The UK’s IoT Security Foundation has formed a partnership with the IASME Consortium to develop a vendor self-assessment scheme for the security of consumer IoT products for the UK market.
It says the scheme will provide a baseline which is both low cost and simple to implement for manufacturers.
IASME has worked with the IoT Security Foundation to define a set of 30 checks that can be verified by a national network of certifying bodies. Once the applicant satisfies those checks, a certificate is issued and the company can use the basic tick mark on marketing materials.
The UK Government, which released a voluntary code for the security of consumer IoT devices in October 2018, is now considering introducing legislation.
John Moor, managing director of the IoT Security Foundation, said the scheme aimed to be simple and low cost, and to address the majority of common vulnerabilities we still see today.
Benefits for consumers & businesses
IASME Consortium CEO Emma Philpott said the aim had been to create a scheme that would provide assurances for consumers and be attractive for businesses.
“We have worked with the IoT Security Foundation to create a scheme which does that, taking into account the immediate needs and anticipated regulatory changes that are likely to transpire in due course.”
She added: “This is just the beginning of our work with IoT. We further hope to evolve the scheme as the threat landscape changes and create additional schemes with more stringent controls which are required beyond the consumer market.”
The IASME Consortium says a recent report from the Internet Society, based on a global consumer survey, had identified many concerns but also ‘the trust opportunity’.
“The opportunity exists for manufacturers to differentiate themselves by offering proof of trustworthy behaviour and demonstrating steps have been taken to design security into their processes and products. IASME’s IoT Cybersecurity Basic conformance scheme provides that proof,” it said.
Self-assessment
Details of the security assessment scheme are available on the IoTSF website. It is aimed at manufacturers of any device which connects to the internet. It asks a set of questions about the basic controls such a device would be expected to have in place for the minimum acceptable level of security.
No evidence is required for the assessment, but a board member or equivalent must sign a declaration to confirm that all the answers are true.
Following the introduction of this basic level IoT Security assessment, IASME says it will shortly launch silver and gold levels, which will demonstrate much higher levels of cyber security.