Connectivity Standards Alliance Meets Device Security Challenges
COMMENTARY
Since the discovery of the Mirai Botnet in 2016, governments, enterprises, and consumers have seen the impact of insecure Internet of Things (IoT) devices.
It has become commonplace for numerous Internet-connected consumer devices, such as smart home security cameras and home routers, to be in use with unchanged default usernames and passwords, allowing attackers to take control and turn them into a network of “zombie” devices. Together, they create a botnet of compromised devices, used in large-scale network attacks, impacting the availability of many websites, Internet-driven services, and network availability.
While it may seem like common sense to avoid using default usernames and passwords, many IoT devices do not have adequate security protection, even at the most basic level. Following Mirai, a remarkable amount of work has been performed by standards bodies, industry groups, and governments to ensure new IoT devices placed on the market have a baseline of security by design.
Still, insecure IoT can also impact the individual consumer. It is not clear to consumers whether their devices are secure, have been protected, or will be protected. Certification, verification, standards, and regulation seek to make devices more secure and empower consumers to make informed purchasing decisions.
In an effort to change that, on March 19, the Connectivity Standards Alliance Product Security Working Group (PSWG) released its Internet of Things Device Security Specification 1.0, as well as an accompanying certification program and Product Security Verified Mark for compliant products.
The work aims to establish a unified IoT device security standard, alleviating the challenge for manufacturers to certify their devices and comply with international requirements, as well as inform consumers in regard to devices that meet this set of security requirements. The Connectivity Standards Alliance (CSA) has factored in the existing requirements from international standards, including the European Telecommunications Standards Institute (ETSI) and the National Institute of Standards and Technology (NIST), as well as current regulations, when creating the specification.
Secure by Design Baseline
Security by design calls for device manufacturers to consider and implement security from the early stages of device design and manufacturing, instead of as an afterthought. Three key existing standards have defined the security baseline requirements:
-
ETSI EN 303 645, “Cybersecurity for Consumer Internet of Things: Baseline Requirements” — ETSI is Europe-based, but is widely used across geographies.
-
NIST IR 8425, “Profile of the IoT Core Baseline for Consumer IoT Products” — Published as part of the National Institute of Standards and Technology’s response to White House Executive Order 14028.
-
ISO/IEC 27402:2023 — Published most recently by the international, non-government organization, entitled “Cybersecurity — IoT security and privacy — Device baseline requirements.”
Governments have adopted these standards to varying degrees in their guidance and legislation (planned or implemented). Largely, across regions, the three requirements of no default passwords, transparency on security updates, and clear vulnerability disclosure create the minimum baseline.
While this acceleration and focus on device security is positive, there remain a number of issues in solving the problem:
-
While some government requirements overlap, there is no unified regulation — the picture is fragmented.
-
Likewise, there are multiple standards, with no clear route for manufacturers to follow if selling into multiple markets.
-
Most of the industry guidance is voluntary, with only the UK government and Singapore with mandatory requirements, some yet to be enforced.
In addition, consumers are looking to manufacturers for information that their devices are secure. Omdia’s survey asked, “How do you know how secure your devices are,” and the most commonly cited source (68%) was information from the manufacturer.
Source: Omdia, Consumer IoT Device Cybersecurity Standards, Policies, and Certification Schemes, sponsored by Connectivity Standards Alliance
At this point in time, without mandatory requirements or widespread use of independently verified security testing and requirements, there is no clear way for consumers to access this information from manufacturers or verify its accuracy.
The CSA intends to change that with its new standard. Notably, it recognizes the work already done and standards previously established — the effort combined requirements from the above security baselines, as well as Singaporean and European guidance, into one single specification and certification program.
IoT Device Security Specification 1.0 Requirements
Manufacturers of IoT devices (including light bulbs, switches, smart doorbells, thermostats, and more) who choose to adhere to the specification must meet a number of device security provisions. They must demonstrate compliance with these, supplying justification and evidence to an authorized testing lab that crucially has expertise and experience in security evaluation and certification.
Some key requirements in the specification include:
-
Secure storage of sensitive data on the device
-
Secure communications of security-relevant information
-
Secure software updates throughout support period
-
Secure development, and vulnerability management
-
Public documentation regarding security, as well as the support period
Transparency for Consumers
In addition to requirements that involve transparency — such as publicly documenting support periods — the specification comes alongside the Product Security Verified Mark. This product branding provides confirmation to buyers that a product has met the specification’s security requirements and helps them to make informed purchasing decisions. More information will be accessible to consumers, by one or a combination of printed URL, hyperlink, or QR code.
Omdia Analysis: Efforts From Across the Industry Will Be Key for Adoption
As a voluntary scheme, there is, of course, the question of how adoption will play out. Looking to government guidance, many voluntary requirements and frameworks published have not had the desired adoption — resulting in legislation and regulation passed and being planned in many regions.
That said, CSA’s scheme looks to tackle many of the issues surrounding fragmentation — making things easier and alleviating pressure on manufacturers as this regulation comes into force. In addition, existing schemes have been acknowledged — as an example, Singapore’s label and CSA’s mark will be mutually recognized, meaning certification activities for manufacturers can be significantly more cost effective.
Looking to device manufacturers and industry, manufacturers must see the value of implementing secure by design requirements and certification. Not only does certification help get ahead of and alleviate the pressure of upcoming mandatory requirements, but consumers are more likely to purchase secure devices.
Omdia’s survey of 400 consumers suggests that nearly all consumers were more likely to purchase a device with privacy and security labelling, with the majority (81%) preferring a reference URL or QR code to give them more information on privacy and security.
Source: Omdia, Consumer IoT Device Cybersecurity Standards, Policies, and Certification Schemes, sponsored by Connectivity Standards Alliance
The Connectivity Standards Alliance has nearly 200 member companies that have collaborated in the development and validation of the final specification. This includes large industry players such as Amazon, Arm, Comcast, Google, Infineon, NXP, Schneider Electric, Signify, and Silicon Labs. Industry will have a key part to play in driving product security forward, and the support from its member companies bodes well for adoption of the CSA’s program.
Crucially, botnets such as Mirai are not gone. There continue to be variants to this day, as well as devices sold that still do not have adequate protection. Efforts to improve IoT security remain a top priority for the cybersecurity industry, and efforts such as the CSA’s standard and certification serve as critical baselines in support of those efforts.
Read Omdia’s “Consumer IoT Device Cybersecurity Standards, Policies, and Certification Schemes” report.