Most recent
DS/ETSI EN 303 645 V2.1.1:2020
CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements
The present document specifies high-level provisions for the security of consumer IoT devices, that are connected to network infrastructure (such as the Internet or home network) and their relationships to associated services. These relationships encompass both network communications and handling of personal data. A non-exhaustive list of examples of consumer IoT devices include:
• connected children's toys and baby monitors;
• connected safety-relevant products such as smoke detectors and door locks;
• IoT base stations and hubs to which multiple devices connect;
• smart cameras, TVs and speakers;
• wearable health trackers;
• connected home automation and alarm systems, especially their gateways and hubs;
• connected appliances, such as washing machines and fridges; and
• smart home assistants.

Moreover, the present document addresses constrained devices, such as sensors and actuators. Such devices typically have limited ability to process, communicate or store data, or limited user interfaces, which affects security considerations.

EXAMPLE: Window contact sensors, flood sensors and energy switches are typically constrained devices.

The present document provides basic guidance through examples and explanatory text for organizations involved in the development and manufacturing of consumer IoT on how to implement those provisions. Table B.1 provides a schema for the reader to give information about the implementation of the provisions.

Applicability of these provisions depends on risk analysis; this is performed by the device manufacturer and/or other relevant entities and is out of scope of the present document. For certain use cases and following risk assessment, it can be appropriate to apply additional provisions than those contained within the present document. The present document provides a foundation level of security for such higher assurance level use cases.

IoT products primarily intended to be used in manufacturing, healthcare or for other industrial applications are not in scope of the present document.

The present document has been developed primarily to help protect consumers, however, other users of consumer IoT equally benefit from the implementation of the provisions set out here.

Annex A (informative) of the present document has been included to provide context to main clause 4 (normative). Annex A contains examples of device and reference architectures, an example model of device states including data storage for each state and additional description of key stakeholders.
Content Provider
Danish Standards [ds]