As new smart features and internet connections are added to products, manufacturers and developers are angling for ways to show they’ve taken precautions to secure and protect their internet-connected devices.
One way to provide assurance to end-users is to demonstrate security best practices and third-party assurance. This is where global safety certification provider UL steps in with its new security verification and labeling solution, designed to help consumers steer clear of privacy-invasive software and cajole manufacturers that view privacy and security as an afterthought.
Known as IoT Security Rating, the solution helps manufacturers and developers demonstrate the security due diligence of their products by leveraging security best practices and rating the product’s “security posture.”
UL is filling the niche by lending its third-party assurance to GE Appliances’ range of connected household appliances—from dishwashers, washers and dryers to refrigerators, ovens, water heaters and water softeners.
Products are evaluated for baseline security capabilities and protection of the consumer’s data at the appliance, as well as for the way data is transferred and shared on the GE Appliances mobile app and in the cloud. They are then classified according to a five-level scale: Bronze, Silver, Gold, Platinum and Diamond. Once a product is verified, it receives a differentiated UL Verified Mark security label and will be evaluated on an ongoing basis by UL.
“Given the way that IoT and connected products are expanding these days, security has become a part of safety,” says Michael Jensen, global marketing lead, Cybersecurity, UL. “One of the challenges is that the innovation in IoT connectivity has expanded faster than regulatory involvement. And there haven’t been requirements from a governmental perspective or from an industry consensus perspective.”
There’s value for manufacturers and retailers in being able to communicate that their connected products are secure. Poorly secured IoT devices are easy prey for hackers, says Jensen, noting that UL’s rating system can help manufacturers compete and differentiate their products through the technical capabilities they’re building into the products.
The verification process helps demonstrate security compliance for meeting the threshold of reasonable security features, as required of manufacturers in the first legally binding regulations for consumer IoT in the California and Oregon Cybersecurity Bills that went into effect Jan. 1.
UL is also aligning its security capabilities with global industry frameworks and best practices, such as the National Institute of Standards and Technology’s Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers (draft NISTIR 8259); the European Telecommunications Standards Institute’s Cyber Security for Consumer Internet of Things (ETSI TS 103 645); and the Council to Secure the Digital Economy’s C2 Consensus on IoT Device Baseline Security (CSDE C2 Consensus).
UL’s white paper, “IoT Security: Top 20 Design Principles,” outlines some simple steps to follow as a way to increase the security for all aspects of a system.