Cybersecurity for Connected Products: Part 2
Assessments and Best Practices
11 May 2021
As the world becomes increasingly connected, cybersecurity is more important than ever, across multiple industries. To keep products and data secure, it is important for designers and manufacturers to understand the threats at play when adding connectivity to products. With that knowledge, there are several options to help ensure cybersecurity, including testing against established standards and certification schemes, as well as other, voluntary assessments.
Compliance and Standards-based Testing
There are several standards that can be used to assess connected devices, depending on product type and the desired market. These include:
- Common Criteria: Also known as ISO 15408, this standard primarily focuses on more traditional Information Communication Technology (ICT) products. This international standard is designed to specify and measure a product's IT security through functional and assurance requirements, as well as product and system specifications and evaluation. Common Criteria certification is recognized by more than 30 countries, including the U.S., Canada, and many countries within the EU. It is recommended for IT products used by government entities and for critical infrastructure.
- Cryptography: The Federal Information Processing Standard (FIPS) 140 is a US standard that has gained worldwide recognition as the de facto standard and certification for secure cryptographic implementations. Certification against this standard is a requirement for the US federal government and recommended for the Canadian government.
- Payment Assurance: Equipment and payment applications used for electronic payments, including PIN-entry devices, encrypting PIN pads, unattended payment terminals, secure card readers and hardware security modules, must be tested to schemes from various organizations, including the Payment Card Industry (PCI), to protect buyer data.
- Internet of Things (IoT): The IEC 62443 and UL 2900 families of standards apply to connected products used in the home or commercial settings, medical devices, and security and life safety systems. Products must be tested to the requirements set forth in the relevant standard. Any product that meets those requirements can be certified.
- ISO 27001: Organizations using a risk management system focused on information security are eligible for certification under this standard, which covers people, processes, technologies, and facilities used in daily activities. Compliance includes gap analysis, as well as creating and implementing an Information Security Management System.
- Standards such as ETSI EN 303 645 are uniquely targeted at consumer products and are built upon a widely accepted security baseline.
Optional assessments can also be used to illustrate security and resiliency by testing based on industry best practices. Often, these voluntary evaluations provide peace of mind and enhance a product's appeal. They include:
- Private certification schemes, such as Intertek's Cyber Assured program, which helps manufacturers clearly demonstrate robust, ongoing security over the life of the product by continuously monitoring newly emerging risks that relate to the product.
- Vulnerability Assessments: These can be used to evaluate susceptibility to known weaknesses and vulnerabilities, using specialized tools and detailed examination of application functionality to test systems, networks, and cloud-based services. They can also include specific assessments against well-known communication protocols and applications. Comprehensive auditing and device testing are interpreted in the context of a product's intended environment to understand the risks at a practical level.
- Penetration Testing: Also known as ethical hacking, this gives an attacker's perspective, with experts attempting to infiltrate networks, systems, products, and applications. The result is a detailed report identifying exploitable vulnerabilities and recommended mitigation, as well as strengths and successes.
- Security Design Review: Considering cybersecurity early in the design process is more cost effective and efficient than trying to add security later in the process. Assessing security controls or network design for effectiveness and adequacy regularly throughout the design phase will help to ensure product security.
- Privacy Impact Assessment: A detailed review of organizational or product privacy policies and controls to ensure compliance with legislation and security standards. Assessments address the risks to privacy or privacy-related security that have been identified and considered, along with mitigation protocols.
- Threat Risk Assessment: A threat risk assessment identifies assets that need to be protected, the value of those assets and associated threats/vulnerabilities. It considers the impact of damage or loss and, most importantly, how to mitigate exposure or damage. A typical assessment will deliver a prioritized list of issues to be addressed.
Independent testing and certification illustrate compliance with regulatory or industry requirements, confirm controls are working as intended, and outline roadmaps for improvements. Best practices and industry-specific standards should be followed to ensure secure products and infrastructure. Having a strong cybersecurity posture with appropriate assurance testing and certification will help to meet and exceed IoT requirements, build consumer trust, and strengthen brand reputation. Make sure to include security throughout product design and development; adding security after the fact is rarely effective and costs more. Build products to be intrinsically secure. A proactive approach can make all the difference.