18/03/2025

TIC Council is happy to announce the publication of its latest White Paper, TIC Council Cybersecurity Hackathons – Strengthening ETSI EN 303 645. 

TIC Council’s Product Testing and Certification Committee (PTCC) organised two Cybersecurity Hackathons in 2024—one in Singapore (July) and another in Málaga (October). Six TIC Council members’ laboratories—TÜV SÜD, DEKRA, UL Solutions, Bureau Veritas, TÜV Rheinland, and SGS—participated, joined by over 20 cybersecurity experts from around the world. Together, they collaborated on testing the requirements of ETSI EN 303 645 (standard) and TS 103 701 (technical specification), exchanging insights and addressing challenges related to applying cybersecurity standards in real-world settings.

The Importance of Cybersecurity in IoT 

With the rapid expansion of connected devices, ensuring the security of consumer IoT products has become a priority for regulators and manufacturers. While ETSI EN 303 645 serves as a globally recognised standard for IoT security, implementing its requirements remains a challenge for many manufacturers. The TIC Council cybersecurity hackathons were designed to test the interpretation of these standards in real-world settings, assess conformity assessment methodologies, and identify areas for improvement. 

Key Insights from the Hackathons 

Held in Singapore (July 2024) and Málaga (October 2024), the hackathons brought together six TIC Council members’ laboratories—TÜV SÜD, DEKRA, UL Solutions, Bureau Veritas, TÜV Rheinland, and SGS—along with over 20 cybersecurity experts. The participants tested the security provisions of ETSI EN 303 645 using OWASP IoTGoat, a deliberately insecure device designed for cybersecurity training.

Some of the key takeaways from the White Paper include: 

  • Challenges in Interpreting Cybersecurity Standards: Variability in how laboratories applied certain provisions led to inconsistencies, highlighting the need for clearer guidance within ETSI EN 303 645 and TS 103 701. 
  • Difficulties in Completing IXIT/ICS Documentation: Manufacturers often struggle to provide complete and accurate information, leading to delays in cybersecurity evaluations. 
  • Testing Limitations Without Privileged Access: Some security provisions, such as secure boot verification, could not be fully assessed without access to privileged system settings. 
  • The Need for Standardised Reporting: A lack of a uniform evaluation report format resulted in inconsistencies in documentation across laboratories. 

Recommendations for a Stronger Cybersecurity Landscape 

The White Paper provides targeted recommendations for standardisation organisations, manufacturers, and conformity assessment bodies to improve the consistency and effectiveness of IoT cybersecurity testing. Key proposals include: 

  • Enhancing guidance within ETSI EN 303 645 to improve clarity in test case interpretations. 
  • Introducing a standardised evaluation report format to ensure consistency in cybersecurity assessments. 
  • Encouraging manufacturers to provide more comprehensive documentation and development samples with privileged access. 
  • Strengthening collaboration between TIC laboratories and regulators to refine conformity assessment methodologies. 

Read the Full White Paper 

The findings from the TIC Council cybersecurity hackathons underscore the critical role of independent testing, inspection, and certification in securing IoT devices. By addressing the challenges identified, the TIC sector can further strengthen cybersecurity standards and drive global consistency in product security evaluations. 

To explore the full insights and recommendations, read the White Paper here.

For more information, contact Ángel Moreno Rubio, Digital Policy Manager at TIC Council: amorenorubio@tic-council.org