The consumer Internet of Things (IoT) is a global, borderless phenomenon, and everyone expects their IoT devices to work safely, no matter where they live or where their devices are deployed. Unfortunately, harmonization of cybersecurity standards has been difficult to achieve.
Network-connected devices have been around for years, but many of them still lack basic security best practices. For example, many device makers have no Vulnerability Disclosure Policy, the published framework that establishes how researchers and users can report any discovered security weaknesses and vulnerabilities to the vendor.
Policymakers around the world are beginning to recognize the importance of cybersecurity in consumer IoT, and many initiatives are underway to encourage the adoption of security best practices. At present, there are roughly two dozen regulatory organizations, representing more than 40 countries, that are developing IoT cybersecurity regulations or seeking certification to cybersecurity schemes for IoT products in their regions. These are all important initiatives, but they are not harmonized with one another.
Several organizations, including the European Telecommunications Standards Institute (ETSI), the National Institute of Standards and Technology (NIST) in the US, and the International Organization for Standardization / International Electrotechnical Commission (ISO/IEC) are taking the lead, but, despite their best efforts, there are still significant variations in standards for IoT cybersecurity.
This has created a fragmented picture globally, with different regions taking different approaches. The lack of unification makes it hard for manufacturers to identify best practices and pursue certifications, and it leaves end users unable to tell whether the products they are considering will be adequately protected.
Eliminating fragmentation in IoT cybersecurity would help manufacturers develop products faster and more cost-effectively, and would make it easier for end users to buy and install the features they want. For a manufacturer, addressing multiple independent conformance assessments carries costs in several forms. One is resource allocation: engineering resources are limited, and every hour spent on a redundant assessment is an hour not spent developing or supporting the product. Another is the fee for the assessment and conformance exercise itself, which can be small in some cases but runs to thousands of dollars in others. Having to repeat this even once is onerous; repeating it across dozens of conformance schemes worldwide becomes a very expensive ambition.
The Connectivity Standards Alliance (CSA), an industry association dedicated to making the IoT more accessible, secure and usable, aims to use harmonization to eliminate cybersecurity fragmentation. The CSA creates and promotes universal open standards that enable products to securely connect and interact. Building on the momentum created by Matter, the CSA's interoperability standard for the smart home, the CSA established a Product Security Working Group (PSWG) to build a common certification platform that consolidates the different security conformance requirements for consumer products.
The PSWG has been working with one simple idea in mind: we don't need "another" cybersecurity standard. What we need is to consolidate the most important requirements from global policies and standards for consumer IoT devices, so that IoT device vendors can perform the security assessment of their products once and use it as evidence of conformance to multiple programs worldwide. In parallel, the program issues a Verified Mark that consumers can recognize on products that follow security best practices, as verified during the security assessment carried out by the Alliance.
Nearly 200 CSA member companies have collaborated, pooling related technologies, expertise and innovations to create the recently announced “IoT Device Security Specification.”
NXP has been an active contributor to the definition of the Version 1.0 specification and the accompanying certification program, the Product Security Verified Mark. NXP has committed multiple people to leadership roles within the Alliance: on the board of directors, chairing the product security regulatory, technical and certification subgroups, and as a member of the product security steering committee. All of this is to contribute, in partnership with members of the entire value chain, to addressing this important issue in the industry. The Verified Mark is a big step toward the successful adoption of cybersecurity standards for the IoT, and we're excited to have been part of its creation.
Release v1.0 of the CSA's IoT Device Security Specification was announced at the Alliance Member Meeting in Singapore on March 18, 2024. The specification reflects several widely adopted international standards that cover baseline requirements for cybersecurity in the consumer IoT, including ETSI EN 303 645, NIST IR 8425, which will be the basis for the US Cyber Trust Mark, and the Singapore Cybersecurity Labelling Scheme (CLS), one of the most mature labeling programs for consumer IoT security.
As the adoption of policies for consumer IoT security continues to grow, with programs like the announced US Cyber Trust Mark and the forthcoming EU Cyber Resilience Act (CRA), the certification harmonization work being done by the CSA PSWG becomes increasingly relevant. The first step toward this objective is the Mutual Recognition Arrangement on Cybersecurity Labels for Consumer IoT signed between the Connectivity Standards Alliance and the Cyber Security Agency of Singapore.
Encompassing a broad spectrum of smart-home devices, such as light bulbs, switches, thermostats, doorbell cameras and more, CSA's Product Security Certification Program establishes minimum requirements for IoT devices. By consolidating several international regulations into a single set of requirements, this Certification Program streamlines the process, helping manufacturers meet certification criteria from multiple countries or regions with a single evaluation. The CSA Product Security Verified Mark confirms that a product meets the specification’s security requirements.
The Verified Mark includes dozens of specific provisions for device security. IoT device manufacturers must comply with all the provisions, supplying justifications and evidence to an Authorized Test Laboratory with expertise in security evaluation and experience certifying products relative to the specification.
Here are some of the requirements that are part of Verified Mark certification:
During the pilot phase of the program, NXP's tri-radio wireless MCU RW612 (Wi-Fi® 6, Bluetooth® Low Energy 5.3, 802.15.4), NXP's multiprotocol wireless MCU K32W148, and the i.MX 93 application processor with its companion EdgeLock® SE051 Secure Element successfully fulfilled the requirements, so that smart consumer products built on them can be certified and display CSA's Verified Mark, while also providing the security capabilities needed to build secure and interoperable Matter products.
The wireless MCUs and application processor mentioned above all feature advanced security, in particular an embedded EdgeLock Secure Enclave and native support for NXP's EdgeLock 2GO key management services, bringing resilience in a continuously evolving cyber landscape.
While the CSA is committed to making the IoT easier to use, we at NXP are committed to making it easier to deploy and deliver IoT security. That's one of the reasons why, in 2020, we launched a company-wide program called EdgeLock Assurance, a holistic program covering the technical and nontechnical aspects of security and supporting CSA's Verified Mark.
In the not-too-distant future, consumers won't have to worry about whether their IoT devices work safely, no matter where they live or where their devices are deployed.
It’s a future that follows the principles of “secure by design,” where products are designed to be foundationally secure. And, by using both standardization and harmonization, we can ensure that the consumer IoT continues to securely address the needs of our increasingly digital society.
Denis is currently Director of Strategy and Marketing in the Secure Connected Edge business unit at NXP Semiconductors. In this role he is responsible for the security strategy across the entire NXP Edge Processing portfolio and for the go-to-market of NXP MCU products in Industrial. Denis has extensive expertise in the areas of connectivity, security and semiconductors, with more than 25 years of experience in global high-tech companies. Most recently, Denis served as Head of Product Marketing for Smart Product Authentication, driving the adoption of NFC, discrete secure elements and cloud security services in the IoT space. Prior to that, Denis held several business development, marketing, R&D and management positions at Thales, Philips and later NXP. He led multiple innovation and technology development projects in fields such as wireless LAN, ultra-low-power wireless body area networks (WBAN), in-vehicle networks, avionics transmissions, digital video broadcasting systems and secure RFID tags. Denis holds an M.S. degree in Electrical Engineering and an M.S. degree in Management from the University of Louvain-La-Neuve (UCL), Belgium.
Carlos is a specialist in IoT security and regulatory compliance. In his role as IoT Certification Expert at NXP, he engages with policymakers, regulators, and industry across verticals and regions, addressing trust enablement issues for compliance, risk management, and accountability purposes. He is a subject matter expert in security regulatory compliance, the development of schemes and standards, and their applicability in IoT markets. He is currently participating in the Connectivity Standards Alliance Product Security Working Group, co-chairing the Product Security Certification and Regulatory activities.