Axis Communications has received a certification for conformance with the cybersecurity standard ETSI EN 303 645. The certification is valid for a wide range of Axis products running AXIS OS 11 or higher, and applies to more than 150 Axis devices today, as well as new ones to be launched. AXIS OS is the Linux-based operating system powering most Axis network products. The certification was issued by Underwriters Laboratories (UL TS B.V.) and was performed at one of UL’s testing facilities in the United States. Moving forward, Axis will regularly test and update this certification to maintain its validity for future products.
The ETSI EN 303 645 standard contains 68 provisions of technical requirements that set the cybersecurity baseline for connected devices. The requirements cover the devices themselves, including support for hardware-based security features like secure key storage, and default security features like HTTPS enabled and no default passwords. Another aspect involves lifecycle management, such as having a defined support period for device security updates. Others include having a methodology for reducing the risk of vulnerabilities in software development; having a transparent vulnerability management policy; and supporting best practices in the processing of personal data. These requirements take into consideration industry best practices that help ensure certified products have a minimum baseline security level throughout their lifecycle.
The standard is developed by the European Telecommunications Standards Institute (ETSI), which is an independent, non-profit, information and communications standardization organization. Although developed in Europe, ETSI EN 303 645 is relevant for global use and has wide applicability. The standard aligns closely with other cybersecurity-related standards, certifications, and legislations across industries and in the following countries/regions:
- European Union (EU Cybersecurity Resilience Act, EU Radio Equipment Directive)
- Finland (Finnish Cybersecurity Label)
- Germany (BSI – IT Security Label)
- United Kingdom (UK Product Security and Telecommunications Infrastructure Act & Code of Practice for Consumer IoT Security)
- United States (NIST IR 8425, Cyber Trust Mark)
- India (TEC Code of Practice for Securing Consumer Internet of Things)
- Vietnam (Cyber Information Security Requirements for Internet of things)
- Singapore (Cybersecurity Labelling Scheme)
- Australia (Code of Practice – Securing the Internet of Things for Consumers)
The standard is openly available on the ETSI website, free of charge.
Third-party certifications based on relevant open standards can be used to demonstrate conformance to or in anticipation of upcoming legislation. Cybersecurity, however, is about more than just certifications. To achieve higher levels of cybersecurity, it is necessary to go beyond standards. This is demonstrated by, among other things, Axis’ support for zero-trust networking, a bug bounty program and a device lifecycle approach to cybersecurity.
The IT industry, with its fast-changing business and security-driven innovations, usually advances faster than standards and certifications can keep up with. Therefore, standards and certifications must be seen as one of many elements that may be useful in certain situations. Focusing solely on certifications for checkbox purposes does not necessarily provide the desired customer value and may cause manufacturers to lag in technological innovation and progress.
