Connectivity Standards Alliance debuts IoT product security standard

This project sets out to create a comprehensive IoT cybersecurity standard and certification framework, offering manufacturers a consolidated approach to certify their devices. This initiative simplifies compliance with various international regulations and standards, streamlining the certification process.

“The unveiling of the IoT Device Security Specification 1.0, alongside its certification program and the Product Security Verified Mark, signals an important milestone in bolstering IoT security and building confidence with consumers,” said Tobin Richardson, Alliance President & CEO of the Connectivity Standards Alliance. “By bringing together diverse international regulations into a cohesive specification, the Product Security Certification Program streamlines the process, reduces redundancy, and provides manufacturers with a singular, respected avenue for certifying their devices globally.”

As consumer IoT devices become more prevalent, the need for enhanced security measures has become more critical, spurred by an increase in security breaches and the hijacking of devices. The Product Security Working Group addresses this issue by amalgamating the key requirements from the leading IoT Cybersecurity frameworks of the United States, Singapore, and Europe into a single, streamlined specification and certification program. This unified approach facilitates manufacturers' compliance efforts, bolstering confidence among consumers and regulatory bodies.

“As consumers embrace the convenience and value of IoT devices, the Alliance is dedicated to helping to create more comprehensive protection for consumers. This initiative aims to establish a robust baseline for all consumer IoT devices,” said Steve Hanna of Infineon Technologies AG and Chair of the Product Security Working Group Steering Committee. “The Alliance’s Product Security Verified Mark and IoT Device Security Specification 1.0 will make it easier for manufacturers to address consumer IoT security requirements around the world.”

IoT Device Security Specification 1.0 requirements

The IoT Device Security Specification encapsulates numerous detailed security mandates. Manufacturers are required to prove adherence to these mandates, providing detailed justifications and evidence to an Authorised Test Laboratory with a background in security assessments and a history of certifying products against this specification.

Key requirements include:

• Assigning a unique identity to each IoT Device
• Avoiding hardcoded default passwords
• Securely storing sensitive information on the device
• Ensuring the secure transmission of security-relevant data
• Providing secure software updates for the duration of support
• Implementing a secure development lifecycle, inclusive of vulnerability management
• Offering publicly accessible documentation on security measures, including details of the support period

Close to 200 member companies, such as Amazon, Arm, Comcast, Google, Infineon Technologies AG, NXP Semiconductors, Schneider Electric, Signify (Philips Hue and WiZ), and Silicon Labs, have collaborated to bring the IoT Device Security Specification 1.0, its certification program, and the Product Security Verified Mark to fruition. These organisations have combined their technologies, expertise, and innovations to fulfil the diverse needs of stakeholders, including consumers, manufacturers, and regulatory authorities.

The Product Security Certification Program and Verified Mark

The Product Security Certification Program covers a wide range of smart home devices, such as light bulbs, switches, thermostats, and doorbell cameras, setting baseline requirements for IoT devices. By merging multiple international regulations into a singular set of criteria, the Certification Program simplifies the certification process, enabling manufacturers to comply with the standards of various countries or regions through a single assessment.

The Product Security Verified Mark signifies that a product complies with the security standards of the specification, aiming to enhance consumer trust. Displayed on certified product packaging, in-store signage, and online platforms, this mark signifies a commitment to security, fostering consumer confidence. Additionally, it features a URL, hyperlink, QR code, or a mix of these elements, directing consumers to further information about the device's security attributes.

Looking forward

As technology evolves and new threats arise, the Product Security Working Group is dedicated to continually updating the IoT Security Device Specification and its certification program.