
Cybersecurity Certification in the Spotlight Again

Swiss technology non-profit group joins others, such as the Obama-era President's Commission, in recommending that certain classes of technology products be tested.

The case for certifying the cybersecurity of specific classes of devices is gaining momentum as cybersecurity professionals worry that the growing number of interdependencies between software, hardware, and online services puts consumers and workers at risk.

This week, a group of 14 cybersecurity experts at the Supply Chain Security working group of the Cybersecurity Commission of ICTswitzerland called for that country's government to work to establish a testing and certification authority for the nation. The group is not alone: In 2016, the Commission on Enhancing National Cybersecurity formed by the Obama Administration called for similar certification of consumer technology and the creation of a "nutrition label" to collect simple cybersecurity metrics. In addition, other testing initiatives—from NetSecOPEN to the Cyber ITL—are aiming to shed more light on a variety of classes of products. 

The Swiss cybersecurity group aims to test products, evaluate source code, and prevent the insertion of malicious code into critical devices and applications, says Stefan Frei, cybersecurity principal at Accenture and head of the supply chain security group at ICT Switzerland. 

"Looking at supply-chain security, [cybersecurity is] a huge problem—we deploy anything that is given us without thinking," he says. "If those devices are already compromised ... because we have more cyber-physical applications, the result of attacks on that infrastructure is physical harm." 

IoT's Influence

The latest call for cybersecurity certification of products comes as three technology trends are gaining steam. 

First, an increasing number of devices are becoming part of the Internet-of-things—embedded with a processor and connected to the Internet—expanding the attackable surface area of businesses and consumer households alike. There will be more than 25 billion connected devices in 2020, according to business intelligence firm Gartner.

Because more consumer appliances, such as TVs and refrigerators, and industrial devices such as machine controllers and environmental monitors are becoming "smart," untested technology is also becoming embedded in many devices with long lifespans or use-cycles. Non-critical personal electronics typically are replaced every few years. Smartphones, for example, have the shortest lifespan, being replaced every three years on average, while desktop computers last five or six years, according to survey data from small-business IT information firm Spiceworks. Household appliances typically last 10 years and cars last 15 to 17 years on average.

Finally, the deployment of such connected technology into devices that can have a physical impact means that cyber-physical attacks are now a reality. An online attacker's actions can have real-world consequences.

Because there has been little oversight of the technology incorporated into companies' infrastructure and consumer households, the ICTswitzerland report argues that it's likely that many organizations have already been compromised.

"In the absence of a reliable quality inspection of digital products, we have to assume that compromised components are already in use today," the group said. "Further compromised components will be added continuously, sometimes in critical functions."

The group of cybersecurity professionals called for a non-profit testing firm, funded by the companies whose products it tests, to review source code and configurations, to analyze and reverse engineer, and to conduct risk assessments. All testing would be open and the results published. 

The certification authority would work even if it could not test every product, Frei says.

"You don't need to test everything," he says. "The police do not need to have radar at every intersection to prevent speeding. You just need periodic checks."

'Nutrition Labels'

The idea for creating a testing and certification center is not new. The Obama Administration's Report on the President's Commission on Enhancing National Cybersecurity included, among its recommendations, the creation of testing and certification groups that could produce cybersecurity "nutrition labels" to allow consumers to compare technology services and products. 

The current "lack of information leaves most consumers unaware of the risks associated with using technology products and services, how these risks might easily be reduced, or how competing products’ security characteristics compare with each other," the report stated. "Making matters worse, security considerations increasingly may lead to safety concerns, as many Internet-enabled devices can affect the world physically."

While a broad certification system for electronic devices has not been created yet, a number of private organizations and businesses have arisen to test the cybersecurity capabilities of certain classes of—mostly security—products. 

AV-Test and AV-Comparatives both test anti-virus products, while groups such as ICSA Labs, UL Labs, and NSS Labs do independent testing of broader classes of products. Because such groups typically do not have open methodologies, various industries have also created their own groups to either inform testing or set industry-approved standards for testing.

The Cellular Telecommunications Industry Association (CTIA), for example, maintains the CTIA’s Cybersecurity Certification Program for wireless devices, and the Anti-Malware Testing Standards Organization (AMTSO) sets industry-approved standards for testing antivirus products.
