Finland introduces cybersecurity label for ‘safe’ IoT products

The simple, visual symbol can help consumers buy products that meet basic standards and stem the in-flow of low-quality, vulnerable devices.
27 November 2019

The CE marking on a USB 2 computer card for a Windows XP computer. Source: Shutterstock

If you’re based in (or have visited) any country in the European Economic Area (EEA), products branded with the CE marking will be a familiar sight. 

Since 1985, this subtle stamp has been present on anything from toys, machinery, gas-cookers, medical devices— the list goes on. Its aim is to indicate conformity with health, safety, and environmental protection standards. It’s a visible assurance that, whatever the product is, it has met a set of officially-issued standards.

As we move into an age of connected devices, however, where appliances are suddenly networked, the goalposts for what we should consider safe have widened to include digital threats. 

Consumers’ homes today have been flooded with connected devices— whether it’s a coffee machine you start with an app, or internet-connected security camera— which while may not seemingly present bountiful targets for hackers, can provide a gateway for breaking into the entire network. 

These devices themselves can also be collecting sensitive data on their users, which may be fed back to service providers in order to help enhance their products. 

According to Statista, consumer electronics will account for 63 percent of all installed IoT (Internet of Things) units in 2020. Manufacturing these devices is therefore lucrative and, as demand climbs further, consumers are increasingly wont to purchase cheaper, low-end devices for a wider range of applications. 

Of course, the problem with this is that in-built cybersecurity measures are unlikely to be of a high standard, and consumers leave their entire networks vulnerable as a result. 

With all that in mind, and somewhat of a forward-thinking leader in many regards— but increasingly when it comes to building a society based on technology— Finland has become the first European country to certify safe smart devices. Much like the CE label we mentioned earlier, products that meet the required standard are awarded a ‘Cybersecurity label’. 

Launched by the Finnish Transport and Communications Agency Traficom, the label guarantees to consumers that the labeled devices have basic information security features. The Cybersecurity label can be awarded to networking smart devices if the devices meet the certification criteria, which are based on EN 303 645, a draft standard issued with the European standards organization ETSI, based on the specific needs posed by security threats to consumer devices. 

With the label, Traficom aims to raise consumer awareness of information security and the safe use of connected devices. When smart TVs, smartphones, toys and other connected devices in the home network are secure, users can avoid the risk of data abuse, hacking or data leaks, and the result may deter attackers from targeting consumer devices. 

The cybersecurity label or ‘Tietoturvamerkki’ mark. Source: Traficom

According to Traficom’s own research, a key finding that every other Finnish person is concerned about the cybersecurity of smart devices, while two in three found it very important that there was easy-to-access information available on that device’s security. 

“The security level of devices in the market varies, and until now there has been no easy way for consumers to know which products are safe and which are not,” said Jarkko Saarimäki, Director at National Cyber Security Centre Finland (NCSC-FI) at Traficom. 

The Cybersecurity label began development towards the end of last year and was realized in a project led by the NCSC-FI in collaboration Cozify Oy, DNA Plc and Polar Electro Oy.

The first labels have been awarded to products sold by these companies, which include home automation, smart heating, and fitness trackers respectively. 

The security issues associated with consumer smart devices is not one that’s being overlooked elsewhere, but it remains a challenge. Finland is the first country that has granted certificates to devices that pass a cybersecurity threshold, however, the label requirements are also designed to comply with a wide range of national and international requirements and recommendations— that can ensure that the labeling process can also be applied in other environments at international level. 

These labels serve as a clear signpost to customers, and incentive for vendors to strive towards basic but uniform cybersecurity standards as a result— the impact that small change could make, should not be underestimated.