IoT Compliance Certification: Control is Better

The right security and privacy safeguards can help businesses realize the potential of IoT but how do companies know if their privacy and security safeguards are sufficient? IoT compliance certification can help as standards evolve.

the majority of US executives consulted by the accountancy firm PricewaterhouseCoopers (PwC) said their businesses already have one or more IoT projects in the works – but not without trepidation. The annual PwC 2019 IoT Survey shows that 48 percent worry about cybersecurity issues and 46 percent have privacy concerns, while 45 percent claim an uncertain regulatory environment has slowed or thwarted their IoT progress. It’s clear that decision makers need to feel they can have trust in IoT’s data being accurate and secure.

Can decision makers really trust in IoT solutions? As Lenin famously said, “Trust is good, but control is better.” To help organizations get a better understanding of IoT activity and security in the enterprise, the Threat LabZ research team from the security provider Zscaler analyzed IoT traffic across the Zscaler cloud during a one-month period.

The report, titled IoT in the Enterprise: An Analysis of Traffic and Threats, showed that the vast majority of IoT transactions were occurring over plain text channels, instead of using the encrypted Secure Sockets Layer (SSL) protocol. While a major security vulnerability, the use of unsecured channels is just one vulnerability within IoT devices.

Holistic Standards

“A major challenge in defining security measures for IoT is the entailed complexity that is brought by the diversity of application areas for IoT,” says ENISA, the European Union Agency for Cybersecurity. At the end of 2018, an ENISA analysis, called IoT Security Standards Gap Analysis, mapped existing standards against the requirements of security and privacy in IoT. Its conclusion was that there was no significant gap; every requirement could be met by existing standards.

Security standards may exist for many individual elements within IoT but it’s not just a collection of individual devices and services, it’s an ecosystem. In addition, IoT’s high scalability and other features call for a more flexible approach, says ENISA. The real gap in IoT security standards stems from the fact that the ecosystem is not treated holistically. The current situation means that it’s possible to introduce a device that can authenticate its user, can encrypt and decrypt data transmit-ted and received, and can therefore provide proof of its integrity, yet it still remains unsecure as part of the wider IoT ecosystem. ENISA points out that elements of a holistic approach toward IoT security can be found in some series of standards, but further work in standardization is needed to achieve an overarching approach that protects the entire ecosystem.

The overall purpose of IoT standards is to provide interoperability and to instill confidence. To satisfy both, standards should be used when developing technical specifications for all products that also provide a framework for the security evaluation of complete systems.

Both are needed for a successful IoT, for reliable functionality, and for trust in IoT. Certification schemes are particularly needed because they in-crease consumer trust and open up new business opportunities.

Certification Is Evolving but More Work is Needed

Cybersecurity and privacy certifications require the formal evaluation of products, services, and processes against a defined set of criteria and standards by an independent and accredited body, and the issuing of a certificate indicating conformance.

There are already several cybersecurity and privacy certifications for IoT standards and frameworks but there is still a need for international harmonization. Only when that is achieved will the needed trust in IoT be won internationally on a broad scale. To be prepared, it helps to examine examples which point the way toward more holistic approaches for certification.

The Internet Society’s IoT Trust Framework

• Core requirements

The Internet Society’s IoT Trust Framework identifies the core requirements manufacturers, service providers, distributors and purchasers, and policy makers need to understand, assess, and embrace for effective security and privacy. It covers security, privacy, and long-term sustainability (life cycle) issues and it holistically addresses the ecosystem. This includes devices and sensors, mobile apps, and backend services. Most frameworks focus on just the devices but a system is only as strong as its weakest link, says the Internet Society.

The Internet Society is a global, cause-driven organization, governed by a diverse board of trustees, dedicated to ensuring that the Internet stays open, transparent, and defined by the users.

Visit www.internetsociety.org for more information.

The ETSI TS 103 645 Standard

•  Security Baseline

The ETSI Technical Committee on Cybersecurity released ETSI TS 103 645, a standard for cybersecurity in IoT, to establish a security baseline for Internet-connected consumer products and to provide a basis for future IoT certification schemes. As more devices in the home are being hooked up to the Internet, cybersecurity is becoming a growing concern. People entrust their personal data to an increasing number of connected devices and online services. In addition, everyday products and appliances are now coming online and need to be designed to withstand cyber threats. Poorly secured products threaten consumer privacy and some devices are exploited to launch large-scale DDoS cyberattacks. ETSI’s new specification addresses this issue and specifies high-level provisions for the security of Internet-connected consumer devices and their associated services. IoT products in scope include connected children’s toys and baby monitors; connected safety-relevant products, such as smoke detectors and door locks; smart cameras; TVs and speakers; wearable health trackers; connected home automation and alarm systems; and connected appliances, including washing machines and fridges.

Visit www.etsi.org for more information.

GSMA IoT Security Guidelines

•  Flexible Framework

The GSMA IoT Security Assessment provides a flexible framework that addresses the diversity of the IoT market, enabling companies to build secure IoT devices and solutions. The requirements are laid out in the organization’s IoT Security Guidelines, a comprehensive set of best practices which promote the secure end-to-end design, development, and deployment of IoT solutions.Building on the expertise of the mobile industry, the security assessment scheme ensures “security by design” and enables companies to identify and mitigate any potential security gaps in their services, allowing the market to scale to its full potential, according to the GSMA.

A number of security labs are offering the IoT Security Assessment as a personal service, providing IoT security capability to a wide range of companies that require unbiased third-party certification. These services can also help companies without the necessary resources or expertise to complete an assessment and test their IoT solutions to ensure end-to-end security.

• GSMA represents the interests of mobile operators worldwide, uniting more than 750 operators with almost 400 companies in the broader mobile ecosystem.

Visit www.gsma.com for more information.

IoT Security Framework from the IoT Security Foundation

• Testing Guide

As a member of the IoT Security Foundation, Dutch consultancy Secura offers an assessment of IoT products’ security compliance. Secura bases its evaluations on the internationally recognized framework from the IOT Security Foundation but, as an active standards-development member of other recognized cyber-security organizations, it complements this with other schemas. These include the Internet Society’s Online Trust Alliance’s IoT Frame work, the GSMA IoT Guidelines and Assessment, and the OWASP Foundation IoT Project Testing Guide. After each evaluation, Secura collates the results into an Assurance Report, which complies with internationally recognized assurance standards, such as ISAE 3000.

• Secura is an independent, specialized advisor, providing security advice, testing, training, and certification services.

Visit www.iotsecurityfoundation.org for more information.

CTIA IoT Cybersecurity Certification Test Plan

• Levels of Sophistication

CTIA manages a cybersecurity certification program for IoT devices, establishing an industry baseline for device security on wireless networks. The IoT Cybersecurity Certification Test Plan supports a variety of implementations and levels of device sophistication.

The program is designed to improve security for connected devices. It helps to protect consumers and wireless infrastructure while creating a more secure foundation for smart cities, connected cars, mobile health (mHealth), and other IoT applications, in addition to encouraging growth in the IoT marketplace. The creation of an IoT security baseline also addresses a growing global concern over potential cybersecurity issues and policy implications related to IoT. While the certification covers a wide range of require-ments, CTIA’s clients can also receive assistance with additional specifications and tests to satisfy their specific security requirements.

• CTIA is a trade association representing the US wireless communications industry.

Visit www.ctia.org for more information.

BSI Assurance Service for IoT Connected Devices

• Comprehensive Assurance

The British Standards Institution (BSI) provides a comprehensive assurance service for IoT connected devices. It applies some of the latest best practices, including the ETSI (European Telecommunications Standards Institute) technical specification for consumer IoT security, ETSI TS 103 645. This builds on the UK government’s Code of Practice for IoT Security and the Future, which addresses the cybersecurity of consumer IoT devices.

• BSI is a global service provider for standards develop-ment, training, auditing, and certification.

Visit www.bsigroup.com for more information.

TÜV Rheinland Protected Privacy Certification

• Network Evaluation

TÜV Rheinland has developed its Protected Privacy certification in-house. The data protection and information security test program focuses on hardware and firmware, and how they communicate with the outside world.

The set of audits examine both important formal data protection and the implementation of technical and organizational measures to protect personal data. This includes, for example, evaluation of the network architecture, the service, and access management.

On passing the tests, product owners receive a certificate which can be shown to customers to demonstrate that the service satisfies the requirements of TÜV Rheinland and provides protection for the customers’ personal data.

• TÜV Rheinland AG is an international, inde-pendent testing service provider based in Cologne, Germany.

Visit www.tuv.com for more information.

Eurosmart IoT Certification Scheme

• Security by Design

Eurosmart devised the first IoT certification scheme based on the requirements of the EU Cybersecurity Act. Eurosmart describes the scheme as follows: “The scope of the Eurosmart IoT Security Certification Scheme (Eurosmart, 2019) is the ‘IoT device’ with a focus on the substantial security assurance level as defined by the Cybersecurity Act”.

The certification aims to minimize the risks of successful attacks that commonly take advantage of poor design in IoT devices. which can have severe consequences. It is vital that IoT devices have security designed in and verified from the outset. Low-end IoT devices, in particular, may have security features constrained by cost, processing power, size, or power source. Eurosmart’s certification scheme considers the trade-off between such constraints, the risks, and the cost of certification.

• Eurosmart is a digital security trade association which advocates a strong and comprehensive approach to strengthen cyber resilience. Eurosmart funded the first European ethical hacking group on hardware devices.

Visit www.eurosmart.com for more information.

TÜV Trust IT Test Catalog for Evaluation of IoT Devices

• Independent Evaluation

TÜV Trust IT and the German Research Center for Artificial Intelligence have developed a test catalog that allows for an independent and objective evaluation of IoT devices. After passing the assessment and certification process, the product owner can use the test and quality seal: TÜV Trust IT: Trusted IoT Device.

• TÜV Trust IT, part of TÜV Austria Group, is dedicated to the identification and assessment of IT risks, and certification.

Visit www.it-tuv.com for more information.

READ MORE ARTICLES