EU security think tank ENISA looks for IoT security, can't find any

Proposes baseline security spec, plus stickers to prove thing-makers have complied

European network and infosec agency ENISA has taken a look at Internet of Things security, and doesn't much like what it sees.

So it's mulling a vendor's nightmare that the US and UK dared not approach: security regulation - at least the minimal regulation of testing and certification.

In a position paper published Monday, the group says there is “no level zero defined for the security and privacy of connected and smart devices,” no legal guidelines for IoT device and service trust, and no “precautionary requirements in place.”

In other words, to readers familiar with the woe The Register has chronicled over the years, it's an Internet of S**t.

Three vendors, Infineon, NXP, and STMicroelectronics, developed the position paper for ENISA, which it announced here (full PDF here).

The paper reckons IoT security needs bottom-to-top baseline requirements, from simple devices all the way up to complete systems (it cites connected cars and factories as examples of the latter).

Proposals in the paper include European Baseline Requirements for Security and Privacy (currently under development by the Alliance for the Internet of Things Innovation, AIOTI), and the introduction of an EU “Trust Label” for IoT devices.

Also on the top-priority list:

  • Standards and certifications – as well as the baseline, this includes interop testing, mandatory reference levels for trusted IoT solutions, the scalability of security controls and more;
  • Security processes and services need to be evaluated and “adapted to IoT”.

In 2016, Dutch MP Kees Verhoeven called for EU regulation, an idea briefly pursued but abandoned by America's Federal Trade Commission earlier this year, and passed over by the UK's Ofcom in 2015. ®
