Home > News & Analysis > Series 15 – Episode 1 – Understanding the IoT Device Security Specification 1.0

Podcasts

Series 15 – Episode 1 – Understanding the IoT Device Security Specification 1.0

21st June 2024

The Connectivity Standards Alliance (CSA) (formerly Zigbee Alliance)

Paige West

3 0

Paige West speaks with Steve Hanna of Infineon Technologies and Chair of the Product Security Working Group Steering Committee about the new IoT Device Security Specification.

With over 25 years of experience in the field, Steve provided valuable insights into the importance of security in the Internet of Things (IoT) and introduced the new IoT device security specification developed by the Connectivity Standards Alliance (CSA).

The Product Security Working Group, a part of the CSA, comprises over 200 member companies globally. The CSA is known for creating industry standards such as ZigBee and Matter, and it realised the necessity for a security certification for consumer IoT products a few years ago.

Steve explained: “The aim is to create a global certification that consumers and others can look to, to recognise which products are adequately cyber secure.”

The IoT Device Security Specification outlines several critical requirements for smart home devices to be considered adequately cybersecure:

Unique identity: each device must have a unique identity to prevent counterfeiting and ensure consumer trust
No default passwords: devices should not have default passwords to avoid easy access by malicious actors
Secure storage and communication: sensitive data must be securely stored and transmitted to protect against interception
Secure software updates: there must be a robust mechanism for updating software to address vulnerabilities as they are discovered.
Secure development process: manufacturers should follow secure development processes and provide clear documentation regarding the security and support of the product

The primary objective of the new specification is to establish a solid baseline for IoT cybersecurity, helping consumers identify secure products and encouraging the adoption of smart home technology. This benefits not only consumers but also manufacturers who adhere to high security standards by providing them with recognition and a competitive edge.

Steve stated: “What we're trying to do here is to establish a solid baseline for cybersecurity for the Internet of Things. And then by doing so, consumers can look to our mark to know which products available on the shelves meet that baseline.”

As IoT devices have become more prevalent, they have attracted the attention of attackers. Botnets, networks of infected devices, can be used to carry out distributed denial of service (DDoS) attacks. Governments worldwide have responded to these threats with regulations, making it essential to have a unified certification programme to avoid inefficiencies and high costs associated with multiple certifications.

The CSA has a well-established process for certifying IoT products, utilising a network of accepted test labs globally. Manufacturers submit documentation to these labs, which then verify compliance. This certification is not indefinite; products must be continuously updated and supported, with certifications being revoked if support is no longer possible.

Steve emphasised the dynamic nature of cybersecurity, noting that new threats and technological advancements, such as quantum computing, necessitate ongoing updates to the security specification. Post-quantum cryptographic algorithms are already being developed to address future challenges.

Steve added: “One of the things we've been watching out for is the introduction of quantum computing. When this becomes practical and widely available, many of the cryptographic algorithms we use today will no longer be secure.”

A secure development lifecycle process is crucial for managing security risks. This involves integrating security considerations from the design stage, conducting threat analyses, and establishing mechanisms for reporting and addressing vulnerabilities.

Steve emphasised: “You need to consider security, from the very start, you can't come in at the very end and just slap some security on because you will have built in vulnerabilities from the start.”

The certification process typically takes a couple of months, depending on the readiness of the application. A thorough preparation and adherence to security provisions can shorten this timeline, while neglecting security from the start can lead to a lengthy certification process. Steve noted: “If your application is complete, and you submit it to the accepting test lab, they can simply verify that application and you could be certified in an even shorter period of time.”

The CSA is working with various governments to ensure that its certification programme is recognised globally. This ‘certify once, qualify everywhere’ approach makes it easier and more cost-effective for manufacturers, while providing consumers with confidence in the security of their IoT devices.

Overall, Steve Hanna highlights the critical importance of robust IoT security standards and the ongoing efforts to enhance these measures. The new IoT device security specification and certification programme represent significant steps towards ensuring the security and trustworthiness of IoT products worldwide.

To hear more about IoT device security and much more, you can listen to Electronic Specifier’s interview with Steve Hanna on Spotify or Apple podcasts.