The Connectivity Standards Alliance (“Alliance”) Product Security Working Group is pleased to announce the release of their IoT (Internet of Things) Device Security Specification 1.0, with the accompanying certification program, and Product Security Verified Mark.
This groundbreaking initiative aims to establish a unified IoT cybersecurity standard and certification program, providing manufacturers a one-stop solution to certify their devices, enabling them to comply with multiple international regulations and standards more easily.
“The unveiling of the IoT Device Security Specification 1.0, alongside its certification program and the Product Security Verified Mark, signals an important milestone in bolstering IoT security and building confidence with consumers,” said Tobin Richardson, Alliance President & CEO of the Connectivity Standards Alliance.
“By bringing together diverse international regulations into a cohesive specification, the Product Security Certification Program streamlines the process, reduces redundancy, and provides manufacturers with a singular, respected avenue for certifying their devices globally.”
With the increasing adoption of consumer IoT devices, there is a heightened emphasis on security due to a rise in incidents involving breaches and malicious device hijackings. The Product Security Working Group aims to meet this challenge by consolidating requirements from the three most popular IoT Cybersecurity baselines from the United States, Singapore, and Europe into a single specification and certification program. This unifying effort helps manufacturers more easily and efficiently address these regulatory regimes’ requirements aiming to instill confidence in consumers and regulators.
“As consumers embrace the convenience and value of IoT devices, the Alliance is dedicated to helping to create more comprehensive protection for consumers. This initiative aims to establish a robust baseline for all consumer IoT devices,” said Steve Hanna of Infineon Technologies AG and Chair of the Product Security Working Group Steering Committee. “The Alliance’s Product Security Verified Mark and IoT Device Security Specification 1.0 will make it easier for manufacturers to address consumer IoT security requirements around the world.”
IoT Device Security Specification 1.0 Requirements
The Product Security’s IoT Device Security Specification includes dozens of specific device security provisions. IoT Device Manufacturers must demonstrate compliance with those provisions, supplying justifications and evidence to an Authorized Test Laboratory with expertise in security evaluation and experience certifying products relative to this specification.
Highlights of the specific requirements include:
Unique identity for each IoT Device
No hardcoded default passwords
Secure storage of sensitive data on the Device
Secure communications of security-relevant information
Secure software updates throughout the support period
Secure development process, including vulnerability management
Public documentation regarding security, including the support period
Nearly 200 member companies — including Amazon, Arm, Comcast, Google, Infineon Technologies AG, NXP Semiconductors, Schneider Electric, Signify (Philips Hue and WiZ), and Silicon Labs — have collaborated, pooling related technologies, expertise, and innovations enabling the IoT Device Security Specification 1.0, the accompanying certification program, and Product Security Verified Mark to meet the diverse needs of stakeholders, including consumers, device manufacturers, and regulators. Together, these companies spearheaded the process by driving requirements and specification development and ultimately helping validate the final specification.
The Product Security Certification Program and Verified Mark
Encompassing a broad spectrum of smart home devices such as light bulbs, switches, thermostats, doorbell cameras, and more, the Product Security Certification Program establishes minimum requirements for IoT devices. By consolidating several international regulations into a single set of requirements, the Certification Program streamlines the process, helping manufacturers meet certification criteria from multiple countries or regions with a single evaluation.
The Product Security Verified Mark is confirmation a product meets the specification’s security requirements, with the goal of inspiring consumer confidence. When displayed prominently on certified product packaging, store signage, and online platforms, this Verified Mark builds trust by serving as a marker for secure IoT devices. A printed URL, hyperlink, QR code, or a combination of these representations on the Product Security Verified Mark gives consumers access to more information about the device’s security features.
Looking Ahead
As technology advances and new threats emerge, the Product Security Working Group remains committed to continuously enhancing the IoT Security Device Specification and the accompanying certification program.