Network-connected devices in the industrial and consumer world—aka The Internet of Things (IoT)—now have a second program for testing and certifying their security: ICSA Labs today rolled out its own program for IoT vendors and customers.
ICSA Labs’ new IoT Certification Testing program comes on the heels of that of Underwriters Laboratories, which in April announced its much-anticipated Cybersecurity Assurance Program (UL CAP). UL CAP uses a newly created set of standards that IoT and critical infrastructure vendors can use to assess security vulnerabilities and weaknesses in their products. ICSA Labs, an independent division of Verizon, says its new program will test six components of IoT devices: alert/logging; cryptography; authentication; communications; physical security; and platform security.
UL’s program in its first phase tests for known vulnerabilities as well as authentication, access, encryption, and software updates, and plans to issue its first cybersecurity certifications in the third quarter. It tests connected cars, SIM cards and embedded SIMs, mobile devices and chipsets, smart home devices, wearables, and wireless devices.
George Japak, managing director for ICSA Labs, says his organization has been conducting third-party cybersecurity testing for 25 years, while UL’s new program represents a move from its traditional safety heritage to cybersecurity as well. "UL has been around for a very long time and they are well-respected, especially in the safety area. What they’re announcing is new for them ... In our case ... This is our 25th year of having [security] certification and testing programs around different technologies, which started with antivirus,” Japak says.
IoT and industrial products’ security woes are well-known and well-documented, with reams of research on connected car flaws, home automation devices, and plant-floor systems. Concerns over public safety in many consumer and industrial devices have raised alarm bells about better securing these devices, many of which are built without security in mind at all. Verizon estimates 25.6 billion IoT devices will be in the world by 2018, up from 9.7 billion in 2014. By 2020, look for 30 billion connected devices to be in the market.
“[IoT] vendors have been slow to adopt security, so they need a little nudge,” ICSA Labs’ Japak says.
Japak notes that IoT products can be anything from a medical device to a video camera. “A device is a device is a device,” connected to the network, he says. “It’s got some sort of embedded or other operating system ... there is no lack of interfaces on these devices. What’s lacking is any desire to secure them. We have a Dead Sea scroll with all of the problems in mobile apps that we test,” for example, he notes. And sensors—the heart and soul of many of these devices—are notoriously all about functionality, not security, according to Japak.
Remember the Ecosystem
IoT security experts say the only way security certification programs will truly improve IoT security, however, is if they provide deep testing of the entire IoT ecosystem. That would encompass the cloud infrastructure used by the product, any mobile or Web apps as well as third-party products that integrate with it, for instance, notes Cesar Cerrudo, CTO of IOActive Labs and an IoT security researcher.
“The deeper the testing the certification goes, the better it would be,” he says. “If you test the IoT device [only], maybe it’s secure, but then when used in real life, [it’s] completely broken by the complex relations with the ecosystem.”
Ted Harrington, executive partner of Independent Security Evaluators, says certification programs for IoT have their pros and cons for sure. “On the one hand, a program like this will undoubtedly have a positive impact on the IoT industry ... Security is still not effectively built into many of these solutions,” he says. An IoT cert program could help an IoT vendor get started in security, he says.
But the tradeoff of such a program is that just because a product earns a certification doesn’t guarantee it’s truly secure, Harrington says. “Where a certification program is very dangerous, is for organizations that would perceive the program as a complete blessing for the security of a product,” he says. “Certification programs must be adaptable in order to work for a wide range of organizations, yet all organizations have unique needs, use cases, and threat models.”
So even an IoT product that earns a certification is likely to still have security gaps, he says. “Target was PCI-compliant, yet Target suffered a security breach. That’s a great case study that compliance doesn’t mean your system is completely resilient. That’s the risk of certification programs.”
Another issue is vendors potentially misusing certifications for marketing purposes. “Some certs end up just being something that companies pay for ... to have a seal to show to customers, but it doesn’t add much real value in terms of security,” IOActive’s Cerrudo says.
ICSA Labs charges a flat fee for an annual contract for its certification testing program. The fee can run from “a few thousand” to more than $100,000, Japak says. Its testbed to date has evaluated everything from DVRs and video cameras to home security devices.
An ICSA Labs certification means that the product underwent the testing program and that any vulnerabilities or security weaknesses found were fixed; as with UL’s program, testing continues on an ongoing basis to catch any new flaws.