‘Buy smart, not blind’

Finland has launched a cybersecurity labelling system to inform consumers of the IoT products that meet digital safety standards.

The move is aimed at promoting secure-by-default IoT product lines and spreading awareness of the dangers associated with increased connectivity, said the Finnish Transport and Communications Agency, Traficom, making the announcement yesterday (November 26).

Seal of approval

The labelling initiative, which began development late last year, will see a stamp placed on every smart device that adheres to Finland’s cybersecurity safety guidelines.

A website is also available for vendors to become certified with the security badge, and for consumers to make informed purchases.

The implementation of the consumer safety initiative has been led by the National Cyber Security Centre Finland (NCSC-FI) and industry partners such as telecommunications firm DNA and smart device manufacturers Cozify and Polar Electro.

“The security level of devices in the market varies, and until now there has been no easy way for consumers to know which products are safe and which are not,” said Jarkko Saarimäki, NCSC-FI director at Traficom.

“The cybersecurity label… is a tool that makes purchase decisions easier by helping consumers identify devices that are sufficiently secure.”

IoT security essentials

The NCSC-FI was responsible for testing products and developing criteria for security certification, currently based on EN 303 645 (PDF) – security specifications for consumer IoT devices issued by European standards agency, ETSI.

Standards of smart devices should include safe default settings, access control, and secure data transfer and storage, to name a few.

“We hope that as many manufacturers as possible want to certify their products,” Saarimäki said.

“Our goal is that in a few years most home electronics categories will include products with the cybersecurity label.”

Awareness campaign

In the first half of 2019, Finnish security firm F-Secure found unpatched IoT devices were increasingly targeted in malware campaigns, The Daily Swig reported.

A lack of secure-by-default features – such as reliance on factory-set passwords – was said to be a continuing concern among both consumer and enterprise-grade IoT products.

“We are hoping that consumers will learn to recognise the label and actively look for it when selecting products and services,” Saarimäki said.

“At the same time, we will contribute to the increased availability of secure devices in the market.”

Calls for IoT regulation have spread throughout the globe, as consumers become more reliant on smart devices.

The UK published a voluntary code of practice for IoT manufacturers to follow earlier this year, for example.

According to Traficom, Finland is the first European country to disseminate security certificates on IoT products.

RELATED Finland stresses importance of global cybersecurity cooperation