IoT
5/25/2016
01:10 PM

New Internet Of Things Security-Certification Program Launched

ICSA Labs now offers a security testing program for IoT products, following the recently announced 'CyberUL' security certification program.

Network-connected devices in the industrial and consumer world—aka The Internet of Things (IoT)—now have a second program for testing and certifying their security: ICSA Labs today rolled out its own program for IoT vendors and customers.

ICSA Labs’ new IoT Certification Testing program follows that of Underwriters Laboratories (UL), which in April announced its much-anticipated Cybersecurity Assurance Program (UL CAP), built on a newly created set of standards that IoT and critical infrastructure vendors can use to assess security vulnerabilities and weaknesses in their products. ICSA Labs, an independent division of Verizon, says its new program will test six components of IoT devices: alert/logging; cryptography; authentication; communications; physical security; and platform security.

UL’s program in its first phase tests for known vulnerabilities as well as authentication, access, encryption, and software updates, and plans to issue its first cybersecurity certifications in the third quarter. It tests connected cars, SIM cards and embedded SIMs, mobile devices and chipsets, smart home devices, wearables, and wireless devices.

George Japak, managing director for ICSA Labs, says his organization has been conducting third-party cybersecurity testing for 25 years, while UL’s new program represents a move from its traditional safety heritage to cybersecurity as well. "UL has been around for a very long time and they are well-respected, especially in the safety area. What they’re announcing is new for them ... In our case ... This is our 25th year of having [security] certification and testing programs around different technologies, which started with antivirus,” Japak says.

IoT and industrial products’ security woes are well-known and well-documented, with reams of research on connected car flaws, home automation devices, and plant-floor systems. Concerns over public safety in many consumer and industrial devices have raised alarm bells about the need to better secure these devices, many of which are built without security in mind at all. Verizon estimates 25.6 billion IoT devices will be in the world by 2018, up from 9.7 billion in 2014. By 2020, look for 30 billion connected devices to be in the market.

“[IoT] vendors have been slow to adopt security, so they need a little nudge,” ICSA Labs’ Japak says.

Japak notes that IoT products can be anything from a medical device to a video camera. “A device is a device is a device,” connected to the network, he says. “It’s got some sort of embedded or other operating system ... there is no lack of interfaces on these devices. What’s lacking is any desire to secure them. We have a Dead Sea scroll with all of the problems in mobile apps that we test,” for example, he notes. And sensors—the heart and soul of many of these devices—are notoriously all about functionality, not security, according to Japak.

Remember the Ecosystem

IoT security experts say the only way security certification programs will truly improve IoT security, however, is if they provide deep testing of the entire IoT ecosystem. That would encompass the cloud infrastructure used by the product, any mobile or Web apps as well as third-party products that integrate with it, for instance, notes Cesar Cerrudo, CTO of IOActive Labs and an IoT security researcher.

“The deeper the testing the certification goes, the better it would be,” he says. “If you test the IoT device [only], maybe it’s secure, but then when used in real life, [it’s] completely broken by the complex relations with the ecosystem.”

Ted Harrington, executive partner of Independent Security Evaluators, says certification programs for IoT have their pros and cons for sure. “On the one hand, a program like this will undoubtedly have a positive impact on the IoT industry ... Security is still not effectively built into many of these solutions,” he says. An IoT cert program could help an IoT vendor get started in security, he says.

But the tradeoff of such a program is that just because a product earns a certification doesn’t guarantee it’s truly secure, Harrington says. “Where a certification program is very dangerous, is for organizations that would perceive the program as a complete blessing for the security of a product,” he says. “Certification programs must be adaptable in order to work for a wide range of organizations, yet all organizations have unique needs, use cases, and threat models.”

So even an IoT product that earns a certification is likely to still have security gaps, he says. “Target was PCI-compliant, yet Target suffered a security breach. That’s a great case study that compliance doesn’t mean your system is completely resilient. That’s the risk of certification programs.”

Another issue is vendors potentially misusing certifications for marketing purposes. “Some certs end up just being something that companies pay for ... to have a seal to show to customers, but it doesn’t add much real value in terms of security,” IOActive’s Cerrudo says.

ICSA Labs charges a flat fee for an annual contract for its certification testing program. The fee can run from “a few thousand” to more than $100,000, Japak says. Its testbed to date has evaluated everything from DVRs and video cameras to home security devices.

An ICSA Labs certification means that the product underwent a testing program and any vulnerabilities or security weaknesses were fixed; like UL’s, testing occurs on an ongoing basis to catch any new flaws.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
