CTIA, the wireless industry association, just revealed a new
The Internet of Things security certification for wirelessly connected devices will tell consumers and companies buying these certified devices that cybersecurity is baked in throughout the product's development.
It is a significant switch from the way most IoT devices have been developed: Be the first to market, regardless of the cyber risks created.
For years, we've heard from executives at our cybersecurity conferences that IoT manufacturers need to include cybersecurity from the start. Device manufacturers wanting this new CTIA certification will have to do exactly that.
16 cybersecurity requirements of CTIA IoT device certification
- Password Management: Device supports local password management
- Authentication: Device supports user authentication
- Access Controls: Device enforces role-based access control
- Patch Management: Device supports automatic and manual installation of patches from an authorized source
- Software Upgrades: Device supports manual installation software upgrades from an authorized source
- Audit Log: Device supports the gathering of audit log events and reporting them to an EMS using IPsec, SSH, TLS, or DTLS for encryption and integrity protection
- Encryption of Data in Transit: Device supports encrypted communications using IPsec, SSH, TLS, or DTLS
- Multi-Factor Authentication: Device supports multiple authentication factors
- Remote Deactivation: Device can be remotely deactivated by the EMS
- Secure Boot: Device supports a secure boot process to protect its hardware
- Threat Monitoring: Device supports logging of anomalous or malicious activity based on configured policies and rules
- IoT Device Identity: Device provides an IoT Device Type and a globally unique IoT Device Identity
- Encryption of Data at Rest: Device supports an effective mechanism for encrypting data stored on the device
- Digital Signature Generation and Validation: Device supports generation and validation of digital signatures
- Tamper Evidence: Device has the ability to alert a monitoring system when it is physically opened
- Design-In Features: Device includes features to fail secure, provide boundary security, and ensure function isolation
Wireless industry executives praise new IoT certification
Leading wireless operators, technology companies, security experts, and test labs collaborated to develop the program’s test requirements and plans.
The program also builds upon IoT security recommendations from the National Telecommunications and Information Administration (NTIA) and the National Institute of Standards and Technology (NIST).
With this much collaboration, perhaps it's no surprise that wireless industry executives are giving the new standards a thumbs up.
"Establishing a common and readily achievable security program that protects devices, consumers, and our networks is a critical initiative as the IoT market continues to grow exponentially, both in the U.S. and globally," says Cameron Coursey, VP of Product Development, IoT Solutions, at AT&T.
And William Boni, Senior VP of Digital Security at T-Mobile, really hit on a key point: "To realize the exciting promise of IoT, security must be considered at every turn. By setting these standards, the wireless industry is proactively leading the charge to secure previously insecure devices, protecting our networks and customers against
Internet of Things device security certification starts fall 2018
The CTIA says its labs will be ready to accept devices into the certification program beginning in October 2018. Here are all the details on the program.
Speaking of October, IoT security is a hot topic at the SecureWorld Dallas conference on October 11-12, 2018.
iRobot's CISO, Ravi Thatavarthy, is speaking on IoT risks versus rewards. He tells me that we must continue to increase confidence in the Internet of Things to maximize its potential.
"My belief is that security combined with privacy will become a brand differentiator," he says. And he's optimistic that will happen.
And the new CTIA certification program may inspire optimism in other information security leaders, as well.