
IoT
9/27/2019
01:19 PM

Cybersecurity Certification in the Spotlight Again

Swiss technology non-profit group joins others, such as the Obama-era President's Commission, in recommending that certain classes of technology products be tested.

The case for certifying the cybersecurity of specific classes of devices is gaining momentum as cybersecurity professionals worry that the growing number of interdependencies between software, hardware, and online services puts consumers and workers at risk.

This week, a group of 14 cybersecurity experts at the Supply Chain Security working group of the Cybersecurity Commission of ICTswitzerland called for that country's government to work to establish a testing and certification authority for the nation. The group is not alone: In 2016, the Commission on Enhancing National Cybersecurity formed by the Obama Administration called for similar certification of consumer technology and the creation of a "nutrition label" to collect simple cybersecurity metrics. In addition, other testing initiatives—from NetSecOPEN to the Cyber ITL—are aiming to shed more light on a variety of classes of products. 

The Swiss cybersecurity group aims to test products, evaluate source code, and prevent the insertion of malicious code into critical devices and applications, says Stefan Frei, cybersecurity principal at Accenture and head of the supply chain security group at ICTswitzerland.

"Looking at supply-chain security, [cybersecurity is] a huge problem—we deploy anything that is given us without thinking," he says. "If those devices are already compromised ... because we have more cyber-physical applications, the result of attacks on that infrastructure is physical harm." 

IoT's Influence

The latest call for cybersecurity certification of products comes as three technology trends are gaining steam. 

First, an increasing number of devices are becoming part of the Internet-of-things—embedded with a processor and connected to the Internet—expanding the attackable surface area of businesses and consumer households alike. There will be more than 25 billion connected devices in 2020, according to business intelligence firm Gartner.

Second, because more consumer appliances, such as TVs and refrigerators, and more industrial devices, such as machine controllers and environmental monitors, are becoming "smart," untested technology is also being embedded in many devices with long lifespans or use-cycles. Non-critical personal electronics typically are replaced every few years. Smartphones, for example, have the shortest lifespan, being replaced every three years on average, while desktop computers last five or six years, according to survey data from small-business IT information firm Spiceworks. Household appliances typically last 10 years and cars last 15 to 17 years on average.

Finally, the deployment of such connected technology into devices that can have a physical impact means that cyber-physical attacks are now a reality. An online attacker's actions can have real-world consequences.

Because there has been little oversight of the technology incorporated into companies' infrastructure and consumer households, the ICTswitzerland report argues that it's likely that many organizations have already been compromised.

"In the absence of a reliable quality inspection of digital products, we have to assume that compromised components are already in use today," the group said. "Further compromised components will be added continuously, sometimes in critical functions."

The group of cybersecurity professionals called for a non-profit testing firm, funded by the companies whose products it tests, to review source code and configurations, to analyze and reverse engineer, and to conduct risk assessments. All testing would be open and the results published. 

The certification authority would work even if it could not test every product, Frei says.

"You don't need to test everything," he says. "The police do not need to have radar at every intersection to prevent speeding. You just need periodic checks."

'Nutrition Labels'

The idea for creating a testing and certification center is not new. The Obama Administration's Report on the President's Commission on Enhancing National Cybersecurity included, among its recommendations, the creation of testing and certification groups that could produce cybersecurity "nutrition labels" to allow consumers to compare technology services and products. 

The current "lack of information leaves most consumers unaware of the risks associated with using technology products and services, how these risks might easily be reduced, or how competing products’ security characteristics compare with each other," the report stated. "Making matters worse, security considerations increasingly may lead to safety concerns, as many Internet-enabled devices can affect the world physically."

While a broad certification system for electronic devices has not been created yet, a number of private organizations and businesses have arisen to test the cybersecurity capabilities of certain classes of—mostly security—products. 

AV-Test and AV-Comparatives both test anti-virus products, while groups such as ICSA Labs, UL Labs, and NSS Labs do independent testing of broader classes of products. Because such groups often do not publish open methodologies, various industries have also created their own groups to either inform testing or set industry-approved standards for testing.

The Cellular Telecommunications Industry Association (CTIA), for example, maintains the CTIA’s Cybersecurity Certification Program for wireless devices, and the Anti-Malware Testing Standards Organization (AMTSO) sets industry-approved standards for testing antivirus products.


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

Comments
Priyaraj
User Rank: Apprentice
10/24/2019 | 6:36:19 AM
How to gain knowledge

Very informative
