5/25/2016 01:10 PM

New Internet Of Things Security-Certification Program Launched

ICSA Labs now offers a security testing program for IoT products, following the recently announced 'CyberUL' security certification program.

Network-connected devices in the industrial and consumer world—aka The Internet of Things (IoT)—now have a second program for testing and certifying their security: ICSA Labs today rolled out its own program for IoT vendors and customers.

ICSA Labs’ new IoT Certification Testing program comes on the heels of that of Underwriters Laboratories, which in April announced its much-anticipated Cybersecurity Assurance Program (UL CAP). UL CAP uses a newly created set of standards that IoT and critical infrastructure vendors can use to assess security vulnerabilities and weaknesses in their products. ICSA Labs, an independent division of Verizon, says its new program will test six components of IoT devices: alert/logging; cryptography; authentication; communications; physical security; and platform security.

UL’s program in its first phase tests for known vulnerabilities as well as authentication, access, encryption, and software updates, and plans to issue its first cybersecurity certifications in the third quarter. It tests connected cars, SIM cards and embedded SIMs, mobile devices and chipsets, smart home devices, wearables, and wireless devices.

George Japak, managing director for ICSA Labs, says his organization has been conducting third-party cybersecurity testing for 25 years, while UL’s new program represents a move from its traditional safety heritage to cybersecurity as well. "UL has been around for a very long time and they are well-respected, especially in the safety area. What they’re announcing is new for them ... In our case ... This is our 25th year of having [security] certification and testing programs around different technologies, which started with antivirus,” Japak says.

IoT and industrial products’ security woes are well-known and well-documented, with reams of research on connected car flaws, home automation devices, and plant-floor systems. Concerns over public safety in many of these consumer and industrial devices have raised alarm bells about securing them better, since many are built without security in mind at all. Verizon estimates 25.6 billion IoT devices will be in the world by 2018, up from 9.7 billion in 2014. By 2020, look for 30 billion connected devices to be in the market.

“[IoT] vendors have been slow to adopt security, so they need a little nudge,” ICSA Labs’ Japak says.

Japak notes that IoT products can be anything from a medical device to a video camera. “A device is a device is a device,” connected to the network, he says. “It’s got some sort of embedded or other operating system ... there are no lack of interfaces on these devices. What’s lacking is any desire to secure them. We have a Dead Sea scroll with all of the problems in mobile apps that we test,” for example, he notes. And sensors—the heart and soul of many of these devices—are notoriously all about functionality, not security, according to Japak.

Remember the Ecosystem

IoT security experts say the only way security certification programs will truly improve IoT security, however, is if they provide deep testing of the entire IoT ecosystem. That would encompass the cloud infrastructure used by the product, any mobile or Web apps as well as third-party products that integrate with it, for instance, notes Cesar Cerrudo, CTO of IOActive Labs and an IoT security researcher.

“The deeper the testing the certification goes, the best it would be,” he says. “If you test the IoT device [only], maybe it’s secure, but then when used in real life, [it’s] completely broken by the complex relations with the ecosystem.”

Ted Harrington, executive partner of Independent Security Evaluators, says certification programs for IoT have their pros and cons for sure. “On the one hand, a program like this will undoubtedly have a positive impact on the IoT industry ... Security is still not effectively built into many of these solutions,” he says. An IoT cert program could help an IoT vendor get started in security, he says.

But the tradeoff of such a program is that just because a product earns a certification doesn’t guarantee it’s truly secure, Harrington says. “Where a certification program is very dangerous, is for organizations that would perceive the program as a complete blessing for the security of a product,” he says. “Certification programs must be adaptable in order to work for a wide range of organizations, yet all organizations have unique needs, use cases, and threat models.”

So even an IoT product that earns a certification is likely to still have security gaps, he says. “Target was PCI-compliant, yet Target suffered a security breach. That’s a great case study that compliance doesn’t mean your system is completely resilient. That’s the risk of certification programs.”

Another issue is vendors potentially misusing certifications for marketing purposes. “Some certs end up just being something that companies pay for ... to have a seal to show to customers, but it doesn’t add much real value in terms of security,” IOActive’s Cerrudo says.

ICSA Labs charges a flat fee for an annual contract for its certification testing program. The fee can run from “a few thousand” to more than $100,000, Japak says. Its testbed to date has evaluated everything from DVRs and video cameras to home security devices.

An ICSA Labs certification means that the product underwent a testing program and any vulnerabilities or security weaknesses were fixed; like UL’s, testing occurs on an ongoing basis to catch any new flaws.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...