ETSI EN 303 645
Developed by ETSI, EN 303 645 is the leading global security baseline for consumer IoT products, influencing regulations across Europe, the UK, and several other regions.
The Thirteen Pillars of IoT Security
ETSI EN 303 645 was designed to mitigate the most common attack vectors used against smart home devices. It outlines 13 provisions that serve as a practical checklist for cyber resilience:
- No Universal Default Passwords
- Vulnerability Disclosure Policy
- Keep Software Updated
- Secure Storage of Sensitive Data
- Secure Communication
- Minimize Exposed Attack Surfaces
- Ensure Software Integrity
- Ensure Personal Data is Secure
- Make Systems Resilient to Outages
- Examine System Telemetry Data
- Easy Deletion of Personal Data
- Easy Installation and Maintenance
- Validate Input Data
Data Protection and Minimization
EN 303 645 requires the protection of sensitive data both when stored on the device and when transmitted over networks. This necessitates the use of industry-standard cryptography and secure transport protocols like TLS.
Beyond data, the standard focuses on minimizing the attack surface; debug interfaces (like JTAG or UART) used during manufacturing must be disabled or physically secured before the product ships. Unused network ports and services must be closed by default, ensuring that the device exposes only the minimum necessary functionality to the outside world.
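The checklist above and the two data-protection and attack-surface paragraphs describe what a compliant device looks like, but not how a product team verifies a build against them. The following is an added example (not the standard's own test specification and not code from ETSI): a small Python audit that scores a constructed device configuration against provisions 1, 4, 5 and 6 (default passwords, secure storage, secure communication, minimized attack surface), with a weak "as shipped" configuration beside its hardened counterpart. The DeviceConfig fields, the default-password list, the sample model and serial, and the pass/fail rules are all this example's own assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed list of common factory-default credentials (illustrative, not exhaustive).
DEFAULT_PASSWORDS = {"", "admin", "password", "12345678", "1234", "root"}


@dataclass
class DeviceConfig:
    """Constructed device configuration; the field names are this example's own."""
    model: str
    serial_number: str
    admin_password: str
    tls_min_version: str                  # minimum TLS version the device accepts, e.g. "1.2"
    secrets_in_protected_storage: bool    # keys/credentials in a secure element or encrypted store
    debug_interfaces: dict[str, str]      # name -> "enabled" | "disabled" | "physically_secured"
    listening_services: dict[int, str]    # port -> service name
    required_services: set[str] = field(default_factory=set)


def audit(cfg: DeviceConfig) -> list[str]:
    """Return one finding per violated rule; an empty list means every check passed."""
    findings: list[str] = []

    # Provision 1: no universal default passwords. The password must not be a factory
    # default and must not be derivable from public identifiers such as model or serial.
    pw = cfg.admin_password
    if pw.lower() in DEFAULT_PASSWORDS or pw.lower() == cfg.model.lower() or cfg.serial_number in pw:
        findings.append("P1 no-universal-default-passwords: admin password is a default or derived from model/serial")

    # Provision 4: securely store sensitive security parameters.
    if not cfg.secrets_in_protected_storage:
        findings.append("P4 secure-storage: keys/credentials are not held in protected storage")

    # Provision 5: communicate securely; reject builds that still accept legacy TLS.
    major, minor = (int(x) for x in cfg.tls_min_version.split("."))
    if (major, minor) < (1, 2):
        findings.append(f"P5 secure-communication: minimum TLS version {cfg.tls_min_version} is below 1.2")

    # Provision 6: minimize exposed attack surfaces. Debug interfaces must be disabled or
    # physically secured, and only services the product actually needs may listen.
    for name, state in cfg.debug_interfaces.items():
        if state == "enabled":
            findings.append(f"P6 attack-surface: debug interface {name} is enabled in the shipped build")
    for port, service in sorted(cfg.listening_services.items()):
        if service not in cfg.required_services:
            findings.append(f"P6 attack-surface: port {port} ({service}) is open but not required")

    return findings


# Constructed "as shipped" configuration that fails several provisions.
WEAK = DeviceConfig(
    model="SmartPlug-X1",
    serial_number="SPX1-000123",
    admin_password="admin",
    tls_min_version="1.0",
    secrets_in_protected_storage=False,
    debug_interfaces={"uart": "enabled", "jtag": "enabled"},
    listening_services={23: "telnet", 80: "http", 8443: "https-api"},
    required_services={"https-api"},
)

# The same device after hardening: per-unit password, TLS 1.2 minimum, secrets in a
# secure element, debug interfaces disabled or secured, only the required service listening.
HARDENED = DeviceConfig(
    model="SmartPlug-X1",
    serial_number="SPX1-000123",
    admin_password="tQ7#vL9pX2mR4w",     # constructed per-unit value
    tls_min_version="1.2",
    secrets_in_protected_storage=True,
    debug_interfaces={"uart": "disabled", "jtag": "physically_secured"},
    listening_services={8443: "https-api"},
    required_services={"https-api"},
)

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        result = audit(cfg)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

Running the script reports seven findings for the weak build (one each for provisions 1, 4 and 5, and four for provision 6: two enabled debug interfaces and two unneeded listening services) and none for the hardened build. In practice the configuration would be extracted from the firmware image or a running device rather than hand-written, and the password rule would also compare across units to catch a password shared by the whole product line.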
