the IEC adopted ETSI 303 645 the cybersecurity standard for IoT devices. Overall, the future of connected device cybersecurity regulation is likely to focus on proactive measures to mitigate risks, foster collaboration between industry and regulators, and establish frameworks that adapt to the rapidly evolving threat landscape.
It can never be emphasized enough that cybersecurity is crucial for protecting sensitive business information, intellectual property, and personal and customer data. Breaches can lead to significant financial losses, reputational damage, and legal liabilities, but fortunately, more and more industry players, and manufacturers are recognizing this problem and taking it seriously. I would like to emphasize the importance of collaboration between cybersecurity professionals, manufacturers, regulators, and consumers. By working together, we can ensure a more secure digital environment for everyone. The burden of cyber awareness must be taken off the end-users. Ideally, there would only be regulations on the market and products and services that do not pose a threat and cannot be misused. Certainly, individuals also need to learn about cybersecurity best practices and only make purchasing decisions after getting the necessary information about the wireless devices first. After all the emphasis should be on organizations and governments making cybersecurity a priority investments in research and development and products should only be released on the market after the necessary steps are taken. Education on cybersecurity is equally important to create a future where connected devices are secure, reliable, and trustworthy.
----------------------------------------------------------------------------------------
As consumer IoT devices and certain types of ICS equipment may fall under the scope of the RED, adherence to relevant cybersecurity standards and practices is essential for compliance. CCLab is ready to help you comply with the existing cybersecurity standards that are likely to be the basis for the future harmonized standards of the RED Delegated Act, such as
> IoT cybersecurity standard ETSI EN 303 645
> ISA/IEC 62443-4-2 standard for Industrial Control System Cybersecurity
We provide consultation services, training, and organizing hackathons for manufacturers who would like to get prepared right in time. We are already providing actual testing services for both Consumer IoT devices and Industrial IoT components that comply with the RED directive. Our testing services will be enhanced in a short term to accelerate and maximize the efficiency of these projects for those companies that has a wide range of products that need to be tested against baseline cybersecurity requirements for instance. After the successful evaluation, a statement of conformity or certification will be provided as evidence. Together with our partners within QIMA Group, we are offering a one-stop-shop solution to responsible manufacturers.
GET A FREE CONSULTATION HERE
Read and learn more about the Radio Equipment Directive (RED), download our free material now.
Download our ETSI EN 303 635 infographics today and learn about the product certification process for this consumer IoT device cybersecurity standard.
Learn everything you need to know for a successful Common Criteria certification project. Save costs and effort with your checklist.
As cyber threats become more sophisticated, businesses are compelled to implement rigorous protection strategies to stay compliant and secureCertification labs, like CCLab, play a crucial role in supporting businesses with expert testing, assessment and comprehensive compliance services, and specialized training. These labs offer services ranging from security audits to penetration testing, ensuring businesses remain resilient against evolving cyber threats while meeting regulatory standards. This article explores the indispensable role of certification labs, highlighting how they enhance cybersecurity, ensure compliance, and support a safer digital landscape.
9
min reading time
In an era where digital threats grow in complexity and frequency, cybersecurity is no longer a secondary consideration but an essential part of manufacturing operations. Compliance with security standards offers manufacturers a structured approach to managing the growing risks of digital threats and securely handling sensitive data. Compliance also helps companies meet industry regulations, protect intellectual property, and avoid potentially devastating financial losses.
8
min reading time
The Industrial Internet of Things (IIoT) has transformed the manufacturing industry, enabling real-time monitoring, improved operational efficiency, and better decision-making processes. IIoT systems integrate industrial equipment with advanced data analytics and cloud connectivity, creating smarter, more autonomous industrial environments. However, the rise of IIoT systems has also introduced significant cybersecurity challenges. As more devices connect to networks, vulnerabilities and threats in manufacturing systems increase, requiring robust security measures to protect sensitive data and ensure operational continuity.
7
min reading time