The case for certifying the cybersecurity of specific classes of devices is gaining momentum as cybersecurity professionals worry that the growing number of interdependencies between software, hardware, and online services puts consumers and workers at risk.
This week, a group of 14 cybersecurity experts at the Supply Chain Security working group of the Cybersecurity Commission of ICTswitzerland called for that country's government to work to establish a testing and certification authority for the nation. The group is not alone: In 2016, the Commission on Enhancing National Cybersecurity formed by the Obama Administration called for similar certification of consumer technology and the creation of a "nutrition label" to collect simple cybersecurity metrics. In addition, other testing initiatives—from NetSecOPEN to the Cyber ITL—are aiming to shed more light on a variety of classes of products.
The Swiss cybersecurity group aims to test products, evaluate source code, and prevent the insertion of malicious code into critical devices and applications, says Stefan Frei, cybersecurity principal at Accenture and head of the supply chain security group at ICTswitzerland.
"Looking at supply-chain security, [cybersecurity is] a huge problem—we deploy anything that is given us without thinking," he says. "If those devices are already compromised ... because we have more cyber-physical applications, the result of attacks on that infrastructure is physical harm."
The latest call for cybersecurity certification of products comes as three technology trends are gaining steam.
First, an increasing number of devices are becoming part of the Internet-of-things—embedded with a processor and connected to the Internet—expanding the attackable surface area of businesses and consumer households alike. There will be more than 25 billion connected devices in 2020, according to business intelligence firm Gartner.
Because more consumer appliances, such as TVs and refrigerators, and industrial devices such as machine controllers and environmental monitors are becoming "smart," untested technology is also becoming embedded in many devices with long lifespans or use-cycles. Non-critical personal electronics typically are replaced every few years. Smartphones, for example, have the shortest lifespan, being replaced every three years on average, while desktop computers last five or six years, according to survey data from small-business IT information firm Spiceworks. Household appliances typically last 10 years and cars last 15 to 17 years on average.
Finally, the deployment of such connected technology into devices that can have a physical impact means that cyber-physical attacks are now a reality. An online attacker's actions can have real-world consequences.
Because there has been little oversight of the technology incorporated into companies' infrastructure and consumer households, the ICTswitzerland report argues that it's likely that many organizations have already been compromised.
"In the absence of a reliable quality inspection of digital products, we have to assume that compromised components are already in use today," the group said. "Further compromised components will be added continuously, sometimes in critical functions."
The group of cybersecurity professionals called for a non-profit testing firm, funded by the companies whose products it tests, to review source code and configurations, to analyze and reverse engineer, and to conduct risk assessments. All testing would be open and the results published.
The certification authority would work even if it could not test every product, Frei says.
"You don't need to test everything," he says. "The police do not need to have radar at every intersection to prevent speeding. You just need periodic checks."
The idea for creating a testing and certification center is not new. The Obama Administration's Report on the President's Commission on Enhancing National Cybersecurity included, among its recommendations, the creation of testing and certification groups that could produce cybersecurity "nutrition labels" to allow consumers to compare technology services and products.
The current "lack of information leaves most consumers unaware of the risks associated with using technology products and services, how these risks might easily be reduced, or how competing products’ security characteristics compare with each other," the report stated. "Making matters worse, security considerations increasingly may lead to safety concerns, as many Internet-enabled devices can affect the world physically."
While a broad certification system for electronic devices has not been created yet, a number of private organizations and businesses have arisen to test the cybersecurity capabilities of certain classes of—mostly security—products.
AV-Test and AV-Comparatives both test anti-virus products, while groups such as ICSA Labs, UL Labs, and NSS Labs do independent testing of broader classes of products. Because such groups typically do not publish open methodologies, various industries have also created their own groups to either inform testing or set industry-approved standards for testing.
The Cellular Telecommunications Industry Association (CTIA), for example, maintains the CTIA’s Cybersecurity Certification Program for wireless devices, and the Anti-Malware Testing Standards Organization (AMTSO) sets industry-approved standards for testing antivirus products.