Dark Reading is part of the Informa Tech Division of Informa PLC



03:15 PM
Loren Browman

Do Standards Exist That Certify Secure IoT Systems?

The IoT industry remains fragmented with a lot of players, big and small, churning out a lot of products.

(Image: Buffaloboy via Adobe Stock)

Question: Do standards or labels exist that certify secure Internet of Things (IoT) systems?

Loren Browman, senior security consultant, Optiv: No federally approved testing body currently exists to certify IoT device security in the way we have come to expect UL testing to certify products for safety issues.

The IoT industry remains fragmented with a lot of players, big and small, churning out a lot of products. While these products may be cool and innovative, many are produced without a security budget and are not held to any IoT-specific security standards. We have certainly seen IoT security awareness campaigns from organizations such as NIST and well-laid-out guidelines from associations such as the GSMA and now ISO, but guidelines and recommendations are not the same as certifications or regulated standards.

Product security is an increasingly important topic as the number of devices continues to grow rapidly and we become more reliant on these products and systems to provide access and control over sensitive infrastructure.

When investing in any connected device at an industrial or consumer level, the following can be signs that the manufacturer values security and has implemented best practices throughout the development of its products:

  • They engage in third-party product penetration tests.
  • They leverage existing Platform as a Service (PaaS) IoT solutions from reputable companies, such as Microsoft Azure and Amazon Web Services, which have detailed documentation and extensive security mechanisms.
  • They use secure hardware platforms with no known vulnerabilities.
  • They use updatable firmware in the event a security issue is discovered and needs to be patched.
  • They have transparent security policies and a straightforward disclosure process.


Loren Browman is a senior security consultant at Optiv. Browman has a demonstrated history of working in the computer and network security industry. He is skilled in device security, reverse engineering, vulnerability assessment, test harness fabrication, and printed circuit ...

User Rank: Ninja
1/14/2021 | 12:23:09 PM
There are a few
Government - ATC Resources (army.mil), US Aberdeen testing grounds; they test and certify systems used by the military.

Private sector - List of AV Testing Labs - AV-Comparatives (av-comparatives.org). NSS Labs is one that I am mostly familiar with; they give companies the ability to test their wares. NSS does not provide the ability to certify; SE Labs provides the ability to test and certify. NSS Labs will provide the certification capability; you just have to provide them with the metrics and requirements of what is considered a valid test.
