Demonstrating security due diligence
Connected devices can provide comfort and convenience and enhance the life of the user. However, more connectivity also increases the security risks to the user, to the wider network environment and to connected services. Smart consumer devices will increasingly be connected and introduced into home networks. Moreover, in order to operate optimally, connected devices require users to share personal data, which creates privacy risks. In an effort to mitigate the risks posed to consumer IoT devices, the burden has been placed upon manufacturers to equip consumer IoT devices with “reasonable” security measures.
Security of consumer IoT devices has also steadily gained attention from regulators. In 2020, California and Oregon will welcome the first legally binding regulations for consumer IoT. The California and Oregon Bills oblige manufacturers to equip consumer IoT devices with “reasonable security features.” Ultimately, manufacturers must perform security due diligence demonstrating the incorporation of reasonable security features in their product(s).
Determining which security measures count as “reasonable” for consumer IoT devices is a daunting task for manufacturers. The determination of reasonable security features has been facilitated by baseline-driven security frameworks such as NIST: Core Cybersecurity Feature Baseline for Securable IoT Devices; A Starting Point for IoT Device Manufacturers (NISTIR 8259), ETSI: Cyber Security for Consumer Internet of Things (ETSI TS 103 645) and CSDE: C2 Consensus on IoT Device Baseline Security (CSDE C2).
The UL IoT Security Rating is a solution for manufacturers that supports and assists them in meeting the threshold of reasonable security features. The IoT Security Rating is a streamlined, yet comprehensive security verification and labelling solution for consumer IoT products. Products are rated according to their implementation of baseline security capabilities in line with industry frameworks and best practices and are assigned a product security label. The label is awarded on an ascending scale of five levels: Bronze, Silver, Gold, Platinum and Diamond. Once the security capabilities of the product have been verified, it receives the corresponding security label specifying the security level achieved.
The IoT Security Rating helps manufacturers to assess and demonstrate their security capabilities and simultaneously prove their due diligence efforts. Labelling supports manufacturers in making product security more transparent and accessible to consumers and can provide a competitive advantage over other manufacturers. Additionally, it assists consumers in making conscious and informed purchasing decisions.
The IoT Security Rating is made up of seven security categories, aligned with frameworks and best practices which, taken together, currently indicate a broad emerging industry consensus on baseline security for consumer IoT devices. Examples include NISTIR 8259, ETSI TS 103 645 and CSDE C2. The seven security categories include requirements such as securing software updates, best practices for communications protocol security, and data protection.
The IoT Security Rating requirements correspond to a large degree with those of NISTIR 8259, ETSI TS 103 645 and CSDE C2, as can be seen in the table below. The IoT Security Rating adds further requirements which are considered essential to device security, such as extensive personal data protection requirements (with additional guidance for GDPR compliance) and the maintenance of a well-documented vulnerability management program. NISTIR 8259, ETSI TS 103 645 and CSDE C2 include further requirements of their own, such as the maintenance of an end-of-life or end-of-service policy, event logging and a policy for keeping consumers informed when a device is due for an update and why the update is necessary.
As consumer IoT security adoption is still in its infancy, there is no doubt that this is a dynamic and fast-evolving ecosystem which will see numerous developments and changes in the future. What is essential now is a shared and widely agreed-upon consensus on what constitutes the fundamental and reasonable security features to be implemented by manufacturers. UL has worked, and continues to work, closely together with industry leaders in developing and maintaining safe and secure consumer IoT for all.
Keep an eye out for our next blog post, which will contain a detailed discussion on each of the above-mentioned frameworks.
Want to learn more about UL’s IoT Security Rating? Speak with an expert today!