New guide for increased cyber security in IoT products

25. March 2022

The number of products connected to the Internet has long since exceeded the entire world population. At the same time, our increased reliance on digital technologies increases the risk of cyberattacks. Hence the need for a new guide to help increase cybersecurity in products.

Televisions, electricity meters, and other products connected to the Internet are now found in most Danish homes, and IoT products and solutions are increasingly gaining ground for both private and industrial use in numerous other locations. This means an increased risk of cyberattacks and an increased need to ensure that no one gets access to, for example, your online bank or sensitive data through your smartwatch.

Therefore, Danish Standards, in collaboration with Alexandra Institute and Force Technology and with support from Cyber Hub, has issued a new guide that aims to help companies working with IoT solutions prioritise cyber security and keep up with the standards that may be helpful.

IoT products are a vulnerable target for cyberattacks
‘We need to increase product safety in a broad sense, whether it is about the coffee machine at home in the kitchen or the pump control on a tanker’, explains Jeppe Pilgaard Bjerre, a specialist at Force Technology and co-author of the new guide, which will help Danish companies handle cybersecurity in products:

‘This type of product is a vulnerable target for cyberattacks and, in recent years, we have seen many examples where hackers have gained access to sensitive data or the computing power in a considerable number of such devices and have thus been able to force large companies to their knees.’

At the European level, there is as yet no regulation of the area, but there is a wide range of standards that can help companies and organisations systematise their approach to cybersecurity in IoT products and solutions.

Although, according to Statistics Denmark, almost a quarter of Danish companies use IoT, there is no in-depth knowledge of the existing standards that focus on cyber security in IoT products and solutions. This is apparent from an analysis by Alexandra Institute of Danish companies’ work with IoT security.

‘We experience that many companies have a desire to document the safety of their products, due to customers’ demands for safe products. Nevertheless, customers are unable to define their requirements, hence their unclear demands to the companies.

‘Companies are looking for a standard or some sort of best practice; however, in our experience, they often adopt the first safety-related standard they hear about, leading to some companies missing their targets for an appropriate level of security, aiming too high or too low, and leading to a total waste of resources’, says Michael Bladt Stausholm, Senior Security Architect at Alexandra Institute.

Michael Bladt Stausholm has also been involved in preparing the new guide, which he hopes will make it easier for companies to find the standard that is relevant to their product or challenge and estimate how big a task it will be to implement the chosen standard.

A tool for small businesses
The guide will help Danish companies – especially small and medium-sized enterprises (SMEs) – to systematise the work with cyber security in products by providing an overview of the most important European and international standards in the field, insight into which standards should be used, and the value this represents.

‘The guide is aimed at anyone who makes products that can communicate with something else – whether it is for private use or B2B products. It is a good benchmark when you want to find out which standards are relevant and can help with the type of product you have, what type of company you are, and what type of issue you face concerning safety. It makes a big difference whether you are completely new to the area or have pre-existing experience’, explains Jeppe Pilgaard Bjerre.

The purpose of the guide is to make more Danish SMEs familiar with the standards for cyber security in products, thereby contributing to improving cyber security.

‘The guide can help companies working with IoT solutions to prioritise cyber security and can also help SMEs buying IoT products to define which security requirements they must demand from their suppliers’, says Berit Aadal, Senior Consultant at Danish Standards.

She emphasises that the guide can also help improve Danish companies’ competitiveness by focusing on cyber security, placing them in a leading position in the market.

About the guide
The guide is specifically targeted at small and medium-sized enterprises and provides an overview of the most important European and international standards for cybersecurity in products.

It contains a brief description as well as an assessment of the various standards, allowing users to get an overview of the standards in a relatively short time and choose the relevant ones to study in depth.

The standards are categorised according to a life cycle model and have been evaluated based on comparable criteria, which in turn are compared across the standards.

The guide does not necessarily have to be read from one end to the other; it can also be used as a reference work. As cybersecurity standards are constantly evolving for IoT products and solutions, a few of the standards mentioned may not even be public yet.

Danish Standards, Alexandra Institute, and Force Technology have prepared the guide in collaboration with Danish companies and experts involved in cyber security in products. The work was funded by Cyber Hub as a Cyberboost project as well as the Danish Business Authority.

The guide can be downloaded free of charge from Danish Standards’ webshop.
