Cyber Security and the Internet of Things
Research firm Statista estimates that the total installed base of systems and devices connected through the Internet of Things (IoT) will surpass 21 billion units worldwide by 2025. But the growing IoT footprint has also become a prime target for cyber attacks by hackers and criminals.
Fortunately, there are several internationally accepted standards and guidance intended to help manufacturers secure their IoT products and devices from cyber threats. These include:
- ETSI/EN 303 645, "Cyber Security for Consumer Internet of Things"—Developed by ETSI (formerly the European Telecommunications Standards Institute), this European standard details widely-accepted "best practices" for the security of Internet-connected consumer devices. Rather than taking a prescriptive approach to its requirements, ETSI/EN 303 645 is instead outcome-focused to provide the greatest degree of flexibility in implementing security solutions specific to a given product. This standard is also the basis for Nemko’s IoT Cyber security certification scheme.
- ANSI/UL 2900, "Standard for Software Cybersecurity for Network-Connectible Products"—This series of standards provides verifiable criteria for the testing of network-connected devices that send, store or transmit data to and from other connected devices. Part 1 of the series, "General Requirements," prescribes requirements for the assessment of security risks in the architecture and design of system software, while other standards in the series address industry-specific product requirements.
- IEC 62443, "Industrial communications networks – Network and system security"—As the title indicates, the focus of this series of standards is on the cyber security of various aspects of industrial communications networks, including industrial automation and control systems and components, as well as requirements for IACS service providers. Part 4 of the standard also details security product development lifecycle requirements for industrial control systems. This standard series is the basis for the IECEE Cyber security certification scheme.
- CTIA standards and guidance—CTIA's Cyber Security Working Group has developed a number of best practices to address cyber risks specific to the range of wireless communications technologies, including LTE, CDMA, UMTS, GSM, converged Wi-Fi and Air-Interface technologies.
How Nemko Can Help
Nemko can test connected systems and devices in accordance with the requirements and best practices detailed primarily in ETSI/EN 303 645. Toward this end, Nemko has developed two specific testing and approval services expressly designed for the unique cyber security threats targeted at IoT technologies, as follows:
- Cyber Security Product Attestation—Nemko's Cyber Security Product Attestation service includes a thorough evaluation of IoT products against the requirements of ETSI/EN 303 645. The Cyber Security Product Attestation service provides a trusted, third-party cyber security verification method for manufacturers of custom products and components, as well as for those who do not require certification.
- Cyber Security Product Certification—Nemko's Cyber Security Product Certification service is best suited for IoT developers and manufacturers who are committed to the continuous improvement of the cyber security of their products. In addition to testing in accordance with ETSI/EN 303 645, the Cyber Security Product Certification service adds an initial audit of the manufacturer's quality assurance system, as well as annual surveillance audits to ensure ongoing compliance with the standard's requirements.
In addition to these services, Nemko can also provide testing and certification services in accordance with the internationally recognized Common Criteria scheme.
The Benefits of Working with Nemko
Partnering with Nemko can provide your organization with several important advantages in your efforts to address the challenges of today's cyber security landscape. These benefits include:
- Recognized Cyber Security Expertise—Acquired by Nemko in 2020, Systemsikkerhet is Norway's very first information security consultancy and is one of four information security testing laboratories recognized by the Norwegian National Security Authority.
- Active Involvement in Standards Development and Implementation—Nemko technical professionals are active participants in efforts to develop state-of-the-art cyber security standards and protocols and are knowledgeable about new and emerging requirements that can help to improve security.
- Single Source Solution—With its combined expertise in cyber security, product safety, Radio/Telecom and electromagnetic compatibility (EMC), Nemko represents a robust single source for manufacturers seeking comprehensive testing and certification services for their IT systems and devices.
- Global Support—With nearly 30 locations on six continents around the world, Nemko is well-positioned to support your efforts to achieve global market access for your products, regardless of your location or target market.
For more information about how Nemko can help your organization meet current and emerging cyber security challenges, contact us.