
IoT Cybersecurity Testing

Security for all devices in the Internet of Things

IoT cybersecurity audits target the security of all devices on the Internet of Things (IoT). These devices include sensors and actuators as well as their back-end connections, and they often also communicate with gateways and smartphone apps. Security measures against threats must therefore cover the device, its connections and every component it talks to, not the device alone.

Why IoT cybersecurity?

Network connectivity is what makes the applications and components of mobile or stationary IoT devices reachable by attackers. An attacker trying to gain access to a networked device has three main targets: the device itself, the network, and the surrounding infrastructure (app, cloud). Securing the networked environment, for example a segmented industrial network, can block some of these external access paths, but it does not replace security measures on the device itself. Elements of holistic IoT cybersecurity include:

  • Secure application
  • Robust design
  • Trustworthy handling of private data
  • Updates and upgrades of firmware and software
  • Protection against attacks on the validity of data and on the authenticity of the communication partners

Holistic reliability: IoT cybersecurity testing at cetecom advanced


With our cetecom advanced IoT cybersecurity services, we verify the current security status of your networked devices – an important milestone in the market launch of your products. Benefit from our many years of experience in the regulatory certification of products with wireless technologies. When it comes to Internet of Things cybersecurity, cetecom advanced is your partner of choice.

Testing in accordance with CEN/CENELEC EN 18031-1, EN 18031-2 and EN 18031-3 and certification in accordance with
RED Article 3.3 (d), (e) and (f)

The standards were developed by CEN/CLC/JTC 13/WG 8 and consist of the following parts:

  • EN 18031-1:2024 – Common security requirements for radio equipment – Part 1: Internet connected radio equipment
  • EN 18031-2:2024 – Common security requirements for radio equipment – Part 2: radio equipment processing data, namely Internet connected radio equipment, childcare radio equipment, toys radio equipment and wearable radio equipment
  • EN 18031-3:2024 – Common security requirements for radio equipment – Part 3: Internet connected radio equipment processing virtual money or monetary value

The assignment to the essential requirements of the Radio Equipment Directive (RED) Article 3.3 (d), (e) and (f) is as follows:

Essential requirement   EN 18031-1    EN 18031-2    EN 18031-3
                        RED 3.3 (d)   RED 3.3 (e)   RED 3.3 (f)
Security asset          X             X             X
Network asset           X
Privacy asset                         X
Financial asset                                     X

An overview of the security mechanisms required by each part is shown below:

Abbreviation   Mechanism                          EN 18031-1   EN 18031-2   EN 18031-3
ACM            Access control mechanism           X            X            X
AUM            Authentication mechanism           X            X            X
SUM            Secure update mechanism            X            X            X
SSM            Secure storage mechanism           X            X            X
SCM            Secure communication mechanism     X            X            X
RLM            Resilience mechanism               X
LGM            Logging mechanism                  X                         X
NMM            Network monitoring mechanism       X
DLM            Deletion mechanism                              X
TCM            Traffic control mechanism          X
UNM            User notification mechanism                     X
CCK            Confidential cryptographic keys    X            X            X
GEC            General equipment capabilities     X            X            X
CRY            Cryptography                       X            X            X

These cybersecurity tests in accordance with CEN/CENELEC EN 18031-1, EN 18031-2 and EN 18031-3 can be carried out in the cetecom advanced test laboratory. We are happy to help you on the path to cybersecurity for your devices.
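To make concrete what a secure update mechanism (SUM) built on cryptography (CRY) and confidential cryptographic keys (CCK) amounts to in practice, here is an added example written for this page. It is not code from cetecom advanced or from the EN 18031 standards, and the manifest format, the field names and the sample firmware bytes are assumptions for illustration; the exact requirements must be taken from the standards themselves. The device accepts a firmware image only if a vendor signature over the version and image hash verifies, the image actually matches that hash, and the version is newer than the installed one (anti-rollback).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the signed metadata shipped next to a firmware image.
// The format is an assumption for this example; EN 18031 does not prescribe one.
type Manifest struct {
	Version   uint32   // monotonically increasing firmware version
	ImageHash [32]byte // SHA-256 of the image the manifest belongs to
	Signature []byte   // Ed25519 signature over version || hash
}

// signedBytes is the exact byte string the vendor signs: version (big-endian) || hash.
func signedBytes(version uint32, hash [32]byte) []byte {
	buf := make([]byte, 4, 4+len(hash))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, hash[:]...)
}

// SignImage runs on the vendor side: hash the image and sign version || hash.
// The private key is the confidential key (CCK) and never leaves the vendor.
func SignImage(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	hash := sha256.Sum256(image)
	return Manifest{
		Version:   version,
		ImageHash: hash,
		Signature: ed25519.Sign(priv, signedBytes(version, hash)),
	}
}

// Device holds the state the update mechanism depends on: the vendor public key
// provisioned at manufacture and the firmware version currently installed.
type Device struct {
	VendorPub        ed25519.PublicKey
	InstalledVersion uint32
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrHashMismatch = errors.New("image hash does not match signed manifest")
	ErrRollback     = errors.New("update version is not newer than installed version")
)

// Install accepts an update only if the manifest is authentic, the image is the
// one the manifest describes, and the version is newer than what is installed.
// The signature is checked first so that no field of an unauthenticated
// manifest influences a later decision.
func (d *Device) Install(m Manifest, image []byte) error {
	if !ed25519.Verify(d.VendorPub, signedBytes(m.Version, m.ImageHash), m.Signature) {
		return ErrBadSignature
	}
	if hash := sha256.Sum256(image); !bytes.Equal(hash[:], m.ImageHash[:]) {
		return ErrHashMismatch
	}
	if m.Version <= d.InstalledVersion {
		return ErrRollback
	}
	d.InstalledVersion = m.Version
	return nil
}

func main() {
	// Constructed sample data: a vendor key pair and toy "firmware images".
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dev := &Device{VendorPub: vendorPub, InstalledVersion: 2}
	v3 := []byte("firmware image v3 (constructed sample)")
	tampered := []byte("firmware image v3 (constructed sample) + backdoor")
	v1 := []byte("firmware image v1 (constructed sample)")
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	fmt.Println("genuine v3:        ", dev.Install(SignImage(vendorPriv, 3, v3), v3))
	fmt.Println("tampered v3 image: ", dev.Install(SignImage(vendorPriv, 4, v3), tampered))
	fmt.Println("downgrade to v1:   ", dev.Install(SignImage(vendorPriv, 1, v1), v1))
	fmt.Println("attacker-signed v9:", dev.Install(SignImage(attackerPriv, 9, v3), v3))
}
```

On a real device the vendor public key would live in immutable or attested storage and the check would run in the bootloader before the image is ever executed; the version counter must likewise be stored so that it cannot be reset by the very image it protects against.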

Our notified bodies will also be happy to assist you with the certification of your radio equipment in accordance with RED Article 3.3 (d), (e) and (f).

Do you have any questions about EN 18031-x? Then please do not hesitate to contact us. We look forward to hearing from you: mail@cetecomadvanced.com / Tel. +49 681 598 0

Cybersecurity testing according to the Radio Equipment Directive
- Delegated Regulation (EU) 2022/30, Article 3.3 (d), (e) and (f)

The Radio Equipment Directive (RED) 2014/53/EU sets the legal framework for all products that use radio technologies. Its main essential requirements are health and safety, electromagnetic compatibility and efficient use of the radio spectrum. Manufacturers and suppliers of these products must demonstrate conformity with the RED before placing them on the EU market: they carry out a conformity assessment (for example an EU-type examination based on the technical documentation), issue an EU declaration of conformity (DoC) and affix the CE marking.

Since 2022, IoT cybersecurity has also been addressed in the RED, which tells manufacturers which device security requirements will have to be met in the future:

  • In January 2022, Delegated Regulation (EU) 2022/30 was published in the Official Journal of the EU. It activates parts of Article 3.3 of the RED and thus becomes relevant for manufacturers of products with wireless technologies who want to place their products on the EU market.
  • Delegated Regulation (EU) 2022/30 defines cybersecurity requirements for products covered by the RED. It relates to letters (d) to (f) of Article 3.3, which require that:
    • “(d) radio equipment does not harm the network or its functioning nor misuse network resources, thereby causing an unacceptable degradation of service;
    • (e) radio equipment incorporates safeguards to ensure that the personal data and privacy of the user and of the subscriber are protected;
    • (f) radio equipment supports certain features ensuring protection from fraud;”

Delegated Regulation (EU) 2022/30 – Radio equipment types

RED Article 3.3 point (d) (does not harm the network)
  Applicable radio equipment:
  • any internet-connected radio equipment (directly or via any other equipment)
  Not applicable radio equipment:
  • medical devices (Regulation (EU) 2017/745)
  • in vitro diagnostic medical devices (Regulation (EU) 2017/746)

RED Article 3.3 point (e) (personal data and privacy are protected)
  Applicable radio equipment: radio equipment capable of processing personal data, traffic data or location data, namely
  • childcare radio equipment
  • toys (Directive 2009/48/EC)
  • wearables
  • other internet-connected radio equipment
  Not applicable radio equipment:
  • medical devices (Regulation (EU) 2017/745)
  • in vitro diagnostic medical devices (Regulation (EU) 2017/746)
  • civil aviation (Regulation (EU) 2018/1139)
  • motor vehicles, trailers, systems, components and separate technical units (Regulation (EU) 2019/2144)
  • electronic road toll systems (Directive (EU) 2019/520)

RED Article 3.3 point (f) (protection from fraud)
  Applicable radio equipment:
  • any internet-connected radio equipment used to transfer money, monetary value or virtual currency (Directive (EU) 2019/713), e.g. payment devices
 

Originally, the new requirements under letters (d) to (f) of Article 3.3 were to apply from August 1, 2024, giving affected manufacturers little time. The European Commission has since extended the transition period, so the new cybersecurity requirements apply from August 1, 2025. From that date, manufacturers must test their products against the new cybersecurity requirements and declare conformity with Delegated Regulation (EU) 2022/30. This applies to every affected product placed on the EU market after August 1, 2025, whether it is a newly assessed product or an existing one.

Even though the deadline has been postponed by the EU Commission and the standards are not yet harmonized, we can already help you with IoT cybersecurity. With the involvement of our notified bodies, we test your products against the cybersecurity requirements of the RED and support you with the declaration of conformity. Secure your devices now for the time after August 1, 2025: with our expertise in IoT device security, we make sure your devices are prepared for future requirements and regulations.

Do you have any questions about IoT cybersecurity tests according to the Radio Equipment Directive (RED)?
Contact us, we look forward to your inquiry:
mail@cetecomadvanced.com / Phone: +49 2054 9519 0

IoT Cybersecurity testing according to
ETSI EN 303 645 and ETSI TS 103 701

ETSI EN 303 645 defines basic security requirements for consumer IoT devices. Thanks to its broad scope, the standard covers a wide range of IoT devices, from fitness trackers to smart fridges. It is primarily aimed at the manufacturers of these devices, who can voluntarily integrate its provisions into their development process (security by design) and implement them in their products:

ETSI EN 303 645 – Essential requirements

  • Defines basic cybersecurity requirements for consumer IoT devices, but does not include test cases or test procedures
  • Covers all types of consumer IoT devices
  • Includes 33 mandatory requirements and 35 recommendations, including:
    • No universal default passwords
    • Implement a system to manage security vulnerability reports
    • Keeping software up to date
    • Securely storing sensitive security parameters
    • Communicate securely
    • Ensure software integrity
    • Ensuring the security of personal data
    • Make systems resilient to failures
    • Review system telemetry data
    • Easy deletion of user data by the user
    • Ease of installation and maintenance of equipment
    • Validation of input data
    • Data protection requirements
  • Is not suitable to become a harmonized standard under the RED (Radio Equipment Directive)
  • Harmonized standards under the RED must contain requirements that can be verified beyond reasonable doubt, i.e. with an unambiguous pass/fail test result. ETSI EN 303 645, however, contains several result-oriented provisions (e.g. implementing cryptographic best practices) that cannot be tested in this way.

Another document that can be used for IoT cybersecurity testing is ETSI TS 103 701. It helps manufacturers design networked devices securely from the outset (security by design) and serves as an internationally recognized benchmark for assessing minimum cybersecurity requirements for devices. The specification describes how conformance with the ETSI EN 303 645 security standard is determined and comprehensively tested.

ETSI TS 103 701 – Conformity assessment of basic requirements

  • Describes how to assess the compliance of consumer IoT devices with ETSI EN 303 645
  • Contains 109 tests

ETSI TS 103 701 makes test results on the security properties of IoT devices comparable, which allows experienced IoT experts to make reliable security assessments. Manufacturers can use the test specification for self-testing or have their products evaluated by a testing body.

The cybersecurity tests according to ETSI EN 303 645 and ETSI TS 103 701 can be performed in the cetecom advanced laboratories. We are happy to help you on the way to cyber security for your devices.

Contact us, we look forward to your inquiry: mail@cetecomadvanced.com

CTIA Cybersecurity Certification Test Plan for IoT Devices


Our laboratories in Germany and the USA have been recognized by CTIA as Authorized Test Laboratory (ATL) for the CTIA Test Plan for IoT devices.

The CTIA Cybersecurity Test Plan defines the test cases that an Authorized Test Laboratory (ATL) must perform on a device before CTIA Cybersecurity certification can be granted. Certification is defined for two levels of security: the first level (for consumer devices) tests basic security features of IoT devices, while the second level (for enterprise devices) tests additional security elements for devices with higher complexity and management requirements.

Cybersecurity for IoT devices in wireless networks

  • The program was developed with the support of wireless network operators.
  • Creates an industry-wide best practice for IoT security in wireless networks.
  • First cybersecurity program of its kind with support from wireless operators, OEMs and labs.
  • Test plan is continuously updated by the Cybersecurity Working Group.
  • Test plan version 2.1.1 has been active since August 2023 (contains 117 test cases).

Main requirements of the certification program

  • Testing must be performed in a CTIA authorized test lab (ATL).
  • IoT devices must support LTE, 5G or WLAN (GSM, CDMA and UMTS are not considered).
  • Wireless Personal Area Network technologies (ZigBee, Bluetooth, Bluetooth Low Energy) are likely to be added in the future.

Based on the cetecom advanced test report, you will receive an IoT cybersecurity certification from CTIA according to the latest CTIA requirements.

The CyberSecurity Certified (CSC) Label


Cybersecurity is becoming an integral part of product and device safety and, backed by clear legal requirements and independent cybersecurity tests, it can become a selling point. A first step in this direction is a Europe-wide security certificate offered by a new test mark: the CyberSecurity Certified (CSC) label.

As part of this three-stage approval process, we and our partner TÜV NORD are focusing on meeting the fundamental requirements for secure development and operation throughout the product’s lifecycle. These requirements are largely based on the basic cybersecurity requirements for consumer IoT devices according to ETSI EN 303 645.

The following aspects of cybersecurity are considered as part of the device certification process:

  • Secure product development and documentation
  • Internal cybersecurity audits, e.g. nmap scan, vulnerability scan, static and dynamic code analysis, input validation
  • Secure operations, related to
    • Authentication
    • Password management
    • Data storage
  • Secure product lifecycle, related to
    • Update mechanism
    • Security update information
    • Reset to factory settings
    • Patch management
    • Vulnerability management
    • Incident management
    • Change and risk management

Based on the cetecom advanced test report, you will receive the CyberSecurity Certified (CSC) label from TÜV NORD and certification according to the latest CSC cybersecurity requirements.
