STE WILLIAMS

EU security think tank ENISA looks for IoT security, can’t find any

European network and infosec agency ENISA has taken a look at Internet of Things security, and doesn’t much like what it sees.

So it’s mulling a vendor’s nightmare that the US and UK dared not approach: security regulation – at least the minimal regulation of testing and certification.

In a position paper published Monday, the group says there is “no level zero defined for the security and privacy of connected and smart devices,” no legal guidelines for IoT device and service trust, and no “precautionary requirements in place.”

In other words, to readers familiar with the woe The Register has chronicled over the years, it’s an Internet of S**t.

Three vendors, Infineon, NXP, and STMicroelectronics, developed the position paper for ENISA, which it announced here (full PDF here).

The paper reckons IoT security needs bottom-to-top baseline requirements, from simple devices all the way up to complete systems (it cites connected cars and factories as examples of the latter).

Proposals in the paper include European Baseline Requirements for Security and Privacy (currently under development by the Alliance for the Internet of Things Innovation, AIOTI), and the introduction of an EU “Trust Label” for IoT devices.

Also on the top-priority list:

In 2016, Dutch MP Kees Verhoeven called for EU regulation, an idea briefly pursued but abandoned by America’s Federal Trade Commission earlier this year, and passed over by the UK’s Ofcom in 2015. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/05/23/enisa_proposes_internet_of_things_security_standards/
