The security evaluation labs that contributed to this article are all founding members of PSA Certified.
Before we invest in a new car, spend on home appliances or even book a holiday, we often turn to a trusted source for the latest information and advice. We do not always accept the claims a company makes about its products. So, if we are searching for Internet of Things (IoT) devices, how do we make sure they meet our expectations, and more specifically, ensure they are secure?
To help ease the increasing concern about the security of connected devices and their data, IoT product developers are turning to independent experts. That is, accredited security laboratories that can assess the security features built into a product, and check they align with industry best practice, as well as new and emerging laws, regulations and baseline requirements.
This third-party evaluation and certification process removes any doubt about the statements being made by firms, as Laurens Van Oijen, Project Specialist at UL, explains: “The value of third-party certification lies in the integrity of the outcome of an evaluation. A third-party lab takes an independent, and therefore, purely objective approach to validating whether a product conforms to and complies with the standard or specification it is being measured against.”
That is good news for businesses and consumers who are trying to navigate the complexities of IoT security. For anyone involved in the development of a device, an external perspective also adds significant value to the end result. That includes:
Access to World-leading Security Expertise
Third-party labs evaluate the security of a wide range of devices and they do that every day. That means IoT product developers benefit from that wealth of experience. According to Laurens, “By showing your customers you have drawn on the experience and expertise of a third-party evaluation lab, and that lab is, in return, willing to put their name and brand on your product, you are building business and consumer confidence and assuring people that your product meets the highest security standards. Additionally, working with a third party gives you access to global facilities, expertise and resources, even round the clock service if it’s needed.”
Protection from a Wide Range of Threats
A security evaluation lab also has a broad view of the potential threats to a device, and the common mistakes people make when they are implementing security, because of the knowledge and experience they have gained from working with a range of companies and products.
“From a security perspective, there is a fundamental difference between internal testing and having a third-party, expert lab evaluate a product,” says Bernie Rietkerken from embedded hardware security expert, Riscure. “While an internal team may have substantial knowledge, they’re informed by similar evaluations of similar products from the same manufacturer. Instead, a third-party’s expertise is founded in their exposure to a variety of different products across the numerous markets they operate within.”
A third-party’s lab’s responsibilities are not limited, however, to executing evaluations. According to Bernie Rietkerken, entities like Riscure must also position themselves as leaders in cybersecurity. “For our team, it’s of vital importance to always be at the forefront of all the latest attack methods and vulnerabilities. It’s in our DNA, and without this information, a lab quickly loses its competitiveness. By working with a 3rd party lab like ours, manufacturers automatically benefit from this most up-to-date security knowledge too.”
Differentiation in the Marketplace
In the past, security was seen as a cost, or as increasing time to market, and was therefore often addressed later in the development process or not at all, rather than being designed-in from the outset. However, poorly secured IoT devices have become easy targets for hackers and several, high-profile attacks have raised people’s awareness of the potential risks to their privacy and security.
If a third party assesses a device as having met basic security requirements, it helps businesses and consumers make informed purchasing decisions. Increasingly, it also positions product developers ahead of rivals who have chosen not to prioritize security and help build trust in the IoT.
Lower Risk
The costs of insecurity are significant, and IoT product developers have to balance the need to innovate with the potential threats to their operations, reputation, finances and – in the worst-case scenario – existence if there is a security breach.
If independent security experts challenge your approach to security and test your product’s features before they are deployed, this can offer peace of mind. According to independent security lab, SGS Brightsight, the evaluation process can also help insurers of IoT products translate information risk into financial risks. Carlos Serratos, the company’s Senior Director of Strategy, Policy and Advocacy explains further: “This is particularly important in modern service-oriented economies. Here, the third-party security certifications are tools that service providers could benefit from because they may help to reduce fees or increase coverage from insurers. ‘Trust me’ is not a claim that cyber insurance brokers will be likely to be able to translate into financial risk.”
Getting Started
PSA Certified, the industry-backed security framework and assurance scheme, includes a cost-effective and efficient independent evaluation process for system-on-chips, devices and operating systems. Our third-party evaluation labs are based in a number of locations across Europe, North America and Asia Pacific. Their approach to security begins at the silicon level, analyzing the Root of Trust, and builds up through an analysis of best practice security principles for the system software and endpoint device. This helps to ensure security is built into the hardware of the product and all security functions can take place on a trusted foundation.
There are three levels of evaluation for increasing robustness.
PSA Certified Level 1 is based on a security questionnaire that is used to confirm that basic security principles have been applied. A third-party lab evaluates the implementation to ensure the security principles have been met.
PSA Certified Level 2 involvesan independent, lab-based evaluation that is designed to ensure the chip’s PSA Root of Trust security component can protect against software attacks. This includes penetration testing.
PSA Certified Level 3 isa third-party lab-based evaluation that provides evidence of protection against substantial hardware and software attacks. Again, penetration testing will be performed at this stage.
Certification is the final step in the process and helps you to demonstrate to your customers that the product has been designed with security at its heart.
“If you have a report from an accredited laboratory, you can obtain security certification for your products, going beyond the claim ‘trust me, my product is secure’ and you are helping the market focus the conversation about security on specifics,” says Thomas Jorgensen, CCO of SGS Brightsight. Thomas goes on to say, “Developers can also use the security certificate as a differentiator or communication tool, and even to evidence the inclusion of premium security features.”
In summary, the benefits of engaging an independent security evaluation lab include:
- External support
- Objective advice
- Access to security experts who can help you reduce risk
- Validation of your approach to security
- Certification that showcases your commitment to building a secure device
In addition to third party evaluation and certification from trusted labs with an extensive footprint, PSA Certified provides:
- A holistic set of security development resources
- Wide industry support from silicon vendors, system software providers and endpoint device manufacturers
- A more cost-effective and time-efficient evaluation process
Learn more about the security labs mentioned above and our other founders.
Next Steps
Discover more about the benefits of IoT security certification and how you can start your journey to certification.