With the evolution of the “Internet of Things” it became evident that a globally applicable certification framework was required to ensure that smart device vendors’ cyber security claims were valid, and that their OT and IoT products conformed to the general baseline cyber security principles set by Governments and International Standards bodies such as ETSI, ENISA and NIST.
Third-party validation provides assurance for consumers of connected devices that the cyber security claims of the certified product have been verified, underpinning consumers’ safety and privacy.
In 2012 Enex, formerly the RMIT University IT Testing Laboratory, Australia, continued R&D on a project (“SEPR”) that was commenced in the Enex (UK) Lab in 2006. That original work involved a government-initiated (Cabinet Office & Home Office) cyber assurance programme focused on the independent evaluation, validation and certification of vendors’ claims about the information assurance characteristics and electronic security properties of their products. An article about this was published by CSO Magazine in 2013. In 2017 the focus shifted to cyber security assurance for connected smart devices as Operational Technologies (OT) and the Internet of Things (IoT).
In late 2019 the UK, US, Canada, Australia and New Zealand, collectively known as the Five Eyes (FVEY), released a joint statement of intent regarding the security of the Internet of Things. The statement acknowledges that the lack of security in IoT devices is a global issue, expects manufacturers to incorporate cyber security-by-design, and commits those nations to actively seek out opportunities to enhance trust and raise awareness of the cyber safeguards associated with IoT devices.
The scheme is a proudly Australian-led international initiative and the first in a harmonised, scalable, consistent and federated global Cybersecurity Labelling Scheme (CLS).
In 2019 the preceding Intellectual Property for this framework was transferred from Enex PTY LTD (P/L) to Security Mark P/L (the Scheme Owner) for the purpose of commercially licensing a number of Cyber Security and Information Assurance technology related third-party conformity assessment marks, covering areas such as Information Technology (IT), Information Communications Technology (ICT), Industrial/Infrastructure Control Systems (ICS), Industrial Internet of Things (IIoT), Operational Technologies (OT) and the Internet of Things (IoT) smart devices.
The governance, policies and procedures (set of rules) that comprise the Cyber Security Trust Mark™ (STM) Certification and voluntary live Cybersecurity Labelling Scheme (CLS) were formalised, Certification Trade Marks were filed (pending in international jurisdictions), and the program was licensed and launched by IoT Security Mark P/L (Scheme Operator).
The scheme Pilot program opened to market in 2021, with the scheme going live in early 2022.
The global IoT Cyber Security Trust Mark™ (STM) certification and voluntary live Cybersecurity Labelling Scheme (CLS) supports the IoT Security objectives stated by FVEY.
The Cyber Trust Mark scheme is compliant with the premise of the conceptual framework for a conformity assessment program set out by the National Institute of Standards and Technology (SP.2000-01/02) and covers the principal tenets of:
REQUIREMENT – How should it perform?
DETERMINATION – How do we know it performs?
ATTESTATION – Who says its performance has been demonstrated?
SURVEILLANCE – What about assurances next week?
The scheme provides assurance to purchasers of products that hold current Security Trust Mark™ certification that the cyber security claims made by connected smart device vendors have been independently verified. The vendor states those claims in its Suppliers Declaration of Conformity (SDoC), included in its STM Vendors Claims Document (VCD) together with a conforming Software Bill Of Materials (SBOM) (such as one that meets the OWASP® Foundation Standard); this is the requirement. The claims are verified through the Conformity Assessment Program by an STM Accredited Test Facility (ATF) that maintains ISO/IEC 17025; this is the determination. Products that meet the Baseline IoT Security Requirements (BRs), which are based on those set by Standards Bodies and Governments, are then certified by a scheme Decision Authority (DA); this is the attestation.
It is imperative not to convey a false sense of security to consumers or users through the cyber certification mark. Common Vulnerabilities & Exposures (CVE®), the National Vulnerability Database (NVD) and software bill of materials (SBOM) Vulnerability Exploitability eXchange (VEX) profiles are actively monitored by the scheme DA; this is the surveillance. Its purpose is to ensure that vendors of certified products are notified of, and aware of, any vulnerabilities and that those are remediated. During this process the certification is placed in a suspended state until remediation is achieved. If remediation is not successfully achieved within a period, the certification is expired.
Products are listed on the Cyber Trust Mark Evaluated Products List (EPL), along with their Test Report Summary (TRS). Products successfully passing certification can voluntarily display the Security Trust Mark cybersecurity label, indicating that the product has met the Baseline IoT Requirements (BRs). This includes a live STM Quick Response (QR) code, issued by the DA, for use on product packaging and/or marketing material for the duration of the active certification. The QR code links digitally to the product’s entry on the official STM EPL, enabling IoT purchasers, consumers and users to quickly check attribution and confirm the currency of cyber certification at any point in time, using the STM “traffic light system” of certified (green), suspended (amber) or expired (red). STM supports ISO/IEC 22603-1 compliance with digital labelling for countries that accept this. Proactive IoT vendors that focus on incorporating higher value-added levels of cyber security in their products are rewarded through the multi-tiered STM “nutrition” labelling system, which recognises those that go beyond the minimum cyber Baseline Requirements by delivering additional highly desirable features in their security claims. Development of the STM voluntary label has been informed in part by the peer-reviewed academic (University College London and Australian National University) research referenced in the journal publication titled “The impact of IoT security labelling on consumer product choice and willingness to pay” (citation), and by a paper published in March 2022 by the Australian Department of Prime Minister and Cabinet titled “Stay Smart ~ Helping consumers choose cyber secure smart devices” (citation).
The IoT Security Trust Mark™ scheme is voluntary for participating vendors, and the scheme is funded through this participation. While external funding and financial donations of support are appreciated, the STM scheme’s existence and endurance are not contingent on any such external funding source(s) or budgets. Financial investment and co-contribution to date have been independently provided by members of the Scheme Senior Executive, none of whom are related to OT/IoT smart device product manufacturers or vendors.
In terms of fee schedule and time to process, the IoT Security Trust Mark™ scheme offers participating vendors good flexibility, timeliness and value. The Accredited Test Facility marketplace can be approached to provide a quotation on a per-product basis. Depending on the type and nature of the product, estimates are provided based on the complexity of the work required. This is capped at a maximum value and duration (no more than 30 days at USD$1,000 per day, plus any relevant local taxes) to produce a pass/fail result. From prior experience it is anticipated that most smart device products will go through the process in approximately 10 to 14 days. The purpose of capping the duration and value is to address the prospective concern that the process, albeit voluntary, will delay a product getting to market, or that the cost of compliance may be prohibitively expensive and add unnecessary cost to products for IoT consumers. It also addresses the risk of complex products that are not suitable for such certification being submitted for assurance; the Scheme therefore incorporates this self-regulation mechanism.
In addition to ATFs and DAs, the scheme is supported internationally by Affiliates and Host Country Associations (HCAs): third-party groups who seek to drive the adoption of safe, private and secure IoT for consumers in their regions and territories through awareness raising and engagement with Government, Industry and Consumers. The Cyber STM is also engineered to enable mutual recognition and grandfathering with aligned jurisdictions, bodies and peers.
Enquire today about becoming a Security Trust Mark™ Affiliate, Host Country Association (HCA), Decision Authority (DA), or an Accredited Test Facility (ATF).