One smart Beko fridge and its journey to become IoT Security Assured – A case study with Arçelik


Last month, the connected Beko refrigerator (model number: K60366NE) became certified at silver level to the IASME IoT Security Assured Scheme.

Beko is the international home appliances brand of Arçelik. The smart fridges are made in Turkey and distributed all over the world. Arçelik is a multinational household appliances manufacturer, owned by Koç Holding, which is one of the largest groups in Turkey and Europe and the only Turkish company in the Fortune Global 500.

Arçelik are pioneers of innovation, working towards the goal of leading the technology in their sector. They dedicate 1.5% of their total annual turnover to research and development (R&D) and employ over 2000 research latest trends in the area of Automotive Cybersecurity. Their high level of expertise in Internet of Things (IoT) cyber security is reflected in their 2018 award of IoT Security Champion from the IoT Security Foundation (IoTSF).

Arçelik follow IoT cyber security standards very closely, and it was through their membership of the IoTSF that they heard about the IASME IoT Security Assured scheme. They came to the scheme in its first year of inception and, having successfully certified their first product, the connected Beko refrigerator, they are now preparing with great enthusiasm to apply the code of practice regulations to all their product ranges. The experts at Arçelik are firm believers that built-in security should be central to design and that every IoT device should satisfy the minimum recommended requirements. They are a great example of a connected device manufacturer that is committed to demonstrating their security compliance to their customers.

IASME developed the IoT Security Assured certification scheme to provide an accessible, achievable and high-quality way for manufacturers to demonstrate the security of their internet-connected devices and to show they are compliant with best-practice security. When the IoT Security Assured scheme badge is displayed on a device it will reassure the end user that their device has the most important security features included.

Following a successful pilot scheme that was supported by funding from the Department for Digital, Culture, Media and Sport, IASME launched the scheme in February 2021.

The IoT Security Assured scheme is aligned with the leading global technical standard in IoT security, ETSI’s EN 303 645, and with imminent UK IoT security legislation and guidance.

Within the IoT Security Assured scheme, there are three levels of security that a device can be certified to:

The Basic level is aligned with proposed UK legislation and covers the top three requirements of the ETSI standard.

The Silver level is aligned with the 13 ETSI mandatory requirements and Data protection provisions.

The Gold level is aligned with the 13 ETSI mandatory requirements as well as all the additional ETSI recommended requirements and Data protection provisions.

This year, the UK Government is introducing new legislation that sets a minimum bar for the security of consumer IoT devices. The new legislation will specify three mandated security features which are aligned with the top three requirements of the European Technical Standard for IoT Security.

There is similar legislation in Turkey, which also uses ETSI EN 303 645 as a reference for the national IoT security standards. In February 2022, the World Economic Forum’s related cyber security division invited Turkish National Bodies (TR-Test, Industry and Trade Ministry) to discuss Turkey’s IoT security standards. Arçelik, who operate in over 100 countries and ensure that they are compliant with legislation in all their markets, were present at that event. Turkey is looking to create mutual recognition with other countries that recognize IoT security standards, such as the UK, Finland and Singapore.

 

We asked Çağatay Büyüktopçu, R&D Cyber Security Technology Manager at Arçelik about ensuring the security of their connected devices.

 

Çağatay, how did Arçelik ensure that its BEKO connected fridge met the requirements for the Security Assured scheme?

“We believe that if connectivity is central to the product, then security should be central too. The two key features which are update management and data collection are sensitively managed through embedded ‘Hardware Security Model’ (HSM) into our products.

Six years ago, the IoT sector was attempting to manage security with digital software certificates, however, the same certificates were used for all connected products which meant that if you hacked one, you would be able to hack them all.

The ability to hide a unique private key in special hardware and then embed that HSM into your product is very important. That is why we made a significant investment in this technology. Embedding HSM into the product is not the end of it, however, we also had to find a way to embed the latest cryptographic algorithms in a very small resource concept microcontroller and create that clock algorithm to create an end-to-end channel. We spent almost two years working with Cerberus Laboratories, a UK-based IoT security and design company, who helped us to create an embedded security infrastructure.

HomeWhiz is the app which is used to control the refrigerator. It plays an important role in the product security, e.g. it will alert the user when a new security update needs installing.”

What are some of the other challenges you are working on?

“We have various different product architectures, spanning from TVs, to Bluetooth speakers, and Bluetooth tea makers and we would like to get the silver level IoT security assured certification for all of these product ranges. At Arçelik, we are unique in this field. We have a team in our R&D department that focuses on cyber security infrastructure of IoT household appliances devices, mobile applications and cloud services.”

“In order to fully address cloud security issues, we have created a partnership with Green Custard Ltd, an Amazon Web Services (AWS) Advanced Tier Services partner and cloud native professional services company.

With the help of Green Custard, we want to further improve our cloud security infrastructure. Many of today’s IoT cloud services are designed without enough consideration of cyber security and leave that topic mostly to providers. Since the number of cloud services for IoT devices will grow rapidly year on year, our infrastructure combines a security first approach with scalability and sustainability.”

What is your advice to manufacturers of IoT devices?

“Security is a mindset, and it will not be enough simply to change the device infrastructures. Processes and policies need to be created and followed by all the related internal stakeholders of the company and design, production, after sale and supply chain should all be taken into consideration.

IoT device manufacturers should not be competing with each other in terms of security. Our competitors are cybercriminal hackers in the field, so we should act all together to reduce the total risk.”

What’s next for Arçelik?

“Our objective is to make sure that all our product groups are compatible with national and international IoT security legislations.

We aim to achieve the Security Assured assessment for all our product groups at least at silver level, and further develop our approach to be compatible at gold level.

We have just sent a product assessment to IASME to be certified, so this is just the beginning I think.”

For more information about Arçelik, visit their website here.


Find out more about the IoT Security Assured scheme here.