Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
9/27/2019
01:19 PM
50%
50%

Cybersecurity Certification in the Spotlight Again

Swiss technology non-profit group joins others, such as the Obama-era President's Commission, in recommending that certain classes of technology products be tested.

The case for certifying the cybersecurity of specific classes of devices is gaining momentum as cybersecurity professionals worry that the growing number of interdependencies between software, hardware, and online services, puts consumers and workers at risk.

This week, a group of 14 cybersecurity experts at the Supply Chain Security working group of the Cybersecurity Commission of ICTswitzerland called for that country's government to work to establish a testing and certification authority for the nation. The group is not alone: In 2016, the Commission on Enhancing National Cybersecurity formed by the Obama Administration called for similar certification of consumer technology and the creation of a "nutrition label" to collect simple cybersecurity metrics. In addition, other testing initiatives—from NetSecOPEN to the Cyber ITL—are aiming to shed more light on a variety of classes of products. 

The Swiss cybersecurity group aims to test products, evaluate source code, and prevent the insertion of malicious code into critical devices and applications, says Stefan Frei, cybersecurity principal at Accenture and head of the supply chain security group at ICT Switzerland. 

"Looking at supply-chain security, [cybersecurity is] a huge problem—we deploy anything that is given us without thinking," he says. "If those devices are already compromised ... because we have more cyber-physical applications, the result of attacks on that infrastructure is physical harm." 

IoT's Influence

The latest call for cybersecurity certification of products comes as three technology trends are gaining steam. 

First, an increasing number of devices are becoming part of the Internet-of-things—embedded with a processor and connected to the Internet—expanding the attackable surface area of businesses and consumer households alike. There will be more than 25 billion connected devices in 2020, according to business intelligence firm Gartner.

Because more consumer appliances, such as TVs and refrigerators, and industrial devices such as machine controllers and environmental monitors are becoming "smart," untested technology is also becoming embedded in many devices with long lifespans or use-cycles. Non-critical personal electronics typically are replaced every few years. Smartphones, for example, have the shortest lifespan, being replaced every three years on average, while desktop computers last five or six years, according to survey data from small-business IT information firm Spiceworks. Household appliances typically last 10 years and cars last 15 to 17 years on average.

Finally, the deployment of such connected technology into devices that can have a physical impact means that cyber-physical attacks are now a reality. An online attacker's actions can have real-world consequences.

Because there has been little oversight of the technology incorporated into companies' infrastructure and consumer households, the ICTswitzerland report argues that its likely that many organizations have already been compromised.  

"In the absence of a reliable quality inspection of digital products, we have to assume that compromised components are already in use today," the group said. "Further compromised components will be added continuously, sometimes in critical functions."

The group of cybersecurity professionals called for a non-profit testing firm, funded by the companies whose products it tests, to review source code and configurations, to analyze and reverse engineer, and to conduct risk assessments. All testing would be open and the results published. 

The certification authority would work even if it could not test every product, Frei says.

"You don't need to test everything," he says. "The police do not need to have radar at every intersection to prevent speeding. You just need periodic checks."

'Nutrition Labels'

The idea for creating a testing and certification center is not new. The Obama Administration's Report on the President's Commission on Enhancing National Cybersecurity included, among its recommendations, the creation of testing and certification groups that could produce cybersecurity "nutrition labels" to allow consumers to compare technology services and products. 

The current "lack of information leaves most consumers unaware of the risks associated with using technology products and services, how these risks might easily be reduced, or how competing products’ security characteristics compare with each other," the report stated. "Making matters worse, security considerations increasingly may lead to safety concerns, as many Internet-enabled devices can affect the world physically."

While a broad certification system for electronic devices has not been created yet, a number of private organizations and businesses have arisen to test the cybersecurity capabilities of certain classes of—mostly security—products. 

AV-Test and AV-Comparatives both test anti-virus products, while groups such as the ICSA Labs, UL Labs, and NSS Labs both do independent testing of broader classes of products. Because such groups typically may not have open methodologies, various industries have also created their own groups to either inform testing or set industry-approved standards for testing.

The Cellular Telecommunications Industry Association (CTIA), for example, maintains the CTIA’s Cybersecurity Certification Program for wireless devices, and the Anti-Malware Testing Standards Organization (AMTSO) sets industry-approved standards for testing antivirus products.

Related Content

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "The Beginner's Guide to Denial-of-Service Attacks: A Breakdown of Shutdowns"

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Priyaraj
50%
50%
Priyaraj,
User Rank: Apprentice
10/24/2019 | 6:36:19 AM
How to gain knowledge
 

Very informative

<a href="https://www.kaashivinfotech.com/iot-internship/"> iot internships </a>
<a href="https://www.kaashivinfotech.com/inplant-training-in-chennai-for-it/"> inplant training in chennai </a>
<a href="https://www.kaashivinfotech.com/internship-for-automobile-engineering-students/"> internship for automobile engineering students </a>
<a href="https://www.kaashivinfotech.com/internship-for-mca-students/"> internship for mca students in chennai </a>
<a href="https://www.kaashivinfotech.com/internship-for-eee-students/">internship for eee students </a>
<a href="https://www.kaashivinfotech.com/internship-for-aeronautical-engineering-students/"> internship for aeronautical engineering students </a>
<a href="https://www.kaashivinfotech.com/inplant-training-report-for-civil-engineering-students/"> inplant training report for civil engineering </a>
<a href="https://www.kaashivinfotech.com/internship-with-stipend-for-ece-in-chennai/"> internship for ece students in chennai with stipend </a>
<a href="https://www.kaashivinfotech.com/tag/summer-training-for-ece-students-after-second-year/"> summer training for ece students after second year </a>
<a href="https://www.kaashivinfotech.com/python-internship/"> python internship </a>
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5118
PUBLISHED: 2019-11-18
A Security Bypass Vulnerability exists in TBOOT before 1.8.2 in the boot loader module when measuring commandline parameters.
CVE-2019-12422
PUBLISHED: 2019-11-18
Apache Shiro before 1.4.2, when using the default &quot;remember me&quot; configuration, cookies could be susceptible to a padding attack.
CVE-2012-4441
PUBLISHED: 2019-11-18
Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML in the CI game plugin.
CVE-2019-10764
PUBLISHED: 2019-11-18
In elliptic-php versions priot to 1.0.6, Timing attacks might be possible which can result in practical recovery of the long-term private key generated by the library under certain conditions. Leakage of a bit-length of the scalar during scalar multiplication is possible on an elliptic curve which m...
CVE-2019-19117
PUBLISHED: 2019-11-18
/usr/lib/lua/luci/controller/admin/autoupgrade.lua on PHICOMM K2(PSG1218) V22.5.9.163 devices allows remote authenticated users to execute any command via shell metacharacters in the cgi-bin/luci autoUpTime parameter.