ICSA Labs to roll out IoT security testing certification
ICSA Labs, which is an independent division of Verizon Communications, is about to embark on a new “Internet of Things” security testing certification program designed to ensure security features for IoT devices and sensors work as advertised.
The IoT security testing and certification program is set to include testing in six areas: cryptography, communications, physical security, platform security, alert/logging and authentication. Security is consistently one of the top concerns for IoT devices and related services, and hacks or lack of security have already been highlighted in webcams, wireless medical devices and in-vehicle control systems.
ICSA Labs has a long history in the computer security space, as well as in security assurance for software. The division recently issued a report showing that, among traditional security products, “the majority of security devices fail to perform as intended” – only 27% of anti-virus products achieve its certification on the first try, for example. Although many companies are working on various aspects of IoT security – the Cloud Security Alliance, for example, has an IoT working group – ICSA Labs believes its third-party testing and certification will be one of the first of its kind for IoT sensors and devices.
Taking devices that used to have no connectivity and connecting them via the Internet “now exposes them to a completely different frontier of things that can potentially be co-opted on these devices,” said George Japak, managing director of ICSA Labs. Japak went on to say that there are very real vulnerability concerns that have to be addressed in an IoT environment: it involves a variety of vendors, which may or may not have experience with network, device and information security, and the use of big data and analytics means that detailed, personal information is likely to be collected and communicated by IoT devices. Even nonmalicious applications can end up transmitting far more information than a user may be aware of. Japak said it’s common for devices and applications to essentially sit and monitor other applications’ usage to paint a picture of a user’s habits and then transmit that information back to their own home base. While that might be acceptable – or at least, not illegal – in a gaming or shopping context, it has very different security implications if the user also has a disease-monitoring app on the device, since that information could be passed on to a third party by another app.
In an enterprise context, Japak added, companies that seek to leverage IoT will want to have a good grasp of supply chain risks, and something like ICSA Labs’ security testing certification could end up being part of an overall risk mitigation approach.
“We’ve been working on developing this for a while. Some of it is based on our own, independent research dealing with existing customers and stakeholders in terms of soliciting feedback on this … We also had people reaching out to us who are familiar with us and are concerned about these types of things,” said Japak.