Following a successful pilot scheme that was supported by funding from the Department for Digital, Culture, Media and Sport, IASME have launched the Internet of Things (IoT) Security Assured scheme.
This new scheme is a vital tool for manufacturers to reassure customers that the device they have purchased has the most important security controls in place. When purchasing a connected product, customers can look for a badge to see if it has been certified.
“IASME has developed the IoT Security Assured certification scheme to provide an accessible, achievable and high-quality way for manufacturers to demonstrate the security of their internet-connected devices and to show they are compliant with best-practice security. When the IoT Security Assured scheme badge is displayed on a device it will reassure the end user that their device has the most important security features included.” Dr Emma Philpott MBE, CEO IASME.
The UK Government is planning to introduce some new legislation that addresses the security of consumer IoT devices. The new legislation will cover three main security features which are aligned with the top three requirements of the European Technical Standard for IoT Security.
Consumer IoT devices will not be allowed to have universal default passwords.
This rule will immediately make it harder for criminals to hack into connected devices.
Consumer IoT devices will have to have a vulnerability disclosure policy
This means that any faults that are discovered in the software (which could be used by a criminal to access the device) after the product is in use, can be addressed in an organised way.
Consumer IoT devices will need to disclose how long they will receive software updates for.
This means that software updates are created and released to maintain the security of the device throughout its declared lifespan.
The IoT Security Assured scheme is aligned with the ETSI technical standard for IoT security, EN 303 645, and with the proposed UK IoT security legislation and guidance. It is also mapped to the IoTSF Security Compliance Framework.
Within the IoT Security Assured scheme, there are three levels of security. The badge which will appear on certified products will show basic, silver or gold depending on the level the product is certified to.
The Basic level is aligned with proposed UK legislation and covers the top three requirements of the ETSI standard.
The Silver level is aligned with the ETSI mandatory requirements and data protection provisions.
The Gold level is aligned with the ETSI mandatory requirements as well as all the additional ETSI recommended requirements and data protection provisions.
The IoT Security Assured scheme works as a verified self-assessment where the manufacturer will answer a set of simple questions about the security controls in place on the connected device and any associated services. A company board member must sign a declaration to confirm that the answers are all true. Once completed, a trained assessor will review the answers and give feedback on any aspect that is not compliant. If the assessment shows that the device meets the security requirements, the organisation will be provided with a certificate and badge for the relevant level to be placed on product packaging to reassure purchasers that their device has that level of security.
The scheme has been designed specifically to be accessible to smaller organisations, micro-businesses and start-ups, as well as larger, more established manufacturers. It will also enable organisations to demonstrate their commitment to best practice security which includes verifying the security of connected devices in their supply chain.
IASME would like to encourage manufacturers to come and talk to them about getting certified. The first 25 applicants will be offered a discounted price.
For more information about the IoT Security Assured scheme and for advice about what to look for when buying an internet-enabled device or how to set up a device securely, please visit our website.