With the evolution of the “Internet of Things” it became evident that a globally applicable certification framework was required to ensure that vendors' cyber security claims were valid and that their IoT products met the general IoT security baseline principles set by governments and international standards bodies such as ETSI, ENISA and NIST.
Third-party validation gives consumers of connected devices assurance that the security claims made for a certified product have been verified, underpinning consumers' safety and privacy.
In 2012 Enex, formerly the RMIT University IT Testing Laboratory, Australia, continued R&D on a project (“SEPR”) that had commenced in the Enex (UK) Lab in 2006. That original work was a government-initiated (Cabinet Office and Home Office) assurance programme focused on the independent evaluation, validation and certification of vendors' claims about the electronic security of their products. An article about it was published by CSO Magazine in 2013. In 2017 the focus shifted to cyber security assurance for the Internet of Things (IoT).
In late 2019 the UK, US, Canada, Australia and New Zealand, collectively known as the Five Eyes (FVEY), released a joint statement of intent regarding the security of the Internet of Things. The statement acknowledged that the lack of security in IoT devices is a global issue, stated the expectation that manufacturers incorporate security-by-design, and committed the five nations to actively seeking opportunities to enhance trust in, and raise awareness of, the security safeguards associated with IoT devices.
In 2019 the intellectual property underlying the framework was transferred from Enex P/L to Security Mark P/L (Scheme Owner) for the purpose of commercially licensing a number of third-party conformity assessment marks relating to cyber security and information assurance technology, covering areas such as Information Technology (IT), Information Communications Technology (ICT) and the Internet of Things (IoT).
The governance, policies and procedures (the set of rules) that comprise the IoT Security Trust Mark™ (STM) Certification and voluntary live Cybersecurity Labelling Scheme were formalised, Certification Trade Marks were filed (pending in international jurisdictions), and the program was licensed and launched by IoT Security Mark P/L (Scheme Operator).
The scheme's pilot program opened to market in 2021, and the scheme went live in 2022.
The global IoT Security Trust Mark™ (STM) certification and voluntary live Cybersecurity Labelling Scheme supports the IoT Security objectives stated by FVEY.
The scheme follows the conceptual framework for a conformity assessment program set out by the National Institute of Standards and Technology (NIST SP 2000-01/02) and covers its four principal tenets:
REQUIREMENT – How should it perform?
DETERMINATION – How do we know it performs?
ATTESTATION – Who says its performance has been demonstrated?
SURVEILLANCE – What about assurances next week?
The scheme provides assurance to purchasers of IoT products holding current IoT Security Trust Mark™ certification that the cyber security claims the vendor makes in its Supplier's Declaration of Conformity (SDoC), included in its STM Vendor Claims Document (VCD) (requirement), have been independently verified through the Conformity Assessment Program by an STM Accredited Test Facility (ATF) that maintains ISO/IEC 17025 accreditation (determination), meet the Baseline IoT Security Requirements (BRs) set by standards bodies and governments, and have then been certified by a scheme Decision Authority (DA) (attestation).
It is imperative that the certification mark does not convey a false sense of security to IoT consumers or users. The scheme DA actively monitors Common Vulnerabilities and Exposures (CVE®), the National Vulnerability Database (NVD), and vendors' software bills of materials (SBOM) together with their Vulnerability Exploitability eXchange (VEX) statements (surveillance), so that vendors of certified products are notified of, and made aware of, any vulnerabilities affecting their products and remediate them. While this process runs the certification is placed in a suspended state until remediation is achieved. If remediation is not achieved within the scheme's remediation period, the certification is expired.
Products are listed on the Evaluated Products List (EPL) along with their Test Report Summary (TRS). Products that pass certification may voluntarily display the IoT Security Trust Mark cybersecurity binary label, indicating that the product has met the Baseline IoT Requirements (BRs). The label includes the product's live STM Quick Response (QR) code, issued by the DA, for use on product packaging and/or marketing material for the duration of the active certification. The QR code links digitally to the product's entry on the official IoT STM EPL, enabling IoT purchasers, consumers and users to quickly check attribution and confirm the currency of certification at any point in time, using the IoT STM “traffic light system”: certified (green), suspended (amber) or expired (red). STM supports ISO/IEC 22603-1 compliance with digital labelling for countries that accept it.
Proactive IoT vendors that build higher levels of security into their products are rewarded through the multi-tiered STM “nutrition” labelling system, which recognises those that go beyond the minimum Baseline Requirements by delivering additional, highly desirable features in their security claims. Peer-reviewed academic research by University College London and the Australian National University, published in the journal article “The impact of IoT security labelling on consumer product choice and willingness to pay” (citation), has in part informed the development of the STM voluntary label.
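The surveillance step and the traffic-light status above describe a small state machine: a certified product's SBOM is matched against a vulnerability feed, the vendor's VEX statements are applied, and any finding left open suspends the certification, which expires if the remediation window runs out. The following is an added illustration of that logic, not code from the IoT Security Trust Mark scheme. The SBOM, feed and VEX records are constructed sample data in a CycloneDX/OpenVEX-like shape, the vulnerability identifiers are placeholders (not real CVEs), and the 90-day remediation window is an assumption, since the page does not state the scheme's actual period.

```python
"""Added example: SBOM + VEX driven surveillance of a certified product's status."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed sample SBOM (CycloneDX-like): the components the certified product ships.
SBOM = {
    "product": "Example Smart Plug",
    "components": [
        {"name": "tls-lib", "version": "1.0.0", "purl": "pkg:generic/tls-lib@1.0.0"},
        {"name": "shell-utils", "version": "2.3.0", "purl": "pkg:generic/shell-utils@2.3.0"},
        {"name": "mqtt-client", "version": "0.9.1", "purl": "pkg:generic/mqtt-client@0.9.1"},
    ],
}

# Constructed vulnerability feed (NVD-like). IDs are placeholders, not real CVE records.
VULN_FEED = [
    {"id": "CVE-0000-0001", "purl": "pkg:generic/tls-lib@1.0.0", "published": "2024-03-01"},
    {"id": "CVE-0000-0002", "purl": "pkg:generic/shell-utils@2.3.0", "published": "2024-03-05"},
    {"id": "CVE-0000-0003", "purl": "pkg:generic/mqtt-client@0.9.1", "published": "2024-03-10"},
    {"id": "CVE-0000-0004", "purl": "pkg:generic/unrelated@9.9.9", "published": "2024-03-12"},
]

# Constructed vendor VEX statements, keyed by vulnerability ID (OpenVEX-style status values).
# Note that no statement exists for CVE-0000-0001: silence is treated as an open finding.
VEX: Dict[str, dict] = {
    "CVE-0000-0002": {"status": "not_affected", "justification": "vulnerable_code_not_present"},
    "CVE-0000-0003": {"status": "fixed", "fixed_version": "0.9.2"},
}

RESOLVED_STATUSES = {"not_affected", "fixed"}  # VEX statuses that close a finding
COLOURS = {"certified": "green", "suspended": "amber", "expired": "red"}  # traffic light


@dataclass
class Finding:
    vuln_id: str
    purl: str
    published: date
    vex_status: str  # "missing" when the vendor has issued no statement


@dataclass
class CertStatus:
    status: str            # certified | suspended | expired
    colour: str            # green | amber | red
    unresolved: List[str]  # vulnerability IDs still open against the product
    deadline: Optional[str]  # ISO date by which remediation must land, if suspended


def match_findings(sbom: dict, feed: List[dict], vex: Dict[str, dict]) -> List[Finding]:
    """Match feed entries to SBOM components by package URL and attach the VEX status."""
    shipped = {c["purl"] for c in sbom["components"]}
    findings = []
    for entry in feed:
        if entry["purl"] not in shipped:
            continue  # vulnerability is in a component the product does not ship
        stmt = vex.get(entry["id"], {})
        findings.append(Finding(entry["id"], entry["purl"],
                                date.fromisoformat(entry["published"]),
                                stmt.get("status", "missing")))
    return findings


def evaluate(sbom: dict, feed: List[dict], vex: Dict[str, dict],
             today_iso: str, remediation_days: int = 90) -> CertStatus:
    """Derive the certification state: green if nothing is open, amber while the
    remediation clock runs, red once it has run out. remediation_days is assumed."""
    today = date.fromisoformat(today_iso)
    open_findings = [f for f in match_findings(sbom, feed, vex)
                     if f.vex_status not in RESOLVED_STATUSES]
    if not open_findings:
        return CertStatus("certified", COLOURS["certified"], [], None)
    # The clock starts at the earliest still-open disclosure, not at today's check.
    deadline = min(f.published for f in open_findings) + timedelta(days=remediation_days)
    status = "expired" if today > deadline else "suspended"
    return CertStatus(status, COLOURS[status],
                      [f.vuln_id for f in open_findings], deadline.isoformat())


if __name__ == "__main__":
    for check_date in ("2024-04-01", "2024-06-01"):
        print(check_date, evaluate(SBOM, VULN_FEED, VEX, check_date))
```

The deliberate edge case is the component with no VEX statement at all: a monitoring process that only suspends on an explicit "affected" status would let an unacknowledged vulnerability keep a green label, so the example treats a missing statement the same as an open finding until the vendor answers.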
The IoT Security Trust Mark™ scheme is voluntary for participating vendors, and the scheme is funded through that participation. While external funding and financial donations of support are appreciated, the existence and endurance of the STM scheme is not contingent on any external funding source or budget. Financial investment and co-contribution to date has been provided independently by members of the Scheme Senior Executive, none of whom are related to IoT product manufacturers or vendors.
In terms of fee schedule and time to process, the IoT Security Trust Mark™ scheme offers participating vendors flexibility, timeliness and value. Vendors approach the Accredited Test Facility marketplace for a quotation on a per-product basis; depending on the type and nature of the product, the estimate reflects the complexity of the work required. The engagement is capped in both value and duration: no more than 30 days at USD 1,000 per day (a maximum of USD 30,000, plus any applicable local taxes) to produce a pass/fail result. From prior experience, most products are expected to complete the process in approximately 10 to 14 days. The cap exists to address the concern that the process, although voluntary, might delay a product getting to market, or that the cost of compliance might be prohibitive and add unnecessary cost to products for IoT consumers. It also addresses the risk of complex products that are not suitable for this kind of certification being submitted for assurance; the cap therefore acts as the scheme's self-regulation mechanism.
In addition to ATFs and DAs, the scheme is supported internationally by Affiliates and Host Country Associations (HCAs): third-party groups that seek to drive the adoption of safe, private and secure IoT for consumers in their regions and territories through awareness raising and engagement with government, industry and consumers. The STM is also engineered to enable mutual recognition and grandfathering with aligned jurisdictions, bodies and peers.
Enquire today about becoming an IoT Security Trust Mark™ Affiliate, Host Country Association (HCA), Decision Authority (DA), or an Accredited Test Facility (ATF).