With the evolution of the “Internet of Things” it became evident that a globally applicable certification framework was required to ensure that vendors' security claims were valid and that their IoT products met the general security baseline principles for IoT set by governments and international standards bodies such as ETSI, ENISA and NIST.
In 2012 Enex, formerly the RMIT University IT Testing Laboratory, Australia, continued R&D on a project (“SEPR”) that had commenced in the Enex (UK) Lab in 2006. That original work involved a government-initiated (Cabinet Office and Home Office) assurance programme focused on the independent evaluation, validation and certification of vendors' claims about the electronic security of their products. An article about it was published by CSO Magazine in 2013. In 2017 the focus shifted to IoT.
In late 2019 the UK, US, Canada, Australia and New Zealand, collectively known as the Five Eyes (FVEY), released a joint statement of intent regarding the security of the Internet of Things. The statement acknowledged that the lack of security in IoT devices is a global issue, set out the expectation that manufacturers incorporate security-by-design, and committed the five nations to actively seeking out opportunities to enhance trust and raise awareness of the security safeguards associated with IoT devices in their respective nations.
In 2019 the research IP was transferred from Enex P/L to Security Mark P/L for the purpose of commercially licensing a number of cyber security and information assurance technology related third-party conformity assessment marks, covering areas such as Information Technology (IT), Information Communications Technology (ICT) and the Internet of Things (IoT).
The governance, policies and procedures that comprise the IoT Security Trust Mark™ Certification and voluntary Labelling scheme were formalised, and the program was licensed and commercially launched by IoT Security Mark P/L, with the scheme Pilot program opening in 2021.
The global IoT Security Trust Mark™ certification and voluntary live labelling scheme supports the IoT Security objectives stated by FVEY.
The scheme is compliant with the premise of the conceptual framework for a conformity assessment program set out by the National Institute of Standards and Technology (NIST SP 2000-01/02) and covers its principal tenets:
REQUIREMENT – How should it perform?
DETERMINATION – How do we know it performs?
ATTESTATION – Who says its performance has been demonstrated?
SURVEILLANCE – What about assurances next week?
The scheme provides assurance to purchasers of IoT products holding current IoT Security Trust Mark™ certification that the claims a vendor makes about its product's security in the scheme Vendor Claims Document (VCD) (requirement) have been independently verified by an STM Accredited Test Facility (ATF) that maintains ISO/IEC 17025 accreditation (determination), meet the Baseline IoT Security Requirements (BRs) set by standards bodies and governments, and are certified by a scheme Decision Authority (DA) (attestation).
It is imperative that the certification mark does not convey a false sense of security to IoT consumers or users. The scheme DA actively monitors Common Vulnerabilities and Exposures (CVE®), the National Vulnerability Database (NVD) and software bill of materials (SBOM) Vulnerability Exploitability eXchange (VEX) profiles (surveillance) to ensure that vendors of certified products are notified of, and aware of, any vulnerabilities, and that those vulnerabilities are remediated. During this process the certification is placed in a suspended state until remediation is achieved. If remediation is not successfully achieved within the allowed period, the certification expires.
Products are listed on the Evaluated Products List (EPL), along with their Test Report Summary (TRS). Products that successfully pass certification can voluntarily display the IoT Security Trust Mark label, which includes a live STM Quick Response (QR) code issued by the DA, on their product packaging and/or marketing material for the duration of their active certification. The QR code links digitally to the product's entry on the official IoT STM EPL, enabling IoT purchasers, consumers and users to quickly check and confirm the currency of certification at any point in time, using the IoT STM “traffic light system” of certified (green), suspended (amber) or expired (red). STM supports ISO/IEC 22603-1 compliance with digital labelling for countries that accept this. Proactive IoT vendors that incorporate higher, value-added levels of security in their products are rewarded through the multi-tiered STM labelling system, which recognises those that go beyond the minimum Baseline Requirements by delivering additional, highly desirable features in their security claims.
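As an added illustration of the surveillance step and the traffic-light states described above, the following Python is example code written for this page; it is not tooling from the IoT STM scheme or IoT Security Mark P/L. It derives a product's certified/suspended/expired state from a history of vendor VEX statements as of a given date. Everything beyond the page's own description is an assumption: the status vocabulary follows OpenVEX (`not_affected`, `affected`, `fixed`, `under_investigation`), the remediation window `REMEDIATION_DAYS` is a placeholder because the page only says "a period", and the product names and CVE-style identifiers are constructed, not real records.

```python
# Added example (not the IoT STM scheme's own tooling): derive a product's
# "traffic light" certification state from vendor VEX statements, as in the
# surveillance step described on the page.
#
# Assumptions not given on the page:
#  - status values follow the OpenVEX vocabulary:
#    not_affected, affected, fixed, under_investigation
#  - REMEDIATION_DAYS is a placeholder; the page only says "a period"
#  - the CVE-style identifiers and product names below are constructed
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum

REMEDIATION_DAYS = 90  # placeholder remediation window (assumption)

OPEN_STATUSES = {"affected", "under_investigation"}
VALID_STATUSES = OPEN_STATUSES | {"not_affected", "fixed"}


class Light(Enum):
    GREEN = "certified"
    AMBER = "suspended"
    RED = "expired"


@dataclass(frozen=True)
class VexStatement:
    vuln_id: str     # vulnerability identifier (a CVE id in practice)
    product: str     # product identifier (e.g. a purl or vendor SKU)
    status: str      # OpenVEX status value
    timestamp: date  # date the status was asserted


def as_date(d):
    """Accept either a date or an ISO-8601 string."""
    return date.fromisoformat(d) if isinstance(d, str) else d


def latest_status(statements, product, today):
    """Most recent statement per vulnerability for `product`, as known on `today`.

    Future-dated statements are ignored so the state can be reconstructed as of
    any point in time, which is what a live EPL lookup has to answer.
    """
    latest = {}
    for s in statements:
        if s.status not in VALID_STATUSES:
            raise ValueError(f"unknown VEX status {s.status!r} for {s.vuln_id}")
        if s.product != product or s.timestamp > today:
            continue
        cur = latest.get(s.vuln_id)
        if cur is None or s.timestamp > cur.timestamp:
            latest[s.vuln_id] = s
    return latest


def certification_state(statements, product, today, window_days=REMEDIATION_DAYS):
    """Return (Light, sorted list of still-open vulnerability ids).

    green : no open vulnerability
    amber : open vulnerability present, all within the remediation window
    red   : an open vulnerability has exceeded the remediation window
    """
    today = as_date(today)
    statements = list(statements)
    latest = latest_status(statements, product, today)
    open_ids = sorted(v for v, s in latest.items() if s.status in OPEN_STATUSES)
    if not open_ids:
        return Light.GREEN, []
    # The clock starts when the vulnerability was first reported as open,
    # not at the latest restatement of the same status.
    first_open = {}
    for s in statements:
        if (s.product == product and s.vuln_id in open_ids
                and s.status in OPEN_STATUSES and s.timestamp <= today):
            first_open[s.vuln_id] = min(first_open.get(s.vuln_id, s.timestamp), s.timestamp)
    overdue = [v for v in open_ids if today - first_open[v] > timedelta(days=window_days)]
    return (Light.RED if overdue else Light.AMBER), open_ids


# Constructed sample VEX history (identifiers are placeholders, not real CVEs)
SAMPLE_VEX = [
    VexStatement("CVE-0000-0001", "vendor:smartplug-x1", "under_investigation", date(2024, 1, 5)),
    VexStatement("CVE-0000-0001", "vendor:smartplug-x1", "affected", date(2024, 1, 9)),
    VexStatement("CVE-0000-0001", "vendor:smartplug-x1", "fixed", date(2024, 2, 1)),
    VexStatement("CVE-0000-0002", "vendor:smartplug-x1", "not_affected", date(2024, 2, 3)),
    VexStatement("CVE-0000-0003", "vendor:camera-c2", "affected", date(2024, 3, 1)),
]

if __name__ == "__main__":
    for product, day in [("vendor:smartplug-x1", "2024-01-20"),
                         ("vendor:smartplug-x1", "2024-02-10"),
                         ("vendor:camera-c2", "2024-03-15"),
                         ("vendor:camera-c2", "2024-07-01")]:
        light, open_ids = certification_state(SAMPLE_VEX, product, day)
        print(f"{product} as of {day}: {light.name} ({light.value}) open={open_ids}")
```

Two design points matter for a live label. First, the state is evaluated as of a date rather than stored, so a scan of the QR code can always be answered from the statement history without a separate status field that could drift out of sync. Second, the remediation clock is anchored to the first open statement for a vulnerability, so a vendor re-asserting `affected` later does not restart the window; only a `fixed` or `not_affected` statement returns the product to green.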
The IoT Security Trust Mark™ scheme is voluntary for participating vendors, and the scheme is funded through this participation. While external funding and financial donations of support are appreciated, the existence and endurance of the STM scheme are not contingent on any such external funding source(s) or budgets. Financial investment to date has been provided by members of the Scheme Senior Executive.
In terms of fee schedule and time to process, the IoT Security Trust Mark™ scheme offers participating vendors good flexibility, timeliness and value. The Accredited Test Facility marketplace can be approached for a quotation on a per-product basis. Depending on the type and nature of the product, estimates are provided based on the complexity of the work required. This is capped at a maximum value and duration (no more than 30 days at USD 1,000 per day, plus any relevant local taxes) to produce a pass/fail result. From prior experience it is anticipated that most products will go through the process in approximately 10 to 14 days. The purpose of capping the duration and value is to address the concern that the process, albeit voluntary, will delay a product getting to market, or that the cost of compliance may be prohibitively expensive and add unnecessary cost to products for IoT consumers. It also addresses the risk of complex products that are not suitable for such certification being submitted for assurance; the Scheme therefore incorporates this self-regulation mechanism.
In addition to ATFs and DAs, the scheme is supported internationally by Affiliates and Host Country Associations (HCAs): third-party groups that seek to drive the adoption of safe and secure IoT in their regions and territories through awareness raising and engagement with government, industry and consumers. The STM is also engineered to enable mutual recognition and grandfathering with aligned jurisdictions, bodies and peers.
Enquire today about becoming an IoT Security Trust Mark™ Affiliate, Host Country Association (HCA), Decision Authority (DA), or an Accredited Test Facility (ATF).