“It’s a huge step forward to have a global consumer IoT security certification. It’s so much better than not having one,” Steve Hanna, Infineon

“Research continually shows that consumers rate security as an important device purchase driver, but they don’t know what to look for from a security perspective to make an informed purchase decision,” Eugene Liderman, director of mobile security strategy at Google, tells The Verge. “Programs like this will give consumers a simple, easily identifiable indicator to look for.”

Liderman is part of the CSA working group that defined the 1.0 spec for the program, which has been developed by over 200 member companies of the CSA. These include (along with Google) Amazon, Comcast, Signify (Philips Hue), and several chipmakers such as Arm, Infineon, and NXP.

According to Tobin Richardson, CEO of the CSA, products carrying the PSV Mark could start to appear as soon as this holiday shopping season.

The CSA’s new product security verification mark. Image: CSA

One cybersecurity mark to rule them all

The CSA’s announcement on March 18th follows last week’s news that the FCC has approved implementing its new cybersecurity labeling program for consumer IoT devices in the US. Both programs are voluntary, and the CSA’s label doesn’t compete with the US Cyber Trust Mark. Instead, it goes a step further, taking all of the US requirements and adding cybersecurity baselines from similar programs in Singapore and Europe. The end result is a single specification and certification program that can work across multiple countries (see sidebar).

The CSA’s IoT cybersecurity standards requirements

The following IoT device cybersecurity standards and regulations are the core requirements of the CSA’s specification and certification program for its Product Security Verified Mark:

- US NIST requirements – NIST 8259, NIST IR 8425, NIST SP 800-213, and various laws
- EU ETSI requirements – such as IEC 62443 & ETSI EN 303 645
- Cyber Security Agency Singapore IoT labeling scheme

According to Tobin Richardson of the CSA, this is a comprehensive set of requirements that should cover most, if not all, of other government requirements. However, the spec can be updated with any additional requirements as more countries participate.

Richardson says the goal is for the CSA’s PSV Mark to be recognized by governments, so manufacturers can go through just one certification process to sell in all the major markets. This could reduce cost and complexity for manufacturers and potentially bring more choice to consumers.

The PSV Mark has been recognized by the Cyber Security Agency of Singapore, and the CSA says it is working on mutual recognition with similar programs in the US, EU, and the UK. “It’s very likely, and with some [countries], it’s a certainty,” says Richardson. “It’s mainly a matter of tying up some paperwork.”

To get the PSV Mark, devices must comply with the IoT Device Security Specification 1.0 and go through a certification program that involves answering a questionnaire and providing accompanying evidence to an authorized test laboratory. Highlights of the requirements include:

- Unique identity for each IoT Device
- No hardcoded default passwords
- Secure storage of sensitive data on the device
- Secure communications of security-relevant information
- Secure software updates throughout the support period
- Secure development process, including vulnerability management
- Public documentation regarding security, including the support period

According to the CSA, the voluntary program applies to most connected smart home devices — including lightbulbs, switches, thermostats, and security cameras — and can be applied retroactively to products in the market. Along with the PSV Mark, “A printed URL, hyperlink, or QR code on the mark gives consumers access to more information about the device’s security features,” the CSA says in its press release.

The program is focused specifically on device security — making sure the physical device itself can’t be accessed — rather than privacy. “But there is a close linkage in that you can’t have privacy without security,” says Richardson. While security impacts privacy, this program doesn’t offer many requirements around how a manufacturer uses the data a device collects. The CSA has a separate Data Privacy Working Group dealing with that can of worms.

Better security, but still not perfect

The current iteration of the program isn’t a silver bullet to solve IoT device security concerns. Steve Hanna of Infineon Technologies, a 25-year cybersecurity researcher and chair of the CSA working group for the program, told The Verge there’s still more he’d like to see incorporated. “But we have to crawl, walk, and then run,” he says. “It’s a huge step forward to have a global consumer IoT security certification. It’s so much better than not having one.”

Google’s Liderman also points out that meeting the minimum security standard doesn’t guarantee a device is vulnerability-free. “We greatly believe that the industry needs to raise the bar over time, especially for sensitive product categories,” he says.

The CSA plans to keep the specification updated, requiring companies to recertify at least every three years. Additionally, Richardson says there will be a requirement for an incident response process, so if a company encounters a security issue — such as Wyze’s recent problems — it must fix those before it can be recertified.

To address concerns about misuse of the label, Hanna says the CSA will have a database of all certified products on its website so you can cross-check a company’s claims. He also says there are plans to make the information available in an API, which could allow your smart home platform app to alert you to a device’s security status before it can join your network.

Hanna cautions against setting expectations too high. “Some companies are excited about it to recognize the work they have already done, but we shouldn’t expect every product to have this,” he says. Some may find they have problems that mean they can’t get certified, he says. “If or when these become required by governments, that’s where the rubber hits the road.”

A voluntary program may seem like a finger in the dam, but it does solve two basic problems. For manufacturers, it makes it simpler to comply with regulations from multiple countries in one step, while for consumers, it opens an avenue to information about what type of security practices a company adheres to.

“Without a label or a mark, it can be difficult as a consumer to make a purchasing decision based on security,” says Hollie Hennessy, an IoT cybersecurity expert at tech analyst firm Omdia. While the program being voluntary could be a barrier to adoption, Hennessy says her firm’s research indicates people are more likely to purchase a device with privacy and security labeling.

Ultimately, Hennessy believes that a combination of standards and certifications like this, along with regulations and legislation, is needed to solve consumer concerns about privacy and security in connected devices. But this move is a big step in the right direction.