Category Archives: Blog Post


IoT device security to become part of CE marking by 2024

November 3, 2021
Richard

The security and safety of wireless IoT devices took another step towards becoming part of EU CE compliance last Friday. The EU Commission announced its adoption of the delegated act to the Radio Equipment Directive https://ec.europa.eu/growth/news/commission-strengthens-cybersecurity-wireless-devices-and-products-2021-10-29_en.

As a result, this act will create legal requirements for the security of wireless IoT devices. This change to the Radio Equipment Directive has significant implications for the CE marking of wireless IoT devices.

In simple terms this will make certain cyber security measures mandatory as part of wireless IoT device CE compliance and marking. This is the route that Craig Ormerod from TUV SUD and I suggested that the EU might be expected to follow, in our presentation at the IoTSF’s 23rd Plenary back in 2019. The key requirement is that there are safeguards in the IoT device to protect the users’ personal data and privacy, along with fraud prevention measures.

Demonstrating compliance and Standards

Demonstrating compliance is normally done against standards, in some cases market specific ones. The Commission is asking the European Standardisation Organisations to develop relevant standards. However, there are some existing standards that are likely to be applicable:

In the Consumer market some or all of the 13 controls in the ETSI standard EN 303 645 “CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements” [1] are likely to be mandated. Associated with this ETSI Consumer cybersecurity standard is its partner test standard EN 103 701 “CYBER; Cyber Security for Consumer Internet of Things: Conformance Assessment of Baseline Requirements” [2].

For the Industrial sector a likely standards family which could be used to demonstrate compliance would be EN IEC 62443 “Security for industrial automation and control systems” [3].

Where there are no standards for a specific sector then it will be necessary to seek the opinion of a Notified Body, as to whether the security mitigations are sufficient to ensure the product is compliant. Hopefully this lack of standards situation will not last too long. Ahead of standards, there are also other sources of support for demonstrating security compliance. A good example is the IoTSF’s Assurance Framework [4], of which Xitex’s Richard Marshall was a lead author.

Compliance methods will be the same as the existing compliance approach with the Radio Equipment Directive, either through self assessment or independent third party assessment.

Timescales

Unless the EU Council and Parliament raise objections, the delegated act will come into force after a two month scrutiny period. Once the act comes into force, manufacturers will have 30 months to make their products compliant, i.e. by mid 2024. In conclusion, with typical product development lifecycles being between 12 and 24 months, their security requirements need to be considered now for new and existing products.

Richard Marshall is Director and Managing partner at Xitex

Other useful related links:

[1] ETSI Standard EN 303 645 “CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements” https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf

[2] ETSI Standard TS 103 701 “CYBER; Cyber Security for Consumer Internet of Things: Conformance Assessment of Baseline Requirements” https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/01.01.01_60/ts_103701v010101p.pdf

[3] EN IEC 62443 Standard “Security for industrial automation and control systems” https://webstore.iec.ch/searchform&q=62443

[4] IoTSF “Assurance Framework” 3.0 https://www.iotsecurityfoundation.org/best-practice-guidelines/

Xitex IoT Security and regulation blog post: http://www.xitex.uk/2018/11/26/being-regulation-ready/

Further information

If you have specific queries around IoT device security please contact us at: sales@xitex.co.uk


IoT Hardware from Prototype to Production

DigiCatapult, Xitex, Arrow, SonyUKTEC & Microsoft have detailed the entire process of IoT hardware new production introduction

March 15, 2020
Richard

The internet of things represents one of the biggest current business opportunities, as it underpins the digitisation of our economy, a transition towards what is hailed as the fourth industrial revolution. Digital Catapult, Xitex, Microsoft & Arrow recently published a guide, “IoT Hardware from Prototype to Production Guide”, for #startups and #scaleups.

Xitex is delighted to have been the lead author in the project in conjunction with the @DigiCatapult.

About the IoT Hardware from Prototype to Production Guide

Taking wireless IoT based products into production involves a variety of challenges. This paper is intended to provide guidance to navigate the entire process of IoT hardware production from the building of a basic prototype up to production at volume and end of product life. For each of these hardware manufacturing stages, the report highlights important considerations such as where to focus energy and provides a clearer understanding of the expectations that design and manufacturing partners may have, so an engagement with these can become more successful.

Target Audience

Digital Catapult’s IoT hardware from prototype to production guide is designed for UK entrepreneurs, startups and scaleups who are keen to launch hardware based IoT products and services.

The guide can be found here: https://www.digicatapult.org.uk/wp-content/uploads/2021/11/20190903_DC_109_IoT_Production-to-Product_Report_Digital_1___1.pdf

Other resources and whitepapers on IoT development and security can be found at http://www.xitex.uk/resources/

Being Regulation Ready for IoT Products

November 26, 2018
Natalie Bourke

The development of the Internet of Things (IoT) has opened up opportunities across society and business, yet with this comes new security concerns and cyber threats. These can range from small inconveniences to serious privacy threats which could have drastic consequences. Typically there is an assumption that IoT products and services are largely unregulated and await specific regulations, when in fact regulations which affect IoT security do already exist with sanctions applicable to IoT providers. However as these are reliant on existing laws, which were not specifically written for the IoT market, often there is a lack of awareness of such legislation and how it may affect IoT products. This is coupled with some of the gaps in existing legislation, which usually only come to light when something goes wrong and the gaps become evident.

The Internet of Things Security Foundation (IoTSF) reminds us that “Security is not a destination, it is a journey”.

The IoTSF’s new report, “IoT Cybersecurity: Regulation Ready” is targeted at enterprises that produce or use IoT systems. With a security-focused mindset, it is intended to give IoT users and service providers a view of the current regulatory landscape and indications of the direction of some of the impending regulatory changes.

The report highlights existing legal regulations and sanctions – which vary globally – as well as highlighting already available resources and tools that can help businesses be ‘regulation ready’.

This report is an important part of the IoTSF’s Compliance activities, which Richard Marshall, Managing Consultant at Xitex, is delighted to be leading in his role as Plenary Chair for the IoTSF.

The report is free to download and is available in two versions: a ‘concise version’ and a more detailed ‘full version’ for those who need greater depth. Both copies can be found on the Internet of Things Security Foundation’s Best Practice Guidelines webpage.

Considering IoT Security at Home

November 21, 2018
Natalie Bourke

It is becoming increasingly common to find a significant number of connected devices in your home; be it simply a wireless router, a fitness tracker or perhaps a smart central heating device to name a few. The number of IoT products and devices on the market is expanding at a rapid pace and with this comes a growing fear of cyber attacks and the potential for privacy invasion.

The burgeoning number of insecure Internet connected products was the key reason why the Internet of Things Security Foundation (IoTSF) was founded in 2015.

How do Normal Consumers at Home Manage IoT Security Threats with Ease?

Richard Marshall, Managing Consultant at Xitex Ltd and Plenary Chair to the IoTSF, recognises that “In the home environment, security needs to be managed with minimal consumer intervention and without the consumer having any specialist knowledge of security of IoT devices.”

John Moor, the IoTSF’s Managing Director, points out that, “Security is not static, it requires a series of on-going processes that need to be managed over the combined life-cycles of the combined system elements – this includes services, devices and networks.”

Due to the diverse use of proprietary interfaces, it is not practical or realistic that the “plug-and-play consumer” will be able to enforce baseline security.

The IoTSF’s Newly Published Whitepaper suggests putting Security Responsibility onto Router Manufacturers and the Original Equipment Manufacturers (OEMs).

The document supplies much needed advice on the benefits of taking a hub-based approach, when connecting IoT devices and systems at home.
The hub-based approach is ideal for a “plug-and-play consumer” to ensure products and systems work together seamlessly. Yet it can also help the user avoid cyber security risks and data protection issues.

Xitex Ltd is proud to have made a significant contribution to the final version of the document. The document is intended for OEMs who are designing devices or smart hubs, Service Providers/Retailers and other Solution Providers for IoT products. To download the whitepaper please visit the IoTSF’s best practice guidelines.

For more information please see the article published on the IoTSF website.

Presenting at IoTBuild 2018

November 4, 2018
Richard

The IoT Stack and Ecosystem Event covering Architecture, Connectivity, Security & Edge

IoT Build 2018 Invitation

Recognised as the UK’s leading event for IoT adopters, IoTBuild 2018 opens itself up to over 1000 executive level attendees. Attendees will gain access to 2 x conference tracks; 2 x technical theatres; consultancy clinics; start-up showcase, and the exhibition. In addition the event is an opportunity to meet and network with a pre-qualified audience of trusted advisors, solution vendors and those eager to learn. In its third year of running, IoTBuild 2018 is bigger and better than ever before.

We are proud to announce that Richard Marshall, Plenary Group Chair, IoT Security Foundation, will be speaking at IoTBuild 2018.

So we are pleased to offer you a complimentary Expo Ticket to join us this November. Your Expo Ticket will give you access to industry case studies in the Connectivity and Security theatre, entrance to the consultancy clinic, 1-2-1 meetings, exhibition and drinks reception.

To RSVP Your IoTBuild 2018 Expo ticket, please click this link!

Xitex at the Verification Futures 2016 Conference

February 3, 2016
Richard

Xitex is pleased to announce that they will be presenting at the Verification Futures 2016 Conference on the 4th February 2016.

Organised by TVS, Verification Futures 2016 is a one day conference, exhibition and industry networking event to discuss the challenges faced in hardware verification. The day will host a fantastic opportunity to network with other verification engineers across Europe. As well as this, the event will offer an opportunity for end users to explain their current and present verification challenges, to collaborate with vendors and find solutions together.

Xitex’s presentation at Verification Futures 2016 will be on Security Standards and Architecture Considerations for Secure Hardware Design and Verification.

Richard Marshall, Managing Consultant at Xitex Ltd, will be presenting at the event. His focus will be on the foundations of secure products. He will particularly discuss the need for true random number sources for nonce and key generation, as well as product compliance with standards such as FIPS 140-2 and 186-4. Where a larger number of customers must be considered – for example the mobile network operators mandating standards compliance – he will go on to consider what independent tests are available to demonstrate standards compliance. Consideration will also be given to some of the architectural security verification challenges and Richard will go on to look at a brief case study on secure hardware for 3G/4G Small cells.

Further information about the Verification Futures Conference 2016 can be found on their website at Verification Futures Europe 2016

How VW Might have Fixed their Emissions Problem

October 12, 2015
Richard

The recent publicity that surrounds the VW diesel emissions scandal only just begins to highlight the security challenges that IoT users and producers must consider today.

Using the VW diesel emissions scandal as a case study, Xitex’s founder Richard Marshall has written a blog post for the IoT Security Foundation on the importance of being able to remotely patch product firmware. His writing particularly looks at how VW might have reduced the impact of their diesel car emission problem if they had been able to remotely update the ECU firmware.

The full blog post can be found on their website at: How VW Might Have Fixed their Emission Problem.
