Huge growth in connected devices, the Internet of Things, and home automation is revolutionising our day-to-day lives. The positive impact on work, entertainment, convenience, and communications is substantial, but this also introduces concerns regarding security and privacy.
When deciding which connected devices to purchase, consumers and business buyers need clear information on the levels of security and privacy built into the device, provided by the device manufacturer. The Secure Connected Device Assurance Scheme from Resillion offers a way for device manufacturers to demonstrate their commitment to security and give confidence to their customers.
The scheme identifies devices that have undergone a thorough security assessment and testing process, giving a security rating appropriate for the type of device and its usage context. The Secure Connected Device scheme is applicable to all connected devices, from consumer wearables to industrial IoT and critical infrastructure.
The Secure Connected Device Assurance Scheme offers a way for device manufacturers to demonstrate their commitment to security and give confidence to end users. It is based on a combination of recognised industry benchmarks for connected devices, highlighting key strengths and areas of improvement for your device.
How does it work?
As a manufacturer, work with Resillion to ensure your Secure Connected Device is in line with industry best practice.
After a pre-assessment of the device and how it will be used, we will agree a testing programme to match your target security level (we have four distinct levels), based on our own comprehensive set of technical and non-technical requirements.
Our requirements are all specified with reference to the following industry-wide standards and best-practice guidelines. A detailed mapping between our requirements and these standards is available on request. If you need to test against a specific standard, then we tailor the scope to cover that.
• ETSI 303 645 v2.1
• UL 2900-1
• OWASP IoT Top 10
• ENISA Baseline Security Recommendations for IoT
• The General Data Protection Regulation (GDPR)
• NISTIR 8259A
We will ask you to provide samples of the device for testing as well as other information including how your organisation handles updates to device firmware and discovery of vulnerabilities. Our device experts will use a range of tools and techniques to find security vulnerabilities in the device and, if necessary, advise you on mitigation actions to eliminate those vulnerabilities. We will also review your supporting processes if relevant.
We continually monitor developments in the cyber security world and regularly update the assurance scheme to address and include new and updated standards, and emerging threats. As with all security assessments, you should test your device annually to keep it in line with the latest industry changes. If you have a range of similar devices, we won’t necessarily need to test all variants separately.
Let us know about any derivative models and, providing they are closely related to the original model we are testing and equally conformant to the scheme, they can be assured without another engagement.
Which level of assurance is right for me?
We offer four levels of assurance: Bronze, Silver, Gold and Platinum.
Bronze
- Tested to be conformant with most laws and regulations setting minimum security levels in different regions around the globe
- Any major exploitable high/critical risk issues will have been discovered and fixed
- Most appropriate for inexpensive consumer devices
Silver
- Tested to be conformant with all mandatory standard entries of the ETSI 303 645 standard
- The device takes mitigating actions to prevent vulnerabilities in the OWASP IoT Top 10 categories and is conformant with most ENISA standard entries
- GDPR compliant
- Suitable for high-end consumer goods from device vendors that really want to show they are in control of security
Gold
- Tested to be conformant with almost every standard entry in recognised frameworks
- The device does not just follow best practices and correct configurations, but also properly sets up defence-in-depth measures, is resilient to physical attacks, and goes the extra mile to achieve a strong security level
- Designed for vendors who are very concerned about reputation loss or for whom security is an essential part of the product’s business case
Platinum
- Tested to be conformant with every standard entry in all used frameworks
- Any attack surface has been thoroughly tested by trained and skilled penetration testers
- This level is designed for devices that have hardware-level security mechanisms that allow for confidential computing and prevent any type of access, even with direct hardware access
Why work with Resillion?
Users can be confident that the security of a device has been verified through a rigorous testing process conducted by an independent, trusted third party.
Independent assurance is a visible indication of conformance, making it easy to demonstrate secure and safe performance of the device.
Our detailed report and independent trusted assurance scheme can be used to prove that a device meets regulatory requirements – important as more and more legislation is passed.