The growth of Connected Devices and the Internet of Things has brought with it an increased awareness of the importance of cyber security. Businesses and organisations have become used to protecting their IT infrastructure from malicious hackers, but connected devices are also vulnerable and present an equally viable platform from which to launch a wider cyber security attack. By their nature, these devices can be more difficult to protect, and in the consumer market there is a much lower awareness of the potential threats.

Attempts to address this fall broadly into three categories:

• Standards and Guidelines. Based on research and best practice, these define requirements and controls to ensure security, in physical devices and in development processes.
• Certification Schemes. These offer a way for manufacturers or suppliers of devices and products to demonstrate that their products meet a certain level of security, often with reference to one or more standards or sets of guidelines.
• Often the critical factor that persuades manufacturers to act, and get their products tested for security vulnerabilities. Legislation tends to mandate high level security measures but may identify certain Certification Schemes that can be used as evidence.

There is no shortage of standards and guidelines in this space. Most established standards bodies, and many commercial organisations, have released cyber security standards aimed at consumer IoT products over the last few years.

Relevant standards

Perhaps the most widely used and referenced of these is ETSI EN 303 645. First released in 2020, EN 303 645 is used as the baseline set of requirements in certification schemes globally. New standards in specific vertical applications, such as smart energy, often reference EN 303 645 to cover cyber security requirements. EN 303 645 regularly gets cited as a relevant standard in some legislation covering consumer IoT devices.

In the United States in 2020, the National Institute of Standards and Technology published NISTIR 8259A. Positioned as a ‘Cybersecurity Capability Core Baseline’ for IoT devices, and initially aimed at providing guidance for organisations developing, acquiring, or deploying IoT products, NISTIR 8259A has become widely referenced by in certification schemes and government-led cyber security work within the US, including consumer IoT.

Other standards covering connected devices include the Consumer Technology Association’s CTA-2088, the IoT Security Foundation’s IoT Security Assurance Framework, and the UL-2900 series from UL Solutions which also has specific coverage for medical devices.

Certification schemes

With a few exceptions, standards organisations have generally avoided offering certification schemes directly linked to their published standards. Instead, these schemes have generally come from the Test, Inspection and Certification (TIC) sector.

Resillion offers a Secure Connected Device assurance scheme, allowing IoT device manufacturers to get their products independently tested and certified against a range of standards, including those listed above. Similar schemes are available from other technology testing companies.

The IASME Foundation is active in the UK market, offering the IASME IoT Cyber Scheme alongside wider cyber security schemes such as Cyber Essentials and Cyber Essentials Plus.

Another industry body developing a certification scheme is the Connectivity Standards Alliance (CSA), the organisation behind Zigbee and the more recent Matter standards for device connectivity. With CSA members including many of the largest manufacturers of smart home equipment and connected devices such as Apple, Google and Amazon, the CSA scheme has the potential to be widely adopted, especially by manufacturers within the CSA and Matter ecosystem.

Certification success

The most successful labelling or certification schemes are always those that are backed by legislation or government incentives, or which can be used as evidence of conformance with regulatory requirements. Surprisingly, considering the potential risks posed, such government intervention has been a long time coming and is still relatively uncommon.

Among the leading administrations to introduce legislation were Singapore, with the Cybersecurity Labelling Scheme (CLS), and the states of Oregon and California, all in 2020. The Singapore CLS references the ETSI EN 303 645 standard and has different assurance levels which start with manufacturer self-declaration and go on to levels that require independent testing. In the absence of specific certification, legislation such as that in Oregon and California tends to specify certain basic requirements like no common default passwords, a means of reporting discovered vulnerabilities, and a process for updating firmware to address them.

In Europe, the Cyber Resilience Act will drive legislation in member states, eventually requiring that IoT devices meet certain cyber security requirements before they can be sold in European markets. For wireless devices, the EU Radio Equipment Directive (RED) has specific requirements around cyber security which will come into force in mid-2025 (postponed from 2024).

More recently, in 2023, the US Government via the FCC has announced the development of a ‘US Cyber Trust Mark’. This will be a voluntary labelling scheme for consumer IoT devices and aims to give consumers informed choice when purchasing connected devices, and confidence that their devices and personal information will be secure.

In the United Kingdom, the Product Security and Telecommunications Infrastructure Act 2022 (PSTI) was an important piece of legislation. This Act aims to protect buyers and users of IoT products, by giving the Secretary of State the power to require by law that such products meet certain cyber security requirements.

The definition of ‘connectable product’ in the PSTI Act is quite broad: more or less any digital product that can connect to the internet or to a network. The Act places obligations on manufacturers, but also on importers, distributors and retailers of relevant products to ensure that anything intended for sale in the UK market meets the requirements. Therefore any business in this supply chain needs to take steps to ensure that what they are selling is compliant, or risk some potentially substantial penalties.

What will we see in the future?

It’s likely that international standards organisations will eventually develop harmonised standards against which manufacturers will be able to certify, as evidence of meeting regulatory requirements. This is the likely path in Europe for the RED, with CEN-CENELEC (the European Committee for Standardization, and the European Electrotechnical Committee for Standardization) already charged with developing such a standard.

In the short to medium term however, the best way for a manufacturer to demonstrate their IoT products are secure is to leverage one of the existing commercially available schemes such as the IASME IoT Cyber Scheme or Resillion’s Secure Connected Device assurance. Even without any legislative or regulatory mandates, the business and reputational risks from a major cybersecurity incident traced to a manufacturer’s product make a compelling case for investing in security assessment and certification before each product release.