The SGS Internet of Things (IoT) Security Checked product testing and labeling program gives manufacturers and retailers a means to build trust into the IoT solutions they deliver to consumer markets worldwide. Consumers choosing products that display the SGS IoT-Security Checked label get easy-to-read information to support their buying decisions. Qualifying products carry a label that clearly indicates that the item has been security assessed according to standardized recommendations relevant to its product category.
The depth of assessment and corresponding assurance level take into account the risk exposure of the application and how the product will be used.
We distinguish three assurance levels (basic, substantial and high), aligned with international regulations such as the EU Cybersecurity Act (EU CSA), which states:
“To express the cybersecurity risk, a certificate may refer to three assurance levels (basic, substantial, high) that are commensurate with the level of the risk associated with the intended use of the product, service or process, in terms of the probability and impact of an incident. For example, a high assurance level means that the product that was certified has passed the highest security tests”
The SGS IoT-Security Checked program delivers significant added value to manufacturers, retailers and consumers, and is based on broadly accepted cybersecurity standards and regulations relevant for consumer IoT devices such as:
- ETSI EN 303 645
- NISTIR 8259A
- The UK IoT law currently in preparation
- California Senate Bill SB-327 (the requirements in this regulation are not stated explicitly)
This allows region-specific or upcoming standards to be referenced in a flexible manner. The assessment does not stop at the device itself: its relationship to any companion mobile app and to the IoT backend platform hosted in the cloud is also considered.
The combination of a questionnaire/interview/review-based approach, backed by independent conformity testing (for lower assurance levels) or independent third-party conformity and security assessments (for higher assurance levels), allows a conformity verdict to be issued for each assurance level.
Manufacturers and retailers benefit from this structure as it helps to keep costs under control for products with low risk exposure.
The IoT-Security Checked product testing and labeling program gives manufacturers and retailers a competitive edge by allowing them to better market their investments in cybersecurity, while consumers get easy-to-read details on the cybersecurity of products when making buying decisions.
The product test program for manufacturers or developers has four test levels, M0 to M3, with increasing level of assurance.
- M0 and M1: a questionnaire/interview/review-based conformity assessment, supported by a partial vulnerability scanning/testing campaign, for products with low risk exposure:
  - Corresponds to assurance level “Basic”
- M2: a fully independent conformity assessment and testing campaign, in a grey-box setup, for products with medium risk exposure:
  - Corresponds to assurance level “Substantial”
- M3: a comprehensive conformity assessment and testing campaign, backed by a penetration and security robustness testing campaign, for products with high risk exposure:
  - Corresponds to assurance level “High”
In addition, we offer three further test levels targeting retailers:
- R0: a questionnaire/review-based conformity assessment for products with low risk exposure:
  - Corresponds to assurance level “Basic”
- R1 (selective testing focusing on frequent attacks) and R2 (selective testing focusing on frequent attacks and best security practices): these support retailers who want cybersecurity testing of production samples in a black-box setup, where no further technical support from the manufacturer is required. These test campaigns already give a good indication of the quality of the security implementation; however, full standard conformity assessment coverage cannot be achieved with the R1 and R2 test set-ups.
Products that have successfully passed the test campaign qualify to display the SGS IoT-Security Checked label. Details of the device tested, the standards applied, the tests carried out and their validity are accessible via the QR code or the approval number printed on the product label.