The Connectivity Standards Alliance (CSA) Product Security Working Group has announced its new IoT (Internet of Things) Device Security Specification 1.0 alongside an accompanying certification program and Product Security Verified Mark.
The announcement follows the FCC’s approval of its own federal IoT cybersecurity program, labeled the U.S. Cyber Trust Mark, and arrives as cybersecurity concerns over consumer IoT devices continue to pervade both consumer and professional discourse amid international conflict and multiple high-profile cyberattacks involving consumer devices.
Rather than competing with the Cyber Mark, however, the Device Security Specification is meant to establish minimum security requirements for IoT devices by unifying the diverse requirements from similar international programs like the Cyber Mark.
The initiative consolidates several international regulations into a single set of requirements, which the CSA says is designed to help streamline the certification process by factoring in criteria from multiple countries and regions within a single evaluative process.
Nearly 200 member companies — including Amazon, Arm, Comcast, Google, Infineon Technologies AG, NXP Semiconductors, Schneider Electric, Signify (Philips Hue and WiZ), and Silicon Labs — have collaborated on the development and validation of the standard.
“As consumers embrace the convenience and value of IoT devices, the Alliance is dedicated to helping to create more comprehensive protection for consumers. This initiative aims to establish a robust baseline for all consumer IoT devices,” said Steve Hanna of Infineon Technologies AG and Chair of the Product Security Working Group Steering Committee.
“The Alliance’s Product Security Verified Mark and IoT Device Security Specification 1.0 will make it easier for manufacturers to address consumer IoT security requirements around the world.”
In tandem with this announcement, the Cybersecurity Agency of Singapore also announced a mutual recognition agreement with the Connectivity Standards Alliance as a way for device makers to satisfy the requirements laid out in the IoT Cybersecurity Labeling Scheme.
IoT Device Security Specification 1.0 Requirements
The Product Security Team states that to qualify for the IoT Device Security Specification, manufacturers must demonstrate compliance with the device security provisions outlined by the team. This entails supplying justifications and evidence to an Authorized Test Laboratory with expertise in security evaluation and experience certifying products relative to this specification.
These requirements are strictly related to the device’s physical network security, with a separate group within the CSA currently working on data privacy standards for IoT devices.
A few of the listed requirements include:
- A unique identity for each IoT Device
- No hardcoded default passwords, secure storage of sensitive data on the Device
- Secure communications of security-relevant information
- Secure software updates throughout the support period
- Secure development process, including vulnerability management
- Public documentation regarding security including the support period.
Products that meet these requirements will be awarded the Product Security Verified Mark, which the CSA states is designed to bolster consumer confidence when purchasing IoT products.
Additionally, a printed URL, hyperlink, QR code or a combination of these representations on the Product Security Verified Mark will give consumers access to more information about the device’s security features.