CSA establishes IoT device security specification

  • March 20, 2024
  • Steve Rogerson

The Connectivity Standards Alliance (CSA) has released its IoT Device Security Specification 1.0, with an accompanying certification programme and product security verified mark.

This initiative aims to establish a unified IoT cyber-security standard and certification programme, providing manufacturers with a one-stop way to certify their devices and enabling them to comply with multiple international regulations and standards more easily.

“The unveiling of the IoT Device Security Specification 1.0, alongside its certification programme and the product security verified mark, signals an important milestone in bolstering IoT security and building confidence with consumers,” said Tobin Richardson, CEO of the CSA (csa-iot.org). “By bringing together diverse international regulations into a cohesive specification, the product security certification programme streamlines the process, reduces redundancy and provides manufacturers with a singular, respected avenue for certifying their devices globally.”

With the increasing adoption of consumer IoT devices, there is a heightened emphasis on security due to a rise in incidents involving breaches and malicious device hijackings. The CSA’s product security working group aims to meet this challenge by consolidating requirements from the three most popular IoT cyber-security baselines, from the USA, Singapore and Europe, into a single specification and certification programme. This unifying effort helps manufacturers address these regulatory regimes’ requirements more easily and efficiently, with the aim of instilling confidence in consumers and regulators.

“As consumers embrace the convenience and value of IoT devices, the alliance is dedicated to helping to create more comprehensive protection for consumers,” said Steve Hanna of Infineon and chair of the product security working group steering committee. “This initiative aims to establish a robust baseline for all consumer IoT devices. The alliance’s product security verified mark and IoT Device Security Specification 1.0 will make it easier for manufacturers to address consumer IoT security requirements around the world.”

The specification includes dozens of specific device security provisions. IoT device manufacturers must demonstrate compliance with those provisions, supplying justifications and evidence to an authorised test laboratory with expertise in security evaluation and experience certifying products relative to this specification.

Highlights of the specific requirements include:

  • unique identity for each IoT device;
  • no hardcoded default passwords;
  • secure storage of sensitive data on the device;
  • secure communications of security-relevant information;
  • secure software updates throughout the support period;
  • secure development process, including vulnerability management; and
  • public documentation regarding security, including the support period.

Nearly 200 member companies have collaborated, pooling related technologies, expertise and innovations so that the IoT Device Security Specification 1.0, the accompanying certification programme and the product security verified mark meet the diverse needs of stakeholders, including consumers, device manufacturers and regulators. Together, these companies spearheaded the process by driving requirements and specification development and ultimately helping validate the final specification.

Encompassing a broad spectrum of smart home devices such as light bulbs, switches, thermostats and doorbell cameras, the product security certification programme establishes minimum requirements for IoT devices. By consolidating several international regulations into a single set of requirements, the certification programme streamlines the process, helping manufacturers meet certification criteria from multiple countries or regions with a single evaluation.

The product security verified mark is confirmation that a product meets the specification’s security requirements, with the goal of inspiring consumer confidence. When displayed prominently on certified product packaging, store signage and online platforms, this verified mark can build trust by serving as a marker for secure IoT devices.

The CSA and the Cyber Security Agency of Singapore (www.csa.gov.sg) have signed a mutual recognition arrangement (MRA), solidifying their dedication to recognising their respective cyber-security labels for consumer IoT devices.

This MRA is the outcome of collaborative discussions aimed at fostering global cooperation, advancing the harmonisation of standards, reducing duplicate testing procedures and costs for manufacturers, and improving security for consumer IoT across geographic boundaries.

The relationship should allow for ongoing collaboration to strengthen and enhance efforts and information exchange in areas broadly related to consumer IoT labelling, including regulations, requirements, conformity assessment procedures, standards and standardisation, and other practices.

“We have long admired Singapore’s proactive stance to improve IoT security for its citizens through their labelling programme, and we are honoured to have reached an agreement with them on the heels of our own programme launch,” said Richardson. “We look forward to continuing our collaboration with their Cyber Security Agency and expanding our programme’s global reach for the benefit of both manufacturers and consumers.”

Chua Kuan Seah, deputy chief executive at the Cyber Security Agency of Singapore, added: “Since the launch of our cyber-security labelling scheme in 2020, one of our key objectives has been to achieve global alignment for consumer IoT cyber security. The signing of this agreement brings us closer to that goal. Such harmonisation in cyber-security requirements and mutual recognition will provide greater incentives to manufacturers to incorporate cyber security-by-design and cyber security-by-default into their IoT devices.”