IoT
5/25/2016
01:10 PM
New Internet Of Things Security-Certification Program Launched

ICSA Labs now offers a security testing program for IoT products, following the recently announced 'CyberUL' security certification program.

Network-connected devices in the industrial and consumer world—aka The Internet of Things (IoT)—now have a second program for testing and certifying their security: ICSA Labs today rolled out its own program for IoT vendors and customers.

ICSA Labs’ new IoT Certification Testing program comes on the heels of that of Underwriters Laboratories, which in April announced its much-anticipated Cybersecurity Assurance Program (UL CAP), which uses a newly created set of standards that IoT and critical infrastructure vendors can use to assess security vulnerabilities and weaknesses in their products. ICSA Labs, an independent division of Verizon, says its new program will test six components of IoT devices: alert/logging; cryptography; authentication; communications; physical security; and platform security.

UL’s program in its first phase tests for known vulnerabilities as well as authentication, access, encryption, and software updates, and plans to issue its first cybersecurity certifications in the third quarter. It tests connected cars, SIM cards and embedded SIMs, mobile devices and chipsets, smart home devices, wearables, and wireless devices.

George Japak, managing director for ICSA Labs, says his organization has been conducting third-party cybersecurity testing for 25 years, while UL’s new program represents a move from its traditional safety heritage to cybersecurity as well. "UL has been around for a very long time and they are well-respected, especially in the safety area. What they’re announcing is new for them ... In our case ... This is our 25th year of having [security] certification and testing programs around different technologies, which started with antivirus,” Japak says.

IoT and industrial products’ security woes are well-known and well-documented, with reams of research on connected car flaws, home automation devices, and plant-floor systems. Concerns over public safety in many of the consumer and industrial devices have raised alarm bells over better securing these devices, many of which are built without security in mind at all. Verizon estimates 25.6 billion IoT devices will be in the world by 2018, up from 9.7 billion in 2014. By 2020, look for 30 billion connected devices to be in the market.

“[IoT] vendors have been slow to adopt security, so they need a little nudge,” ICSA Labs’ Japak says.

Japak notes that IoT products can be anything from a medical device to a video camera. “A device is a device is a device,” connected to the network, he says. “It’s got some sort of embedded or other operating system ... there is no lack of interfaces on these devices. What’s lacking is any desire to secure them. We have a Dead Sea scroll with all of the problems in mobile apps that we test,” for example, he notes. And sensors—the heart and soul of many of these devices—are notoriously all about functionality, not security, according to Japak.

Remember the Ecosystem

IoT security experts say the only way security certification programs will truly improve IoT security, however, is if they provide deep testing of the entire IoT ecosystem. That would encompass the cloud infrastructure used by the product, any mobile or Web apps as well as third-party products that integrate with it, for instance, notes Cesar Cerrudo, CTO of IOActive Labs and an IoT security researcher.

“The deeper the testing the certification goes, the better it would be,” he says. “If you test the IoT device [only], maybe it’s secure, but then when used in real life, [it’s] completely broken by the complex relations with the ecosystem.”

Ted Harrington, executive partner of Independent Security Evaluators, says certification programs for IoT have their pros and cons for sure. “On the one hand, a program like this will undoubtedly have a positive impact on the IoT industry ... Security is still not effectively built into many of these solutions,” he says. An IoT cert program could help an IoT vendor get started in security, he says.

But the tradeoff of such a program is that just because a product earns a certification doesn’t guarantee it’s truly secure, Harrington says. “Where a certification program is very dangerous, is for organizations that would perceive the program as a complete blessing for the security of a product,” he says. “Certification programs must be adaptable in order to work for a wide range of organizations, yet all organizations have unique needs, use cases, and threat models.”

So even an IoT product that earns a certification is likely to still have security gaps, he says. “Target was PCI-compliant, yet Target suffered a security breach. That’s a great case study that compliance doesn’t mean your system is completely resilient. That’s the risk of certification programs.”

Another issue is vendors potentially misusing certifications for marketing purposes. “Some certs end up just being something that companies pay for ... to have a seal to show to customers, but it doesn’t add much real value in terms of security,” IOActive’s Cerrudo says.

ICSA Labs charges a flat fee for an annual contract for its certification testing program. The fee can run from “a few thousand” to more than $100,000, Japak says. Its testbed to date has evaluated everything from DVRs and video cameras to home security devices.

An ICSA Labs certification means that the product underwent a testing program and any vulnerabilities or security weaknesses were fixed; like UL’s, testing occurs on an ongoing basis to catch any new flaws.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
