Known as IoT Device Security Specification 1.0, the new standard was produced by the CSA’s product security working group. Alongside the new specification there will be an accompanying certification program, and Product Security verified mark.
According to CSA, the initiative aims to establish a unified IoT cybersecurity standard and certification program, providing manufacturers a one-stop solution to certify their devices, and enabling them to comply more easily with international regulations and standards.
“The unveiling of the IoT Device Security Specification 1.0, alongside its certification program and the Product Security Verified Mark, signals an important milestone in bolstering IoT security and building confidence with consumers,” said Tobin Richardson, CSA president and CEO. ”By bringing together diverse international regulations into a cohesive specification, the Product Security Certification Program streamlines the process, reduces redundancy, and provides manufacturers with a singular, respected avenue for certifying their devices globally.”
The growing adoption of consumer IoT devices, has brought with it heightened cybersecurity concerns due to a rise in incidents involving breaches and malicious device hijackings.
In developing the standard, CSA’s product security working group consolidated requirements from the three most popular IoT cybersecurity baselines from the US, Singapore, and Europe into a single specification and certification program.
“This initiative aims to establish a robust baseline for all consumer IoT devices,” said Steve Hanna of Infineon Technologies AG and chair of the product security working group steering committee.
The new IoT Device Security Specification includes dozens of specific device security provisions with manufacturers required to demonstrate compliance with those provisions, supplying justifications and evidence to an authorized test laboratory. Some of the specific requirements include: unique identity for each IoT Device; no hard-coded default passwords; secure storage of sensitive data on the device and secure communications of security-relevant information.
Nearly 200 member companies — including Amazon, Google and Infineon Technologies — collaborated on the creation of the specification, which covers a broad range of smart home devices including light bulbs, switches, thermostats, and doorbell cameras.