As smart home devices become ubiquitous, questions around their security and exposure to risk are manifold. In light of this, the Connectivity Standards Alliance (CSA) has launched a new single security certification for consumer IoT devices. CSA is an industry association that focuses on ensuring that the IoT (Internet of Things) becomes more secure and accessible, and aims to remove cybersecurity fragmentation through a harmonized, common security platform.
Announced in March 2024, the CSA’s IoT Device Security Specification 1.0 is accompanied by a certification program and product security verified mark. This certification promotes a unified cybersecurity standard which enables consumer IoT device manufacturers to certify products while aligning with multinational standards, smoothing the regulatory process.
Consumer concerns
Product security couldn’t be more pertinent today. In fact, research shows that consumers are strongly concerned, with 84% saying security is an important element in their purchasing choices. This was a key factor in the CSA’s decision to take a unified, global approach by reviewing and combining international requirements in a single common baseline.
With increasingly sophisticated attacks against IoT systems growing in intensity, governments are also responding with standards and regulations, such as NISTIR 8259 in the US, the EU's Cyber Resilience Act and the UK Product Security and Telecommunications Infrastructure Act 2022. As a result, many now consider a global approach to product security necessary. The CSA's stated aim with the IoT Device Security Specification 1.0 is that consumer IoT device manufacturers can certify once and reuse that certification toward compliance in many jurisdictions.

Boosting confidence
According to Steve Hanna, chair of the CSA Product Security Working Group and a distinguished engineer at semiconductor supplier Infineon Technologies, this process creates compelling advantages for manufacturers and consumers. "Consumer confidence is everything; the job is never done when it comes to cybersecurity," Hanna comments. "Certifying IoT smart home devices that consumers know meet baseline requirements is a big step forward. Product security, boosted demand and increased recognition in good security are key. The message to manufacturers is to certify once, qualify in many countries."
But while most manufacturers have experience with regulatory requirements in electrical safety, cybersecurity is a relatively new area to address. Cybersecurity regulations are not yet fully implemented but are planned for the coming years, including the cybersecurity requirements of the European Radio Equipment Directive (RED), activated by a delegated act and mandatory from 2025.
Aligning with the demands of the RED delegated act is a priority for manufacturers, says Jorge Wallace Ruiz, cybersecurity technical leader at DEKRA. Ruiz reveals that the next iteration of the CSA Specification will address these concerns: "The CSA are trying to leverage the current plan to include some of the aspects from the RED Delegated Act and try to have one certificate, as vendors tell us this is of primary importance to them."

Achieving the standard
Potentially, the most substantial change with the CSA IoT Device Security Specification 1.0 is that manufacturers need to document how they implement each security control. They answer a detailed questionnaire that delivers a comprehensive security evaluation of their product or solution.
Rudolph Schiessl, the global coordinator for wireless and connected products at testing service provider TÜV Rheinland, says this specification is a set of requirements to be fulfilled by manufacturers so they can gain certification and prepare for what is coming next. "As the specification is based on international standards like ETSI EN 303 645, it is an excellent way for manufacturers to prepare and familiarize themselves with upcoming requirements," Schiessl says. "This proactive approach helps ensure products are secure and compliant with future regulations." ETSI EN 303 645 is a European standard for consumer IoT devices that has become a widely referenced international baseline; it outlines the security provisions (such as no universal default passwords, a vulnerability disclosure policy and secure update mechanisms) that manufacturers should build into their products' design and development to improve resilience against cyberthreats.
The evidence that manufacturers need to provide to support their product questionnaire could encompass process descriptions, technical documentation and other supporting materials that demonstrate compliance. For example, process descriptions might detail the company’s development and implementation processes for security features, including the secure software development lifecycle (SDLC) and procedures for managing security updates. Technical documentation could include architectural evidence which outlines how security is integrated into the product, specifications for encryption methods, and authentication mechanisms.
In terms of security, the requirements covered in the specification include, for example, whether each device has a unique, tamper-resistant identity that can be securely authenticated.
If a manufacturer can provide evidence for each requirement, for instance that encryption and authenticated protocols protect data in transit against eavesdropping and tampering, the ATL (authorized testing lab) can approve the device for certification. Overall, Steve Hanna believes the specification integrates a collection of common-sense best practices, rather than isolated single requirements. "While there is no absolute security, this specification markedly elevates the level of protection," Hanna comments.

One company that provides end-to-end IoT security solutions and full-lifecycle services to IoT semiconductor and device manufacturers is Kudelski IoT. It now uses the specification framework to guide manufacturers as they prioritize their security feature roadmap, supporting a security-by-design approach.
According to Kudelski IoT, this testing and certification process involves several stages.
Firstly, an initial assessment takes place, with a thorough review of the device's design and architecture to identify potential security risks. This is followed by conformance testing, where the device is evaluated by an ATL against the CSA Security Specification's requirements to confirm compliance. In addition, a documentation review verifies whether or not the manufacturer's documentation is complete and accurate. Finally, certification can occur if the device passes all the necessary tests for compliance with the CSA IoT specification.
Brecht Wyseur, Kudelski IoT's senior manager for cybersecurity standardization and regulatory affairs, says: "The 1.0 version of this new specification is a primary baseline that consists of self-assessment using a questionnaire. The manufacturer answers questions that relate to each of the security requirements, explaining how they have succeeded in satisfying the requirement." Experts from the selected ATL then review the questionnaire and supporting evidence.
This review may create space for a dialogue between the manufacturer and the ATL to ensure explanations are clear and declarations can be validated.
Throughout this process, the ATL should work closely with the manufacturer to address any gaps or ambiguities.
Confirming this, Rudolph Schiessl at TÜV Rheinland says: “This iterative approach ensures the product meets the specified security standards, providing a high level of confidence in the certification. The end result is a rigorous validation that the product’s security measures are robust and compliant with the relevant specifications.”
Benefits for suppliers
There are numerous advantages for IoT smart home device manufacturers in undertaking the CSA IoT Specification 1.0 certification. Firstly, companies can reduce liability and risk to their brand and reputation, which increases consumer confidence and may strengthen their product differentiation from competitors. Secondly, as regulatory pressure to implement and certify cybersecurity requirements is still building, manufacturers can make the most of being early adopters. This is more potent if they can demonstrate to their customers that they value cybersecurity, building a more powerful brand image.
Exploring this in more detail, Kudelski IoT’s Brecht Wyseur says: “Manufacturers can create global market access as certification provides a path for devices to be recognized and accepted in multiple regions, simplifying market entry. This also supports regulatory compliance as manufacturers meet regulatory requirements and avoid potential legal issues.”
Alongside the product security verification program, the CSA Product Security Verified Mark is a visual confirmation that a product has met the specification's requirements. To gain the mark, manufacturers need to prove that their product aligns with the specification's IoT security provisions. These provisions cover a wide range of security requirements, including the secure storage of sensitive data, process isolation, and a secure development process with vulnerability management for the device in question.
Next chapter
According to Ruiz, the CSA IoT Device Security Specification version 1.1 is due to be published in Q1 of 2025 and will essentially have two different expectations. The first will be to cover the latest updates of the US Cyber Trust Mark. "If you are able to certify your product, you will be in compliance with the US Cyber Trust Mark," says Ruiz, adding: "The second expectation will be to create different security levels. A primary level will be the existing self-attestation questionnaire, with the second level involving testing procedures performed by the authorized testing lab. If vendors say there is a security update, we need to check this in the lab with the product."
A third level aims to include vulnerability assessment and penetration testing. And with CSA working groups collaborating across regions and borders, there is a strong belief that the certification will be able to reduce fragmentation in IoT device regulation and streamline the process for manufacturers and consumers.
This article first appeared in the September/October 2024 issue of Consumer Electronics Test & Development magazine.