Addressing the Commercial Roots of the Consumer IoT Security Problem

The Internet of Things (IoT) provides amazing possibilities for product development and is accelerating innovation at perhaps the fastest rate in history. However, while manufacturers are eager to go to market with IoT products, building appropriate security measures into these devices and communicating that due diligence to the marketplace often remains an afterthought.

In this Q&A, Senior Editor Bill Wong talks with Andrew Jamieson, Director of Security and Technology at Underwriters Laboratories (UL) about how UL’s IoT Security Rating helps demonstrate product security and empower consumers.

Andrew Jamieson, Director, Security and Technology, UL — Andrew Jamieson, Director, Security and Technology,
UL

What is UL’s IoT Security Rating and what value does it bring to manufacturer’s products?

UL’s IoT Security Rating is a security verification and labeling solution that determines the levels of security built into your consumer IoT product. There are five levels that can be applied to a product: Bronze, Silver, Gold, Platinum, and Diamond. As the levels increase, additional security capabilities are applied, as well as additional rigor to the assessment of those requirements. This provides a clear baseline of security hygiene at the lowest levels with the ability for brands and products that are more security sensitive—or have additional security features built in—to demonstrate their increased security posture at the higher levels.

The intent of the program is to assist with driving increased adoption of security features through highlighting the security of products at the point of purchase. This allows customers to include security in their purchase decisions, much as today’s customers will often include energy-efficiency or water-efficiency into such decisions as informed by labeling for those areas.

Building security into products can take time and have tangible impacts in terms of longer time-to-market and increased manufactured cost of product. However, through clear labeling of security capabilities, a product vendor can expose customers to the reason for any connected increase in purchase price due to these security costs. Those costs also include customer protections of maintaining the product post-purchase with patches and security updates.

Therefore, the IoT Security Rating brings peace of mind to customers, as well as enabling product vendors to clearly demonstrate their due diligence for customer security and privacy. It provides both a point of differentiation in the market and helps to demonstrate compliance to various IoT security regulations around the world.

What is covered during an assessment?

The assessment process involves looking at common issues that result in exploited vulnerabilities in IoT systems, such as default passwords, lack of strong cryptography, insecure remote connections, lack of up-to-date software patches, etc. These issues are merged into seven groups of testing, covering:

Software updates
Data and cryptography
Logical security
System management
Customer-identifiable data
Protocol security
Process and documentation

The depth and types of testing involved for each of these then varies based on the specific level of rating that is being sought. Complete details on the items that are tested at the different levels can be found by downloading the rating document from the UL Standards website: https://www.shopULstandards.com/ProductDetail.aspx?UniqueKey=35953 (free to download, but registration required).

How do these security capabilities compare with other baseline regulation and industry standards around the world?

Baseline security capabilities, because they target all devices and systems as a minimum set of standards, must be set to a level that’s achievable for most of these systems—very much a base of what is required and desirable. This does not provide the ability for systems that overachieve with their security posture, where the manufacturer has spent more time and money to make their systems better than the baseline requirements, to be easily differentiated by customers.

Certainly, having specific baseline requirements is important in the market, and, often by achieving the lower levels of the UL IoT Security Rating, a product can easily demonstrate compliance to these baseline requirements. However, the goal of UL’s IoT Security Rating is also to help drive increased adoption of security best practices beyond these baselines. And, by gaining ratings at the higher levels, a product is able to use its increased security posture as a commercial differentiator in the market.

The security capabilities in UL’s IoT Security Rating are aligned with global industry frameworks and best practices, such as National Institute of Standards and Technology: Core Cybersecurity Feature Baseline for Securable IoT Devices; A Starting Point for IoT Device Manufacturers (draft NISTIR 8259), European Telecommunications Standards Institute: Cyber Security for Consumer Internet of Things (ETSI TS 103 645); and Council to Secure the Digital Economy: C2 Consensus on IoT Device Baseline Security (CSDE C2 Consensus).

The UL IoT Security Rating also helps demonstrate security compliance for meeting the threshold of reasonable security features, as required of manufacturers in the first legally binding regulations for consumer IoT in the California and Oregon Cybersecurity Bills that went into effect January 1, 2020.

Does compliance to UL’s IoT Security Rating indicate that a product is 100% secure?

Nothing can be said to be 100% secure, and compliance to any level of the UL IoT Security Rating (even the highest levels) only indicates that certain common vulnerabilities and attack methods have been mitigated in the design or implementation of the product that has been tested. New vulnerabilities are discovered all the time, so a part of the testing is to help ensure that the product is backed up by a robust vulnerability management program designed to address new issues that may be found and release patches for the systems to prevent exploitation of these issues.

However, we do know what common issues are being exploited in IoT systems around the world right now, and those are the items that are addressed by this program. Compliance to any level will serve to reduce the threat of exploitation of the system by making sure these common issues are not present.

Can we solve IoT security, or is it an intractable problem?

As we move into a future where IoT is more and more common, where almost all of our systems and devices have embedded processing elements and use local or remote software to control their operation, we’re going to need a dual approach to IoT security. One of these approaches is to ensure that there’s security built into products from the outset, they are designed with an understanding of what can and does go wrong, and those issues are remediated before the product is sold. This is where both baseline capabilities and commercial incentives for security, such as UL’s IoT Security Rating, come in.

There’s also a need to address the legacy issue with IoT security—products in people’s homes, and in commercial and industrial environments, which are at end-of-life (and no longer receive patches) or have been purchased prior to security programs coming into effect to ensure baseline security controls.

Here we need to consider how we manage such systems securely. Do we need to have people dispose of otherwise functional equipment like televisions and heaters because their software is no longer maintained in regard to security? Solutions such as specific IoT network monitoring and control systems, network-management protocols that limit what IoT systems are able to do, have a place in the future as well.

However, for new and current products in the marketplace, UL’s IoT Security Rating is a great starting point for demonstrating the security due diligence of connected products and helping customers make conscious and informed purchasing decisions based on security.

Andrew Jamieson has been working in the security of embedded systems for over 25 years, spending the first part of his career making devices and the rest of it breaking devices. During this time, he has worked with many different security evaluation methods, such as Common Criteria, FIPS140-2, ISO13491, and PCI PTS/HSM. Andrew helped create the UL IoT Top 20 Design Principles to inform manufacturers on best practices to secure their devices from attack.

References