The Connectivity Standards Alliance (“Alliance”) Product Security Working Group is announcing the release of their IoT (Internet of Things) Device Security Specification 1.0, with the accompanying certification program, and Product Security Verified Mark. This groundbreaking initiative aims to establish a unified IoT cybersecurity standard and certification program, providing manufacturers with a one-stop solution to certify their devices, enabling them to comply with multiple international regulations and standards more easily.
“The unveiling of the IoT Device Security Specification 1.0, alongside its certification program and the Product Security Verified Mark, signals an important milestone in bolstering IoT security and building confidence with consumers,” said Tobin Richardson, Alliance President & CEO of the Connectivity Standards Alliance. “By bringing together diverse international regulations into a cohesive specification, the Product Security Certification Program streamlines the process, reduces redundancy, and provides manufacturers with a singular, respected avenue for certifying their devices globally.”
With the increasing adoption of consumer IoT devices, there is a heightened emphasis on security due to a rise in incidents involving breaches and malicious device hijackings. The Product Security Working Group aims to meet this challenge by consolidating requirements from the three most popular IoT Cybersecurity baselines from the United States, Singapore, and Europe into a single specification and certification program. This unifying effort helps manufacturers more easily and efficiently address these regulatory regimes’ requirements aiming to instill confidence in consumers and regulators.
“As consumers embrace the convenience and value of IoT devices, the Alliance is dedicated to helping to create more comprehensive protection for consumers. This initiative aims to establish a robust baseline for all consumer IoT devices,” said Steve Hanna of Infineon Technologies AG and Chair of the Product Security Working Group Steering Committee. “The Alliance’s Product Security Verified Mark and IoT Device Security Specification 1.0 will make it easier for manufacturers to address consumer IoT security requirements around the world.”
IoT Device Security Specification 1.0 Requirements
The Product Security’s IoT Device Security Specification includes dozens of specific device security provisions. IoT Device Manufacturers must demonstrate compliance with those provisions, supplying justifications and evidence to an Authorized Test Laboratory with expertise in security evaluation and experience certifying products relative to this specification.
Highlights of the specific requirements include:
· Unique identity for each IoT Device
· No hardcoded default passwords
· Secure storage of sensitive data on the Device
· Secure communications of security-relevant information
· Secure software updates throughout the support period
· Secure development process, including vulnerability management
· Public documentation regarding security, including the support period
Nearly 200 member companies — including Amazon, Arm, Comcast, Google, Infineon Technologies AG, NXP Semiconductors, Schneider Electric, Signify (Philips Hue and WiZ), and Silicon Labs — have collaborated, pooling related technologies, expertise, and innovations enabling the IoT Device Security Specification 1.0, the accompanying certification program, and Product Security Verified Mark to meet the diverse needs of stakeholders, including consumers, device manufacturers, and regulators. Together, these companies spearheaded the process by driving requirements and specification development and ultimately helping validate the final specification.
Encompassing a broad spectrum of smart home devices such as light bulbs, switches, thermostats, doorbell cameras, and more, the Product Security Certification Program establishes minimum requirements for IoT devices. By consolidating several international regulations into a single set of requirements, the Certification Program streamlines the process, helping manufacturers meet certification criteria from multiple countries or regions with a single evaluation.
The Product Security Verified Mark is confirmation a product meets the specification’s security requirements, with the goal of inspiring consumer confidence. When displayed prominently on certified product packaging, store signage, and online platforms, this Verified Mark builds trust by serving as a marker for secure IoT devices. A printed URL, hyperlink, QR code, or a combination of these representations on the Product Security Verified Mark gives consumers access to more information about the device’s security features.
Looking Ahead
As technology advances and new threats emerge, the Product Security Working Group remains committed to continuously enhancing the IoT Security Device Specification and the accompanying certification program.
About the Connectivity Standards Alliance
The Connectivity Standards Alliance is the foundation and future of the Internet of Things (IoT). Established in 2002, its wide-ranging global membership collaborates to create and evolve universal open standards for the products transforming the way we live, work, and play. With its Members’ deep and diverse expertise, robust certification programs, and a full suite of open IoT solutions the Alliance is leading the movement toward a more intuitive, imaginative, and useful world.
The Connectivity Standards Alliance Board of Directors is comprised of executives from Allegion, Amazon, Apple, ASSA ABLOY, Comcast, Espressif, Eve by ABB, Fortune Brands, Google, Haier, Huawei, IKEA, Infineon Technologies AG, The Kroger Co., LEEDARSON, Legrand, LG Electronics, Lutron Electronics, Midea, Nordic Semiconductor, NXP Semiconductors, OPPO, Resideo Technologies, Samsung Electronics, Schneider Electric, Siemens, Signify (Philips Hue and WiZ), Silicon Labs, Somfy, STMicroelectronics, Tuya, Verizon, and Wulian.
For More Information: www.csa-iot.org