The market for IoT products designed for personal and professional use has grown recently and shows no sign of stalling. Despite the demand, security requirements in IoT remain loose and poorly regulated. Plenty of schemes are on the table and hotly discussed, but as it stands, the same Common Criteria framework set up in the 1990s is in use today. Given the swift product life cycle and flexible nature of business operations in 2018, many IT experts are calling for improvements to the existing security accreditation process.
Here are some interesting potential schemes to complement the existing framework:
1. A Global Certification System
Perhaps the most common refrain in IoT security accreditation debates is the need for a global certification body, which would bring the following benefits:
- All the different certification bodies that exist today would finally operate on an “equivalent, comparable, and competitive basis”
- End-users have the assurance that the certification is valid, no matter the size or scope of the body issuing the certificate
- It would bring the costs down for the business looking to gain security accreditation. As it stands, applying for numerous foreign certifications is an expensive and time-consuming process. As a result, many businesses do not pursue business in international markets
2. Fixing Structural Issues within the CC Model
The Common Criteria standardization model has been the benchmark for security certification across business sectors for over 20 years. In this time the product life cycle has shortened; businesses have become far more agile – and yet the verification process remains generic.
The CC model begins with an individual risk assessment, which sets a Security Target for the product. Each Security Target is usually based on a specific Protection Profile (PP), which sometimes addresses only a part of the product. This sets the Security Functional Requirements and the Security Assurance Requirements that will be assessed by a Third-Party Evaluator following the CC evaluation methodology.
The rise of IoT companies has highlighted just how slow and vague the framework is. But what can be done about it?
What if we restructure the framework to:
- Allow a rapid and agile product manufacturing life cycle while taking care of security
- Reduce the evaluation costs and time
- Create an incentive for the vendor
- Provide simple methods/metrics to the vendors
- Provide simple methods/metrics to the evaluators
- Recognize other existing evaluation methodologies and security standards
- Recognize self-assessment (for a basic security assurance level)
- Define and consider training processes
- Consider the full Operational Environment/Processes/Context/Domain in a System and Product approach
- Accelerate or automate certificate maintenance where possible
- Allow the customer and the vendor to compare different products OBJECTIVELY
3. What about Trust Labels?
The use of trust labels on products could be misleading if not carefully defined. A general stamp that expresses the security risk for an assortment of complex products, for instance, must be defined carefully, taking into account the different features and components that can vary from one product to another. Defining IoT Security Profiles must therefore be based on a smart security analysis that takes into account the full threat modeling of the system, process and product. Finally, the certificate statements expressed by the trust label must deliver a clear message to the final consumer and help create awareness.
Conclusion
The aim is to invigorate a somewhat lethargic and fragmented security certification infrastructure. For businesses to provide secure connected products and solutions for end-users, there needs to be an adapted IoT Security Assurance Framework in place that allows a more agile evaluation process. IoT threats are only going to become more acute, and without a collective approach that promotes transparency and accuracy, there is little hope of combating the increased risk.