Cybersecurity for Consumer IoT Devices
Consumer device cybersecurity and the Internet of Things
The need for greater protection for home devices, including those in the consumer smart home category, is on the rise. As technology continues to advance, more devices are becoming connected to the internet. With more devices relying on wireless networking, even traditionally unconnected digital devices such as alarm clocks and thermostats can become part of the home network.
The Internet of Things (IoT) refers to the billions of physical devices around the world that are now connected to the internet, all collecting and sharing data. The home of the future is smart, and smart homes will have integrated IoT devices.
Consumer device cybersecurity vulnerabilities
When an IoT device is compromised, cybercriminals can gain access to a wide range of intellectual property, including software and firmware, that could give them control over a home's security and entertainment systems as well as other electronic devices. While not all IoT devices are vulnerable, recent stories of security breaches involving IoT devices highlight the need to bolster security in consumer devices and smart homes.
Building trust in an ever-evolving IoT space
IoT, smart home and home automation products are significantly increasing in popularity with consumers. With enhanced digital connectivity, the smart home industry is expected to reach $537 billion (USD) worldwide by 2030, according to Grand View Research. Many manufacturers are creating innovations and re-designing existing products to leverage this growing industry.
At UL Solutions, we help consumer device and smart home product manufacturers identify key cyber vulnerabilities in the design and implementation of their connected smart home systems and devices and achieve more effective, foundational cybersecurity hygiene. We offer a comprehensive approach to addressing cybersecurity vulnerabilities in smart home systems and connected consumer devices of all types. Our suite of services includes:
- IoT masterclass and webinar.
- UL Verified IoT Device Security Rating program.
- IoT Scoping Program.
- IoT Strategy Program.
- IoT Component Qualification.
- IoT Jumpstart Program.
- Other general advisory services.
Consumer device IoT masterclass and IoT webinar
The Consumer Device IoT Masterclass is a training course created with the goal of helping IoT device manufacturers and other interested stakeholders understand the basics of consumer device IoT security. This class is designed with the input of our technical experts, each bringing years of experience in advising on and formally evaluating IoT devices. By the end of the two-day training program, attendees can expect to have gained understanding in the following areas:
- The consumer IoT ecosystem and landscape.
- Key principles and philosophy of IoT device security.
- Common IoT security best practices based on relevant global requirements and standards.
- Evaluation process – timelines, common issues, and how security laboratories evaluate each requirement.
- How consumer device IoT fits into the wider connected world.
The standard training program was designed with a target audience of IoT device manufacturers in mind and is readily adaptable to add optional modules or training variations, including:
- ETSI EN 303 645.
- DLC technical requirements.
- Impact of the European Commission’s Radio Equipment Directive (RED).
The IoT webinar is an educational session with a specific topic and a shorter timeframe than a formal training. Usually, these sessions will be one to three hours long and will focus on an individual topic.
UL Verified IoT Device Security Rating program
The UL Verified IoT Device Security Rating is a highly efficient and comprehensive evaluation process that assesses critical security aspects of smart products against common attack methodologies and known IoT vulnerabilities to create a security baseline across the consumer IoT industry.
The Verified IoT Device Security Rating, which is based on our IoT Security Top 20 Design Principles, aims to serve two purposes:
- Help manufacturers and developers improve the security posture of their products by leveraging proven security best practices.
- Rate the security posture of IoT products in order to make security more transparent and accessible to consumers.
By going through an efficient yet comprehensive evaluation process, manufacturers and their products are given a security rating label, which can be used for both online and in-store marketing. The Verified IoT Device Security Rating framework aligns with prominent industry standards, including ETSI TS 103 645, which builds on the U.K. Code of Practice for Consumer IoT Security, and can provide information that customers can use to demonstrate conformance to those standards.
Consumer Device IoT Scoping Program
The Consumer Device IoT Scoping Program is a workshop designed for IoT device manufacturers who have a specific upcoming target in mind, e.g., a mandated date by which they must be compliant or a regional regulation they must comply with. The workshop and surrounding activities will use this as the lens through which all activities and sessions will be delivered.
Consumer Device IoT Strategy Program
The Consumer Device IoT Strategy Program is a workshop designed for IoT device manufacturers who have a specific upcoming target in mind but are also interested in a more comprehensive and long-term plan for their consumer device IoT cybersecurity posture and strategy. The agenda is similar to that of the scoping program.
IoT Component Qualification
The UL Verified IoT Device Security Rating program is intended to be a device-centric assessment, where manufacturers may apply for a specific security level of their device, and if all the requirements for that level are fulfilled, the claim is accepted as verified. There are, however, scenarios where service providers or sub-component manufacturers may choose to have their service or component evaluated, which would fall under our IoT Component Qualification. In this case, a subset of requirements would be evaluated that applies to the service or sub-component. An example service is a platform that provides continuous vulnerability scanning (vulnerability management as a service). An example of a sub-component is a TLS library or IoT platform.
An IoT Component Qualification is most often a fit for customers who do not have a traditional IoT device but instead offer a component that will be used as part of an IoT device end product, and who wish to have an evaluation proving their component’s contribution to the end IoT device security.
IoT Jumpstart Program
The IoT Jumpstart Program is a collection of activities and services intended for customers with little or no experience in IoT security who want to gain a basic understanding of the steps they need to take to evaluate their IoT products for compliance — essentially helping them demonstrate that they have a fundamental understanding of IoT security.
An IoT Jumpstart Program project will likely include activities such as:
- Reviewing any existing or in-development security documents and processes related to IoT.
- Providing a checklist of security documents and processes required to pass an IoT security evaluation (customers should share with us what certifications/attestations of compliance they are working towards).
- Providing a white label template version for common documents and processes to the customer.
  - These template documents can provide tips/advice/examples to aid you in completing the first draft of your own internal security document or process.
  - Please note that adding the information and descriptions required in these templates must be completed by the customer to avoid conflicts of interest with any future validation activities we may deliver.
- Providing feedback, answering questions and/or reviewing documents created by you based on our templates to confirm that the documents capture the relevant information.
- Performing a final gap analysis based on your intended IoT security evaluation (e.g., Verified IoT Device Security Rating program, DesignLights Consortium (DLC) or ETSI EN 303 645) once documents have been completed and processes have been documented to give a clear view of what actions must be conducted in order to evaluate whether your IoT devices will be compliant with security requirements.
The main goal of the IoT Jumpstart Program is to provide you with a starting point for your IoT security compliance journey, as well as provide a direct line of communication with our technical experts to answer any basic questions.
Why UL Solutions for consumer device smart home cybersecurity
UL Solutions has extensive expertise in cybersecurity with a global network of IoT and OT security laboratories, security experts and advisors who offer specialized expertise in global security standards, frameworks and best practices for the smart home ecosystem. We can help companies define where they are in their cybersecurity maturity, understand what they will need to do to develop secure devices, manage digital identity of people and products, improve internal cybersecurity capabilities and processes, validate security built into their products throughout their lifecycle and differentiate their products based on security in the marketplace.