By SecureWorld News Team
Thu | Aug 23, 2018 | 1:53 PM PDT

CTIA, the wireless industry association, just revealed a new IoT device security protocol and certification program.

The Internet of Things security certification for wirelessly connected devices will tell consumers and companies buying these certified devices that cybersecurity is baked in throughout the product's development.

It is a significant switch from the way most IoT devices have been developed: Be the first to market, regardless of the cyber risks created. 

For years, we've heard from executives at our cybersecurity conferences that IoT manufacturers need to include cybersecurity from the start. Device manufacturers wanting this new CTIA certification will have to do exactly that.

16 cybersecurity requirements of CTIA IoT device certification

  1. Password Management: Device supports local password management
  2. Authentication: Device supports user authentication
  3. Access Controls: Device enforces role-based access control
  4. Patch Management: Device supports automatic and manual installation of patches from an authorized source
  5. Software Upgrades: Device supports manual installation of software upgrades from an authorized source
  6. Audit Log: Device supports the gathering of audit log events and reporting them to an EMS using IPsec, SSH, TLS, or DTLS for encryption and integrity protection
  7. Encryption of Data in Transit: Device supports encrypted communications using IPsec, SSH, TLS, or DTLS
  8. Multi-Factor Authentication: Device supports multiple authentication factors
  9. Remote Deactivation: Device can be remotely deactivated by the EMS
  10. Secure Boot: Device supports a secure boot process to protect its hardware
  11. Threat Monitoring: Device supports logging of anomalous or malicious activity based on configured policies and rules
  12. IoT Device Identity: Device provides an IoT Device Type and a globally unique IoT Device Identity
  13. Encryption of Data at Rest: Device supports an effective mechanism for encrypting data stored on the device
  14. Digital Signature Generation and Validation: Device supports generation and validation of digital signatures
  15. Tamper Evidence: Device has the ability to alert a monitoring system when it is physically opened
  16. Design-In Features: Device includes features to fail secure, provide boundary security, and ensure function isolation

Wireless industry executives praise new IoT certification

Leading wireless operators, technology companies, security experts, and test labs collaborated to develop the program’s test requirements and plans.

The program also builds upon IoT security recommendations from the National Telecommunications and Information Administration (NTIA) and the National Institute of Standards and Technology (NIST).

With this much collaboration, perhaps it's no surprise that wireless industry executives are giving the new standards a thumbs up.

"Establishing a common and readily achievable security program that protects devices, consumers, and our networks is a critical initiative as the IoT market continues to grow exponentially, both in the U.S. and globally," says Cameron Coursey, VP of Product Development, IoT Solutions, at AT&T.

And William Boni, Senior VP of Digital Security at T-Mobile, really hit on a key point: "To realize the exciting promise of IoT, security must be considered at every turn. By setting these standards, the wireless industry is proactively leading the charge to secure previously insecure devices, protecting our networks and customers against cyberattacks."

Internet of Things device security certification starts fall 2018

The CTIA says its labs will be ready to accept devices into the certification program beginning in October 2018. Here are all the details on the program.

Speaking of October, IoT security is a hot topic at the SecureWorld Dallas conference on October 11-12, 2018.

iRobot's CISO, Ravi Thatavarthy, is speaking on IoT risks versus rewards. He tells me that we must continue to increase confidence in the Internet of Things to maximize its potential.

"My belief is that security combined with privacy will become a brand differentiator," he says. And he's optimistic that will happen.

And the new CTIA certification program may inspire optimism in other information security leaders, as well.
