Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

01:19 PM

Cybersecurity Certification in the Spotlight Again

Swiss technology non-profit group joins others, such as the Obama-era President's Commission, in recommending that certain classes of technology products be tested.

The case for certifying the cybersecurity of specific classes of devices is gaining momentum as cybersecurity professionals worry that the growing number of interdependencies between software, hardware, and online services, puts consumers and workers at risk.

This week, a group of 14 cybersecurity experts at the Supply Chain Security working group of the Cybersecurity Commission of ICTswitzerland called for that country's government to work to establish a testing and certification authority for the nation. The group is not alone: In 2016, the Commission on Enhancing National Cybersecurity formed by the Obama Administration called for similar certification of consumer technology and the creation of a "nutrition label" to collect simple cybersecurity metrics. In addition, other testing initiatives—from NetSecOPEN to the Cyber ITL—are aiming to shed more light on a variety of classes of products. 

The Swiss cybersecurity group aims to test products, evaluate source code, and prevent the insertion of malicious code into critical devices and applications, says Stefan Frei, cybersecurity principal at Accenture and head of the supply chain security group at ICT Switzerland. 

"Looking at supply-chain security, [cybersecurity is] a huge problem—we deploy anything that is given us without thinking," he says. "If those devices are already compromised ... because we have more cyber-physical applications, the result of attacks on that infrastructure is physical harm." 

IoT's Influence

The latest call for cybersecurity certification of products comes as three technology trends are gaining steam. 

First, an increasing number of devices are becoming part of the Internet-of-things—embedded with a processor and connected to the Internet—expanding the attackable surface area of businesses and consumer households alike. There will be more than 25 billion connected devices in 2020, according to business intelligence firm Gartner.

Because more consumer appliances, such as TVs and refrigerators, and industrial devices such as machine controllers and environmental monitors are becoming "smart," untested technology is also becoming embedded in many devices with long lifespans or use-cycles. Non-critical personal electronics typically are replaced every few years. Smartphones, for example, have the shortest lifespan, being replaced every three years on average, while desktop computers last five or six years, according to survey data from small-business IT information firm Spiceworks. Household appliances typically last 10 years and cars last 15 to 17 years on average.

Finally, the deployment of such connected technology into devices that can have a physical impact means that cyber-physical attacks are now a reality. An online attacker's actions can have real-world consequences.

Because there has been little oversight of the technology incorporated into companies' infrastructure and consumer households, the ICTswitzerland report argues that its likely that many organizations have already been compromised.  

"In the absence of a reliable quality inspection of digital products, we have to assume that compromised components are already in use today," the group said. "Further compromised components will be added continuously, sometimes in critical functions."

The group of cybersecurity professionals called for a non-profit testing firm, funded by the companies whose products it tests, to review source code and configurations, to analyze and reverse engineer, and to conduct risk assessments. All testing would be open and the results published. 

The certification authority would work even if it could not test every product, Frei says.

"You don't need to test everything," he says. "The police do not need to have radar at every intersection to prevent speeding. You just need periodic checks."

'Nutrition Labels'

The idea for creating a testing and certification center is not new. The Obama Administration's Report on the President's Commission on Enhancing National Cybersecurity included, among its recommendations, the creation of testing and certification groups that could produce cybersecurity "nutrition labels" to allow consumers to compare technology services and products. 

The current "lack of information leaves most consumers unaware of the risks associated with using technology products and services, how these risks might easily be reduced, or how competing products’ security characteristics compare with each other," the report stated. "Making matters worse, security considerations increasingly may lead to safety concerns, as many Internet-enabled devices can affect the world physically."

While a broad certification system for electronic devices has not been created yet, a number of private organizations and businesses have arisen to test the cybersecurity capabilities of certain classes of—mostly security—products. 

AV-Test and AV-Comparatives both test anti-virus products, while groups such as the ICSA Labs, UL Labs, and NSS Labs both do independent testing of broader classes of products. Because such groups typically may not have open methodologies, various industries have also created their own groups to either inform testing or set industry-approved standards for testing.

The Cellular Telecommunications Industry Association (CTIA), for example, maintains the CTIA’s Cybersecurity Certification Program for wireless devices, and the Anti-Malware Testing Standards Organization (AMTSO) sets industry-approved standards for testing antivirus products.

Related Content

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "The Beginner's Guide to Denial-of-Service Attacks: A Breakdown of Shutdowns"

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
10/24/2019 | 6:36:19 AM
How to gain knowledge

Very informative

<a href="https://www.kaashivinfotech.com/iot-internship/"> iot internships </a>
<a href="https://www.kaashivinfotech.com/inplant-training-in-chennai-for-it/"> inplant training in chennai </a>
<a href="https://www.kaashivinfotech.com/internship-for-automobile-engineering-students/"> internship for automobile engineering students </a>
<a href="https://www.kaashivinfotech.com/internship-for-mca-students/"> internship for mca students in chennai </a>
<a href="https://www.kaashivinfotech.com/internship-for-eee-students/">internship for eee students </a>
<a href="https://www.kaashivinfotech.com/internship-for-aeronautical-engineering-students/"> internship for aeronautical engineering students </a>
<a href="https://www.kaashivinfotech.com/inplant-training-report-for-civil-engineering-students/"> inplant training report for civil engineering </a>
<a href="https://www.kaashivinfotech.com/internship-with-stipend-for-ece-in-chennai/"> internship for ece students in chennai with stipend </a>
<a href="https://www.kaashivinfotech.com/tag/summer-training-for-ece-students-after-second-year/"> summer training for ece students after second year </a>
<a href="https://www.kaashivinfotech.com/python-internship/"> python internship </a>
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Another COVID-19 Side Effect: Rising Nation-State Cyber Activity
Stephen Ward, VP, ThreatConnect,  7/1/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-07
An issue was discovered in CMSUno before 1.6.1. uno.php allows CSRF to change the admin password.
PUBLISHED: 2020-07-07
Victor CMS through 2019-02-28 allows XSS via the register.php user_firstname or user_lastname field.
PUBLISHED: 2020-07-07
A memory leak in Openthread's wpantund versions up to commit 0e5d1601febb869f583e944785e5685c6c747be7, when used in an environment where wpanctl is directly interfacing with the control driver (eg: debug environments) can allow an attacker to crash the service (DoS). We recommend updating, or to res...
PUBLISHED: 2020-07-07
Gossipsub 1.0 does not properly resist invalid message spam, such as an eclipse attack or a sybil attack.
PUBLISHED: 2020-07-07
A SQLi exists in the probe code of all Connectwise Automate versions before 2020.7 or 2019.12. A SQL Injection in the probe implementation to save data to a custom table exists due to inadequate server side validation. As the code creates dynamic SQL for the insert statement and utilizes the user su...