Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
5/25/2016
01:10 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

New Internet Of Things Security-Certification Program Launched

ICSA Labs now offers a security testing program for IoT products, following the recently announced 'CyberUL' security certification program.

Network-connected devices in the industrial and consumer world—aka The Internet of Things (IoT)—now have a second program for testing and certifying their security: ICSA Labs today rolled out its own program for IoT vendors and customers.

ICSA Labs’ new IoT Certification Testing program comes on the heels of that of Underwriters Laboratories, which in April announced its much-anticipated Cybersecurity Assurance Program (UL CAP) that uses a newly created set of standards for IoT and critical infrastructure vendors to use for assessing security vulnerably and weaknesses in their products. ICSA Labs, an independent division of Verizon, says its new program will test six components of IoT devices: alert/logging; cryptography; authentication; communications; physical security; and platform security. 

UL’s program in its first phase tests for known vulnerabilities as well as authentication, access, encryption, and software updates, and plans to issue its first cybersecurity certifications in the third quarter. It tests connected cars, SIM cards and embedded SIMs, mobile devices and chipsets, smart home devices, wearables, and wireless devices.

George Japak, managing director for ICSA Labs, says his organization has been conducting third-party cybersecurity testing for 25 years, while UL’s new program represents a move from its traditional safety heritage to cybersecurity as well. "UL has been around for a very long time and they are well-respected, especially in the safety area. What they’re announcing is new for them ... In our case ... This is our 25th year of having [security] certification and testing programs around different technologies, which started with antivirus,” Japak says.

IoT and industrial products’ security woes are well-known and well-documented, with reams of research on connected car flaws, home automation devices, and plant-floor systems. Concerns over public safety in many of the consumer and industrial devices has raised alarm bells over better securing these devices, many of which are built without security in mind at all. Verizon estimates 25.6 billion IoT devices will be in the world by 2018, up from 9.7 billion in 2014. By 2020, look for 30 billion connected devices to be in the market.

“[IoT] vendors have been slow to adopt security, so they need a little nudge,” ICSA Labs’ Japak says.

Japak notes that IoT products can be anything from a medical device to a video camera. “A device is a device is a device,” connected to the network, he says. “It’s got some sort of embedded or other operating system ... there are no lack of interfaces on these devices. What’s lacking is any desire to secure them. We have a Dead Sea scroll with all of the problems in mobile apps that we test,” for example, he notes. And sensors—the heart and soul of many of these devices—are notoriously all about functionality, not security, according to Japak.

Remember the Ecosystem

IoT security experts say the only way security certification programs will truly improve IoT security, however, is if they provide deep testing of the entire IoT ecosystem. That would encompass the cloud infrastructure used by the product, any mobile or Web apps as well as third-party products that integrate with it, for instance, notes Cesar Cerrudo, CTO of IOActive Labs and an IoT security researcher.

“The deeper the testing the certification goes, the best it would be,” he says. “If you test the IoT device [only], maybe it’s secure, but then when used in real life, [it’s] completely broken by the complex relations with the ecosystem.”

Ted Harrington, executive partner of Independent Security Evaluators, says certification programs for IoT have their pros and cons for sure. “On the one hand, a program like this will undoubtedly have a positive impact on the IoT industry ... Security is still not effectively built into many of these solutions,” he says. An IoT cert program could help an IoT vendor get started in security, he says.

But the tradeoff of such a program is that just because a product earns a certification doesn’t guarantee it’s truly secure, Harrington says. “Where a certification program is very dangerous, is for organizations that would perceive the program as a complete blessing for the security of a product,” he says. “Certification programs must be adaptable in order to work for a wide range of organizations, yet all organizations have unique needs, use cases, and threat models.”

So even an IoT product that earns a certification is likely to still have security gaps, he says. “Target was PCI-compliant, yet Target suffered a security breach. That’s a great case study that compliance doesn’t mean your system is completely resilient. That’s the risk of certification programs.”

Another issue is vendors potentially misusing certifications for marketing purposes. “Some certs end up just being something that companies pay for ... to have a seal to show to customers, but it doesn’t add much real value in terms of security,” IOActive’s Cerrudo says.

ICSA Labs charges a flat fee for an annual contract for its certification testing program. The fee can run from “a few thousand” to more than $100,000, Japak says. Its testbed to date has evaluated everything from DVRs and video cameras to home security devices.

An ICSA Labs certification means that the product underwent a testing program and any vulnerabilities or security weaknesses were fixed; like UL’s, testing occurs on an ongoing basis to catch any new flaws.

Related Content:

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8720
PUBLISHED: 2020-08-13
Buffer overflow in a subsystem for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow a privileged user to potentially enable denial of service via local access.
CVE-2020-12300
PUBLISHED: 2020-08-13
Uninitialized pointer in BIOS firmware for Intel(R) Server Board Families S2600CW, S2600KP, S2600TP, and S2600WT may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2020-12301
PUBLISHED: 2020-08-13
Improper initialization in BIOS firmware for Intel(R) Server Board Families S2600ST, S2600BP and S2600WF may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2020-7307
PUBLISHED: 2020-08-13
Unprotected Storage of Credentials vulnerability in McAfee Data Loss Prevention (DLP) for Mac prior to 11.5.2 allows local users to gain access to the RiskDB username and password via unprotected log files containing plain text credentials.
CVE-2020-8679
PUBLISHED: 2020-08-13
Out-of-bounds write in Kernel Mode Driver for some Intel(R) Graphics Drivers before version 26.20.100.7755 may allow an authenticated user to potentially enable denial of service via local access.