Do Standards Exist That Certify Secure IoT Systems?

The IoT industry remains fragmented with a lot of players, big and small, churning out a lot of products.

Loren Browman, Senior Security Consultant, Optiv

October 20, 2020


Question: Do standards or labels exist that certify secure Internet of Things (IoT) systems?

Loren Browman, senior security consultant, Optiv: No federally approved testing body currently exists to certify IoT device security in the way we have come to expect UL testing to certify products for safety issues.

The IoT industry remains fragmented with a lot of players, big and small, churning out a lot of products. While these products may be cool and innovative, many are produced without a security budget and are not held to any IoT-specific security standards. We have certainly seen IoT security awareness campaigns from organizations such as NIST and well-laid-out guidelines from associations such as the GSMA and now ISO, but guidelines and recommendations are not the same as certifications or regulated standards.

Product security is an increasingly important topic as the number of devices continues to grow rapidly and we become more reliant on these products and systems to provide access and control over sensitive infrastructure.

When investing in any connected device at an industrial or consumer level, the following can be signs that the manufacturer values security and has implemented best practices throughout the development of its products:

  • They engage in third-party product penetration tests.

  • They leverage existing Platform as a Service (PaaS) IoT solutions from reputable companies, such as Microsoft Azure and Amazon Web Services, which have detailed documentation and extensive security mechanisms.

  • They use secure hardware platforms with no known vulnerabilities.

  • They use updatable firmware in the event a security issue is discovered and needs to be patched.

  • They have transparent security policies and a straightforward disclosure process.


About the Author(s)

Loren Browman

Senior Security Consultant, Optiv

Loren Browman is a senior security consultant at Optiv. Browman has a demonstrated history of working in the computer and network security industry. He is skilled in device security, reverse engineering, vulnerability assessment, test harness fabrication, and printed circuit board (PCB) design.
