Feature

Secure Connected Device accreditation

Cyber and Information Security experts IASME are collaborating with Secured by Design, the official police security initiative, on their new Secure Connected Device accreditation

Smart but not necessarily secure
Besides computers, tablets and mobile phones, many other objects connect to the internet. Bike locks, storage cupboards, security cameras and lights are examples of ‘connected’ or ‘smart’ devices, which are collectively known as the ‘Internet of Things’ (IoT). They enable the user to control their functions remotely, usually using a mobile phone app.

If a smart device can be accessed by the user online, there is also the possibility that other people may be able to access it, which raises both security and privacy concerns. Insecure devices can provide an access point for criminals on the internet to steal personal data, access microphones or cameras or hijack a device for ulterior motives. It is therefore important to ensure that all IoT products have the right security in place to protect consumers from becoming victims of cyber crime.

Police Crime Prevention Initiatives
Secured by Design is the most well-known of the Police Crime Prevention Initiatives (Police CPI) portfolio. Secured by Design (SBD) operates an accreditation scheme on behalf of the UK Police Service to show that products or services have met recognised security standards. These products or services – which must be capable of deterring or preventing crime – are described as having achieved ‘Police Preferred Specification’.

There are currently many hundreds of companies that produce thousands of individual attack-resistant crime prevention products that have met the exacting Police Preferred Specification. This includes doors, windows, external storage, bicycle and motorcycle security, locks and hardware, asset marking, alarms, CCTV, safes, perimeter security products and many others. SBD is the only way for companies to obtain police recognition for security-related products in the UK.

This year, SBD launched a Secure Connected Device accreditation for companies providing internet connected products. Working closely with certifying bodies, who assess IoT products and services against the worldwide standard, ETSI EN 303 645, SBD’s IoT Device assessment framework identifies the level of risk associated with an IoT device and its ecosystem. They are then able to provide recommendations on the appropriate certification routes.

Cyber security for IoT
IASME helps businesses improve their cyber security, counter fraud and risk management through an effective and accessible range of certifications. The IASME IoT Cyber Assurance certification scheme gives manufacturers and people responsible for purchasing connected products a way to show due diligence in the selection of secure products.

IASME have been working in partnership with SBD to contribute to the Secure Connected Device accreditation. IASME’s IoT Cyber Assurance level 2 scheme certifies internet connected devices against the most important cyber security controls and makes up an essential part of the framework for the accreditation.

The IASME IoT Cyber Assurance scheme aligns with all 13 provisions of the worldwide standard in IoT cyber security, ETSI EN 303 645, and with the imminent UK IoT security legislation and guidance. It is also mapped to the IoTSF Security Compliance Framework.

The Level 2 scheme includes a hands-on audit of the device and provides the assurance of third-party testing and independent certification. The audit is managed by an Assessor, skilled in IoT cyber security, from one of IASME’s network of Certification Bodies. The scope of the certification includes the IoT device and any associated hub, app and cloud service the device relies upon to operate. The scheme is accessible to micro and small manufacturers, as well as to larger organisations.

Raising the bar in the industry
While certifying connected devices through the IoT Cyber Assurance scheme, IASME has worked with numerous manufacturers, many of whom are innovators in their field. They often express a desire to work together to raise the bar in the industry and hope that increased security will raise confidence in the market that it is safe to work with wireless systems. They say they found it useful to share the feedback given to them by the scheme Assessors with their customers, as it helped demonstrate what they were doing. Many commented that external certification served to reassure clients that they had a secure system that has been audited by a third party.

Once a product has been certified to IASME IoT Cyber Assurance level 2 and has met the physical security requirements of SBD, the company can apply to become an SBD member. The product will receive the SBD Secure Connected Device accreditation, a unique and recognisable accreditation that will highlight products as having achieved the relevant IoT standards and certifications.

SBD’s IoT Technical Officer, Michelle Kradolfer, emphasised the importance of proving the security of IoT devices: “With the rise in IoT and smart devices being sold in the UK market, it’s important for companies to ensure that their IoT products are built as securely as possible and an integral part of doing so is getting their IoT products appropriately assessed and accredited.”

She goes on to say, “By obtaining our Secure Connected Device accreditation and undergoing a testing and certification process, companies are sending a clear message on the importance of IoT security for their products, which will make them stand out from the crowd and inspire confidence from their consumers.”

Dr Emma Philpott MBE, CEO of IASME, welcomes the partnership with SBD and the integration of the scheme as part of a widespread and comprehensive accreditation. She says, “IASME has developed the IoT Cyber Assurance scheme to provide an opportunity for manufacturers to improve the security of their internet-connected devices and to show they are compliant with best-practice security. The technical controls required for certification guard against the exploitation of common IoT cyber security vulnerabilities. Certification is a vital tool in enabling organisations to verify the security of connected devices in their own supply chain.”
