The Connectivity Standards Alliance (CSA) has launched the Internet of Things (IoT) Device Security Specification 1.0, a bid to establish a unified cybersecurity standard and certification program for smart devices.
The specification aims to give manufacturers an easier way to certify devices that comply with multiple international regulations and standards.
The specification includes dozens of security provisions for IoT devices. Manufacturers must demonstrate compliance with these provisions, supplying justifications and evidence in security evaluation and experience when certifying IoT products.
The specification's provisions include:
- Unique identity for each IoT device
- No hardcoded default passwords
- Secure storage of sensitive data on a device
- Secure communications of security-relevant information
- Secure software updates throughout the support period
- Secure development process, including vulnerability management
- Public documentation regarding security, including the support period
Why it is needed
As more consumer IoT devices are adopted, more incidents involving breaches and malicious device hijackings arise. To combat this, the CSA is working to consolidate the requirements from the three most popular IoT cybersecurity baselines from the U.S., Singapore and Europe. These will be added into a single specification and certification program.
The CSA said the effort will allow companies to address regulatory regimes’ requirements as well as give consumers and regulators confidence in the security of these IoT devices.
Nearly 200 member companies including Amazon, Arm, Comcast, Google, Infineon, NXP Semiconductors, Schneider Electric, Signify and Silicon Labs have pooled their related technologies and innovations into the specification and accompanying certification program.